DFARS Compliance in Office 365
Learn how Microsoft Office 365 GCC High and Azure Government help DOD contractors meet DFARS compliance. Discover the steps to protect CUI and ensure regulatory compliance with Agile IT's expertise.

DFARS Compliance in Office 365: Stay Secure With GCC High
To say cybersecurity is a pressing issue for the government space would be an understatement. With cyber-attacks becoming an increasingly costly reality for organizations across the country, the government and organizations within the Defense Industrial Base (DIB) have a responsibility to secure sensitive data such as controlled unclassified information (CUI) to preserve national security. To mitigate the risk of cyber threats and ensure that sensitive data is protected, the Department of Defense (DoD) has issued several regulations that organizations within the DIB must adhere to in order to secure their systems and protect the sensitive government data that they store, process, and transmit.
One such regulation all DoD contractors, subcontractors, and suppliers must adhere to is the Defense Federal Acquisition Regulation Supplement (DFARS), which outlines cybersecurity standards these organizations must meet to ensure the confidentiality of defense projects and the security of sensitive government data. Organizations within the DIB have a contractual obligation to comply with the regulations outlined in DFARS, otherwise, they could face severe penalties and lose out on both current and future government contracts.
Yet, new DoD contractors may wonder how DFARS will affect them and how these regulations will impact their cloud environment. The good news if you currently operate in a Microsoft cloud environment is that Microsoft has developed government cloud services including Azure Government and Microsoft Government Community Cloud (GCC) High to help defense contractors maintain DFARS compliance in Office 365.
To help you better understand your security obligations as a DoD contractor, keep reading as we take a look at what DFARS is and how you can use Microsoft Government Cloud Services like Office 365 GCC High to remain DFARS and CMMC compliant.
What is DFARS?
With the DoD and organizations within the defense industrial base increasingly relying on digital resources such as the cloud, finding ways to mitigate risks associated with data breaches is crucial, particularly for organizations handling CUI. In response to these risks and the need for more robust protections for sensitive government data, the DoD published the Defense Federal Acquisition Regulation Supplement (DFARS), which outlines how DoD contractors and suppliers should handle CUI in accordance with NIST Special Publication (SP) 800-171.
DFARS compliance plays a critical role in maintaining national security, as it helps mitigate vulnerabilities within the defense industrial base by preventing data breaches. DFARS also outlines cyber incident reporting obligations to reduce the potential impact of a cyber-attack.
DFARS was created to ensure that CUI that is “processed, stored, or transmitted by nonfederal organizations using nonfederal information systems” is adequately protected from threats. By requiring any entity that works with the DoD to follow the clear, concise procedures outlined in DFARS, the risk of storing CUI on nonfederal information systems is reduced.
The Rules of DFARS
While DFARS outlines various rules and regulations that organizations within the DIB must follow to protect CUI, these rules can be condensed into the following statement: All DoD contractors and suppliers must prove that they adequately protect CUI AND that they can rapidly report any incidents to the appropriate channels. These rules are elaborated on in greater detail within the four primary clauses of DFARS, which we outline below:
- DFARS 252.204-7012: This is the core clause of DFARS that requires DoD contractors to properly protect CUI and report cyber incidents. This clause requires defense contractors to implement the controls specified by the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 to protect sensitive information. This clause also outlines the exact process a DoD contractor must follow in case of a cyber incident.
- DFARS 252.204-7019 & DFARS 252.204-7020: These clauses address self-assessment of NIST SP 800-171, which ties into CMMC compliance. These clauses also require contractors to maintain a record of their NIST 800-171 compliance within the Supplier Performance Risk System (SPRS).
- DFARS 252.204-7021: This clause requires DoD contractors to maintain the appropriate CMMC level for their contracts.
DFARS Compliance Requirements
Of course, you may find yourself wondering what exactly it takes to become DFARS compliant. In order to meet the minimum security requirements outlined in DFARS, DoD contractors must take certain precautions to safeguard CUI, including maintaining compliance with the Cybersecurity Maturity Model Certification (CMMC) framework by undergoing regular third-party audits of their cybersecurity practices. Additionally, DFARS outlines specific cybersecurity guidelines that affected organizations must follow to protect sensitive government data from unauthorized access, misuse, or destruction. DFARS also has strict protocols for rapidly reporting and responding to cyber incidents in order to mitigate their impact.
NIST SP 800-171 Security Families
DFARS also requires organizations to pass a readiness assessment following NIST 800-171 guidelines. NIST SP 800-171 outlines 110 controls that all federal contractors who handle CUI are required to implement. These controls cover various security aspects spread across 14 security families which include:
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Physical Protection
- Incident Response
- Maintenance
- Media Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
- Personnel Security
Alignment with the controls in these NIST SP 800-171 families is essential to protect CUI on nonfederal systems and ensure DFARS compliance. However, since the NIST SP 800-171 publication is over 75 pages long and contains a wealth of detail, DFARS compliance can seem unnecessarily complicated and intimidating for many contractors. Luckily, Office 365 GCC High has the capabilities to help you remain DFARS-compliant without implementing third-party tools.
How Can Microsoft Government Cloud Help Me Achieve DFARS Compliance?
Recent years have seen Microsoft ramping up its government capabilities so that it can meet the cloud security needs of government agencies and contractors. This has positioned Microsoft as the ideal partner for not only the DoD, but also for all of its contractors, subcontractors, and suppliers who must secure CUI in order to maintain CMMC and DFARS compliance. Microsoft has achieved this by creating government cloud service offerings with strong security and policy controls that can help DoD contractors maintain DFARS compliance. In particular, Microsoft Government Cloud Services can help defense contractors meet the requirements outlined in DFARS 252.204-7012 that apply to cloud service providers, as both Azure Government and Office 365 GCC High provide the capabilities necessary to help customers comply with DFARS 7012 through their Impact Level 5 (IL5) accreditation under the DoD Cloud Computing Security Requirements Guide (SRG).
In addition to being DFARS compliant, both Azure Government and Office 365 GCC High can help government contractors stay compliant by:
- Supporting ITAR Capabilities
- Having DoD Impact Level 4 and Impact Level 5 Capabilities
- Meeting FedRAMP Requirements
- Satisfying Requirements for CMMC Practices
Of course, to achieve your specific compliance level, you must implement the proper configurations when setting up your DFARS environment. This will require you to strategize with your service provider (typically a Microsoft partner) to enable your DFARS, CMMC, ITAR, FedRAMP, and DoD Impact Level requirements. It is therefore essential that you take the time to find an experienced Microsoft AOS-G Partner who can not only supply you with Microsoft Office 365 GCC High services, but who can also help you review your security posture and achieve and maintain DFARS compliance.
Need Help Meeting DFARS and CMMC Compliance? Contact Agile IT Today!
As the world becomes increasingly digital, Department of Defense contractors must take advanced precautions to protect sensitive government data. While the DoD has released guidelines to help these organizations secure CUI, obtaining NIST, CMMC, and DFARS compliance can seem like an overwhelming prospect. The good news is that we’re here to help unravel the confusion and streamline this process.
At Agile IT, our goal is to empower DoD contractors to tap into the power and flexibility of cloud solutions while maintaining compliance with DFARS and other cybersecurity regulations. With our AgileDefend service, we can uniquely address your Microsoft 365, security, and compliance needs, helping you get ahead of evolving threats and boost your compliance posture while helping maximize your productivity.
If you want to maximize the power and productivity Office 365 can provide in a government setting while also protecting your valuable data, contact us today to learn more about Microsoft GCC High as well as to request a quote.