Date post: | 07-Apr-2018 |
Category: |
Documents |
Upload: | bob-gourley |
View: | 216 times |
Download: | 0 times |
8/4/2019 DFARSSurvey
http://slidepdf.com/reader/full/dfarssurvey 1/8
September 2011
White Paper:Proposed Changes to DFARSto enhance Cyber Security of
DoD Info
CTOlabs.com
Inside:
• Background on proposed changes
• Survey Results
• Trends of note
A White Paper providing context on proposed rule changes
8/4/2019 DFARSSurvey
http://slidepdf.com/reader/full/dfarssurvey 2/8
CTOlabs.com
The Community Weighs In On Proposed DFARS ChangesDoD has proposed changes to the Defense Federal Acquisition Regulation Supplement (DFARS) to
help enhance security of DoD information in use at contractor facilities. This report provides context
on those changes including insights from a recent survey of the federal IT community.
Executive Summary
Respondents to a recent survey of members of the federal IT community provides useful context onthe proposed DFARS changes. It was interesting to note, however, that few believe the government is
best at protecting information.
Survey Background
In July, CTOvision.com created and distributed a survey on the new proposed Defense Federal
Acquisition Regulation Supplement (DFARS) to safeguard unclassied Department of Defense
information on contractor networks. After receiving responses from government, industry, andacademia, we’ve summarized feelings and expectations towards the policy below. Of the respondents,
73% said that they were familiar with DFARS, so we believe we hit a good community with our
survey. Additionally, about a third of the respondents reported that they were security executives,
and another third said they were practitioners. It is good having inputs from both those groupings. A
quarter of respondents were in government and three fourths came from industry and academia.
Summary of the proposed DFARS changes:
Draft changes to the Defense Federal Acquisition Regulation Supplement were proposed after the
recent string of high prole cyber attacks on defense contractors. Information on Department of
Defense networks is protected by DIACAP standards but as of now, protecting information on private
networks is left up to the company’s discretion. Yet since so much of the government’s information
storage and R & D is performed by private corporations, DFARS has been put forward in an attempt to
1
8/4/2019 DFARSSurvey
http://slidepdf.com/reader/full/dfarssurvey 3/8
A White Paper For The Federal IT Community
standardize protection and reporting for contractor networks and systems. Aside from an extensive listof reporting requirements, the following three policies are at the heart of DFARS:
a) The Government and its contractors and subcontractors will provide adequate security to safeguard
unclassied DoD information on their unclassied information systems from unauthorized access and
disclosure.
b) Contractors must report to the Government certain cyber incidents that aect unclassied DoD
information resident on or transiting contractor unclassied information systems. Detailed reporting
criteria and requirements are set forth in the clause at 252.204-70YY.
c) A cyber incident that is properly reported by the contractor shall not, by itself, be interpreted
as evidence that the contractor has failed to provide adequate information safeguards for DoD
unclassied information, or has otherwise failed to meet the requirements of the clause at 252.204-
70YY. Contracting ocers shall consult with a functional manager to assess contract performance.
A cyber incident will be evaluated in context, and such events may occur even in cases when it is
determined that adequate safeguards are being used in view of the nature and sensitivity of the DoD
unclassied information and the anticipated threats.
Views of Respondents from Government
Public sector respondents believed in extending regulation to private industry. 75% answered that
government regulations such as FISMA, OMB’s M-11-11, NISTIC , and FICAM should apply to all
contractors if they hope to work with the government, while 25% felt that companies could secure
their data on their own.
Most, however, did not believe that the public sector was better at protecting information. 46% of
respondents believed that government was better than industry at protecting information systems,54% thought it was not, and numerous wrote in that it depends on which industry, company, or
agency, and on which aspect of protection from what threat.
