DFARS & NIST 800-171

DFARS 252.204-7012 Requirements for Defense Contractors Must Be Satisfied by DECEMBER 31, 2017

As with most government documents, one leads to another, and that is the case with DFARS 252.204-7012. "DFARS" is the Defense Federal Acquisition Regulation Supplement; Part 252 covers Solicitation Provisions and Contract Clauses, and clause 252.204-7012 states:

“Contractors shall implement NIST 800-171 as soon as practical, but no later than December 31, 2017.”

That leads us to the next document: NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. NIST published it as a set of recommended security requirements for protecting CUI; by referencing it, the DFARS clause turns those recommendations into a contractual obligation.

 

THE PROBLEM

Defense contractors, including the small companies that supply the big ones, must implement the DFARS requirements or risk being dropped as suppliers. Not having these measures in place could put a company out of business, which is why DFARS is such an urgent issue.

One area of concern for defense contractors is the assembly floor. Manufacturing facilities often have centrally located computers that many users share. Today, workers type a user name and password to log in. If a password is compromised, or an employee shares it, the system has no way to establish who actually logged in. NIST SP 800-171 requires that the actions of individual users be uniquely traceable to them (3.3.2), so a shared workstation protected only by passwords does not meet DFARS.

Among the NIST SP 800-171 requirements that DFARS imposes are identifying and authenticating each user (3.5.1, 3.5.2), using multifactor authentication (3.5.3), and keeping audit records that trace actions back to individual users (3.3.1, 3.3.2): in short, an authentication process plus a tracking ability.

 

AUTHENTICATION

The Power LogOn system uses a smart card as one factor of the multi-factor authentication process (something you have). The card is protected by a PIN (a second factor, something you know). Because the user never learns the passwords the card holds, there is no password to share or tell another person. What the card establishes is that Joe's card, unlocked with Joe's PIN, performed the logon. Note that a user who deliberately hands over both card and PIN can still be impersonated, which is one reason the audit trail and the cross-checks described below matter.

The PIN-protected card adds a layer of assurance and creates two-factor authentication, which satisfies the multifactor authentication requirement in NIST SP 800-171 (3.5.3). For a higher-assurance site, a biometric (something you are, which the software supports) can be added as a third factor.

  • 2 Factors = Card + PIN (most cost-effective and fastest to implement), Card + Biometric, or PIN + Biometric
  • 3 Factors = Card + PIN + Biometric

Each independent factor an attacker must defeat raises the cost of impersonation for a hacker or thief.

 

TRACKING and REPORTS

Power LogOn records which card entered the system, what that person logged into, how long they stayed logged in, and when they logged out. This leaves an audit trail, which DFARS also requires through NIST SP 800-171 (3.3.1 for audit records, 3.3.2 for tracing actions to individual users).

 

DIFFERENTIATION

What distinguishes Power LogOn from other solutions is that the defense contractor does not have to take on the complexity or expense of certificates and PKI. The Power LogOn system can be added directly onto existing physical access badges, which brings further benefits. Physical access badges are often used for more than door access (time and attendance, cafeteria payment, forklift ignition, and so on), so there are many opportunities for cross-references and cross-checks. If Joe logs into a system but Joe has not clocked in or come through the door, that becomes a system red flag.
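The badge cross-check just described, together with the session records from the TRACKING and REPORTS section, is the kind of correlation a security team can run over its own logs. The Python below is an added example, not Power LogOn's code or output: it parses constructed logon and badge-reader records (the timestamp/key=value line format, the field names, and the badge and host identifiers are all assumptions made for illustration), flags any logon whose badge holder has no recent door entry or clock-in or whose last badge event was an exit, and computes how long each logon session lasted.

```python
"""Correlate workstation logons with physical-access (badge) events.

Added example, not vendor code. Log formats, field names and all sample
records below are constructed for illustration.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample records: badge reader / time clock events.
BADGE_EVENTS = [
    "2017-11-06T06:55:10 badge=1042 reader=DOOR-NORTH action=entry",
    "2017-11-06T06:57:02 badge=1042 reader=TIMECLOCK-1 action=clock_in",
    "2017-11-06T07:01:45 badge=2211 reader=DOOR-NORTH action=entry",
    "2017-11-06T11:30:00 badge=2211 reader=DOOR-NORTH action=exit",
]

# Constructed sample records: card logons/logoffs on shared floor PCs.
LOGON_EVENTS = [
    "2017-11-06T07:02:30 badge=1042 host=FLOOR-PC-03 event=logon",
    "2017-11-06T07:40:12 badge=1042 host=FLOOR-PC-03 event=logoff",
    "2017-11-06T07:05:00 badge=2211 host=FLOOR-PC-07 event=logon",
    "2017-11-06T12:15:00 badge=2211 host=FLOOR-PC-07 event=logon",  # badged out at 11:30, never re-entered
    "2017-11-06T07:10:00 badge=3390 host=FLOOR-PC-03 event=logon",  # no badge event at all
]


def parse(line: str) -> Dict[str, object]:
    """Parse 'TIMESTAMP key=value key=value ...'; 'ts' becomes a datetime."""
    ts, _, rest = line.partition(" ")
    rec: Dict[str, object] = dict(kv.split("=", 1) for kv in rest.split())
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def last_badge_event(badge: str, before: datetime, badge_events: List[dict]) -> Optional[dict]:
    """Most recent physical-access event for this badge strictly before `before`."""
    prior = [e for e in badge_events if e["badge"] == badge and e["ts"] < before]
    return max(prior, key=lambda e: e["ts"]) if prior else None


def check_logons(logon_lines: List[str], badge_lines: List[str],
                 max_age: timedelta = timedelta(hours=12)) -> List[str]:
    """Return one finding per logon not backed by a recent entry or clock-in.

    A logon is flagged when the badge has no prior physical-access event,
    when its last event was an exit, or when the last event is older than
    `max_age` (assumed shift length; tune to the site).
    """
    badge_events = [parse(l) for l in badge_lines]
    findings: List[str] = []
    for rec in (parse(l) for l in logon_lines):
        if rec["event"] != "logon":
            continue
        last = last_badge_event(rec["badge"], rec["ts"], badge_events)
        if last is None:
            reason = "no physical-access record for this badge"
        elif last["action"] == "exit":
            reason = f"last badge event was exit at {last['ts'].isoformat()}"
        elif rec["ts"] - last["ts"] > max_age:
            reason = f"last badge event at {last['ts'].isoformat()} is older than {max_age}"
        else:
            continue  # entry or clock-in seen recently: consistent with the logon
        findings.append(f"{rec['ts'].isoformat()} badge={rec['badge']} host={rec['host']}: {reason}")
    return findings


def session_durations(logon_lines: List[str]) -> List[Tuple[str, str, timedelta]]:
    """Pair each logon with the next logoff for the same badge and host.

    Gives the 'how long they were in' figure for the audit trail; logons
    still open (no logoff yet) are not reported.
    """
    open_sessions: Dict[Tuple[str, str], datetime] = {}
    sessions: List[Tuple[str, str, timedelta]] = []
    for rec in sorted((parse(l) for l in logon_lines), key=lambda r: r["ts"]):
        key = (rec["badge"], rec["host"])
        if rec["event"] == "logon":
            open_sessions[key] = rec["ts"]
        elif rec["event"] == "logoff" and key in open_sessions:
            sessions.append((rec["badge"], rec["host"], rec["ts"] - open_sessions.pop(key)))
    return sessions


if __name__ == "__main__":
    for finding in check_logons(LOGON_EVENTS, BADGE_EVENTS):
        print("RED FLAG:", finding)
    for badge, host, duration in session_durations(LOGON_EVENTS):
        print(f"session badge={badge} host={host} duration={duration}")
```

Run as a script, it reports two red flags (badge 2211 logging on after badging out, badge 3390 logging on with no door or time-clock record) and one completed session for badge 1042. In production the same logic would read the badge system's export and the workstation event log, and the 12-hour window should match the plant's shift length so that a legitimate double shift is not flagged.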

 

COMPLIANCE

Here is a list of the DFARS requirements that defense contractors are working hard to comply with by the end of THIS YEAR; Power LogOn marks each section it meets with a check mark. The full report is available on request.