Inquiring minds (and our clients) want to know, is becoming compliant with DFARS 7012 by Dec. 31 the only goal? In simple terms, no – your compliance MUST be maintained. Let’s dig into this complex topic.
Lifecycle Management of your DFARS 7012 Compliance
Think of your compliance as a product. In the government contracting world, you hear the term “lifecycle management” in reference to the management and maintenance of equipment: proper methodologies and plans for the continual monitoring and maintenance of that equipment are in place. The same should be true for your compliance. It only takes one small change to your systems to fall out of compliance. Controlling who does what, and understanding the effect changes can have on your compliance status, is very important. As part of the methodologies and plans mentioned above, there has to be a way to plan for changes, and to document, reassess and validate the controls that may have been affected by any sort of change.
In short, whenever new regulations or guidelines are introduced, or you have a change in your systems, your Compliance Working Group will have to adjust to ensure your policies and procedures match up.
The Consequences of Poor Maintenance
From our knowledge and experience with defense contracting and this regulation, whether or not you are compliant with DFARS 7012 is a major differentiator. The same is true for the way in which you maintain, or don’t maintain, your compliance. Sloppy compliance management sends the signal to your team that cutting corners is tolerated. It encourages risk-taking and enhances vulnerability exposure.
Primes, remember, you are responsible for the compliance of your team.
If they aren’t compliant, that may affect your Pwin (probability of win). It puts you at a competitive disadvantage when bidding new contracts, as the government can make your compliance responsibilities, and the dissemination of a comparable questionnaire to your team, part of their award criteria.
Compliance Must Be Verified ALL the Time!
Yes, you read that right, all the time. You should have controls in place for Continuous Monitoring (CA-7-1) of logs, vulnerability scanning, and real-time alerts as a minimum. Who is in charge of checking these logs is up to you, but it should be someone with extensive knowledge of the software, the DFARS regulation, and the NIST document. See our Cybersecurity Product Partnerships page for our recommendation of Continuous Monitoring software.
A few other tips for verification of your compliance:
- Check Incident Monitoring and Reporting on an as-needed basis.
- Review Real-time/Daily/Weekly Virus Scan Reports on a weekly basis.
- Review baseline configuration updates, risk assessment, risk reports, blacklisting and whitelisting, system component inventory, and all recurring actions on a quarterly basis.
- Review remote access, accounts, audit events checklist, remote connections, local admin approval, and FedRAMP vendor approvals on a bi-annual basis.
- Review continued security assessments, your configuration management plan, your incident response plan, and your COOP and Disaster Recovery plans (which are not CUI protection requirements but HIGHLY recommended) on an annual basis.
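One way to keep the review cadences above from slipping is to track them mechanically. The script below is an added example written for this post, not a tool the post describes; it encodes the weekly, quarterly, bi-annual and annual items listed above, takes the date each item was last reviewed, and reports which reviews are overdue or have never been recorded. The interval lengths in days (91 for quarterly, 182 for bi-annual) and the sample review dates are constructed assumptions, not figures from the post.

```python
from datetime import date, timedelta

# Assumed day counts for the cadences named in the post (not figures from the post).
CADENCE_DAYS = {
    "weekly": 7,
    "quarterly": 91,
    "bi-annual": 182,
    "annual": 365,
}

# Review items grouped by cadence, taken from the post's checklist. The
# as-needed item (incident monitoring and reporting) has no fixed interval
# and is therefore not scheduled here.
REVIEW_ITEMS = {
    "weekly": ["virus scan reports"],
    "quarterly": [
        "baseline configuration updates", "risk assessment", "risk reports",
        "blacklisting and whitelisting", "system component inventory",
    ],
    "bi-annual": [
        "remote access", "accounts", "audit events checklist",
        "remote connections", "local admin approval", "FedRAMP vendor approvals",
    ],
    "annual": [
        "security assessment", "configuration management plan",
        "incident response plan", "COOP and disaster recovery plans",
    ],
}


def next_due(item, last_reviewed_on):
    """Return the date the next review of `item` falls due."""
    for cadence, items in REVIEW_ITEMS.items():
        if item in items:
            return last_reviewed_on + timedelta(days=CADENCE_DAYS[cadence])
    raise KeyError("unknown review item: %s" % item)


def overdue_reviews(last_reviewed, today):
    """Return (item, cadence, days_overdue) tuples for every scheduled item
    that is past due on `today`. days_overdue is None when no review has ever
    been recorded. Never-reviewed items sort first, then most overdue first."""
    findings = []
    for cadence, items in REVIEW_ITEMS.items():
        for item in items:
            last = last_reviewed.get(item)
            if last is None:
                findings.append((item, cadence, None))
                continue
            due = next_due(item, last)
            if today > due:
                findings.append((item, cadence, (today - due).days))
    return sorted(findings, key=lambda f: (f[2] is not None, -(f[2] or 0)))


def print_report(last_reviewed, today):
    """Human-readable version of overdue_reviews for a weekly status check."""
    findings = overdue_reviews(last_reviewed, today)
    print("Compliance review status as of %s: %d item(s) need attention" % (today, len(findings)))
    for item, cadence, days in findings:
        status = "never reviewed" if days is None else "%d day(s) overdue" % days
        print("  [%-10s] %-34s %s" % (cadence, item, status))
    return findings


if __name__ == "__main__":
    # Constructed sample data: a small review log and an evaluation date.
    sample_log = {
        "virus scan reports": date(2018, 1, 1),
        "risk assessment": date(2017, 12, 1),
        "incident response plan": date(2016, 12, 1),
    }
    print_report(sample_log, date(2018, 1, 15))
```

Feed it your real review log (a spreadsheet export works) and run it as part of the weekly check; any item reported as "never reviewed" is a gap in your documentation as much as in your monitoring, which is exactly the kind of evidence an assessor will ask for.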
We let our customers know up front that DFARS 7012 compliance isn’t a one-and-done exercise. It has to be maintained, but more importantly, maintained right. We offer a full Compliance Management monthly plan to take care of the monitoring, reporting, and updates to our templates (if you purchased them from us) for you.