Of government respondents, 83% worked for organizations with policies in place for encryption of
data for storage and transmission, network protection and intrusion detection, and cyber intrusion
reporting based on NIST Special Pub 800-53 “Recommended Security Controls for Federal Information
2
8/4/2019 DFARSSurvey
http://slidepdf.com/reader/full/dfarssurvey 4/8
CTOlabs.com
3
Systems and Organizations” while only 7% said they did not and 10% did not know.
To make DFARS better, the most prevalent suggestion was to get more specic. There were concerns
over the government having too broad an inuence in contractor systems, overlaps and confusion
in rules, departments, and agencies, and insuciently explicit requirements. Another repeated
suggestion was to mandate red team exercises to test the vulnerability of systems.
Views of Respondents from the Private Sector:
In the private sector, faith in government control and regulation was much lower. Only 24% thought
the government was better than industry at protecting information, and even then there were heavy
reservations with comments such as “both are awful” and numerous responses that it depends on
which industry, which government agency, and what data.
Two thirds of respondents feared that their costs would go up if DFARS were to be implemented.
At the same time, only 42% felt that adhering to these rules would make their organization or
government data any more secure, as opposed to 58% that did not. Reasons given include that some
corporations already exceed DFARS standards and that regulations do little to improve fundamental
problems of security on the internet such as attribution.
Suggesting ways to make DFARS better, industry respondents also cited making denitions and
requirements more precise and clarifying terms like “adequate” just as government respondents did.
Private sector respondents also expressed concern for smaller contractors, who may have diculty
implementing the recommendations and “go broke trying to comply.”
Overall Trends
Both government and industry respondents were concerned about the fuzzy language of DFARS
and ambiguity in its implementation. Public sector respondents were much more condent in the
government’s ability to keep information secure than private sector though both thought it could be
8/4/2019 DFARSSurvey
http://slidepdf.com/reader/full/dfarssurvey 5/8
A White Paper For The Federal IT Community
improved, raising questions on whether government should dictate security measures to industry.While most respondents thought DFARS was generally a good set of guidelines, there were doubts
over the cost and implementation.
To those that took our survey, thanks! Your inputs will do more than just contribute to this post. We are
also providing comments into the formal DFARS process in the hopes of helping government decision-
makers think through the right approach.
4
8/4/2019 DFARSSurvey
http://slidepdf.com/reader/full/dfarssurvey 6/8
CTOlabs.com
5
More Reading
For more federal cybersecurity technology and policy issues visit:
CTOvision.com- an blog for enterprise technologists with a special focus on Big Data.
CTOlabs.com - the respository for our research and reporting on all IT issues.
Fedcyber.com - tracking all important federal cybersecurity issues.
8/4/2019 DFARSSurvey
http://slidepdf.com/reader/full/dfarssurvey 7/8
A White Paper For The Federal IT Community
About the AuthorAlexander Olesker is a technology research analyst at Crucial Point LLC,
focusing on disruptive technologies of interest to enterprise technologists.
He writes at http://ctovision.com.
Alex is a graduate of the Edmund A. Walsh School of Foreign Service at
Georgetown University with a degree in Science, Technology, and
International Aairs. He researches and writes on developments in
technology and government best practices for CTOvision.com and
CTOlabs.com, and has written numerous whitepapers on these subjects.
Alex has worked or interned in early childhood education, private
intelligence, law enforcement, and academia, contributing to numerous publications on technology,
international aairs, and security and has lectured at Georgetown and in the Netherlands. Alex is
also the founder and primary contributor of an international security blog that has been quoted and
featured by numerous pundits and the War Studies blog of King’s College, London. Alex is a uent
Russian speaker and procient in French.
Contact Alex at [email protected]
6
8/4/2019 DFARSSurvey
http://slidepdf.com/reader/full/dfarssurvey 8/8
CTOlabs.com
For More Information
If you have questions or would like to discuss this report, please contact me. As an advocate for better
IT in government, I am committed to keeping the dialogue open on technologies, processes and best
practices that will keep us moving forward.
Contact:Bob Gourley
703-994-0549
All information/data ©2011 CTOLabs.com.