UPDATE: The DOD is planning to introduce the new Cybersecurity Maturity Model Certification (CMMC) framework in 2020.
To say that cybersecurity is a pressing issue in the government space would be an understatement. As the government comes under scrutiny for its own security, new regulations and requirements are being pushed down to the supplier level. The Defense Federal Acquisition Regulation Supplement (DFARS) includes a set of cybersecurity requirements that apply to all DOD contractors and suppliers.
In 2017, Microsoft announced DFARS support for Azure Government Services. This signaled Microsoft's commitment to a practical, secure government cloud environment, and it underscored how important DFARS has become: contractors and suppliers can (and usually will) lose their DOD contracts for failing to comply with DFARS requirements.
So, let’s look at what DFARS is and how you can use Azure Government Services with Office 365 to remain DFARS compliant.
What is DFARS?
Since the government is so dependent on digital resources, finding ways to mitigate the risk of data leakage is crucial. Controlled Unclassified Information (CUI), information that is not classified but is still sensitive and requires safeguarding, makes up the bulk of the sensitive data handled by DOD contractors.
To mitigate that risk and introduce thorough compliance measures, the DOD published the Defense Federal Acquisition Regulation Supplement (DFARS) and its accompanying Procedures, Guidance, and Information (PGI). These rules govern how CUI is handled by DOD contractors and suppliers, in accordance with NIST Special Publication 800-171 (NIST 800-171).
The bulk of these rules can be condensed into the following statement:
All DOD contractors and suppliers must demonstrate that they adequately protect CUI AND that they can rapidly report cyber incidents through the appropriate channels.
While the DOD itself has its own, different risk and compliance requirements, DFARS was written to ensure that CUI that is “processed, stored, or transmitted by nonfederal organizations using nonfederal information systems” is adequately protected from threats. The underlying problem, addressed by Executive Order 13556 (which established the CUI program), is that government agencies rely on contractors for much of their work. That made data protection requirements inconsistent across government channels: agencies had rules regarding CUI, but their contractors did not.
That was definitely a problem. DFARS closes the gap by requiring any entity that works with the DOD to follow a clear, concise set of procedures.
NIST 800-171 organizes its security requirements into 14 families, each of which calls for its own compliance workflow.
These 14 families are:
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
NIST 800-171 is over 75 pages long and contains a wealth of detail, which makes DFARS compliance seem unnecessarily complicated and daunting to many contractors.
Luckily, Office 365 has the capabilities to help you remain DFARS compliant without implementing third-party tools.
Can I Meet DFARS Compliance Guidelines in Office 365?
Microsoft has been ramping up its government capabilities over the last few years. As government agencies and contractors continue to move into cloud services, Microsoft has positioned itself as a partner for both the DOD itself and its contractors. With multiple DOD contracts already in place (e.g., a $1.76B contract and a $480M contract) and larger contracts on the horizon, Microsoft wants to win the government sector, and it is building strong security and policy controls into its government offerings. At the moment, two Microsoft offerings can support DFARS compliance (with the proper configuration and policy controls). Note that the platform's compliance only covers the provider's side of the shared responsibility model: the contractor must still implement and document its own NIST 800-171 controls within its tenant, such as access control, audit logging, incident response, and configuration management.
- Azure Government
- Microsoft Office 365 GCC High
In addition to being DFARS compliant, both Azure Government and Office 365 GCC High:
- Support ITAR capabilities
- Have DOD Impact Level 4 and Impact Level 5 capabilities
- Meet FedRAMP+ requirements
Specifically, Microsoft Office 365 GCC High and Azure Government meet the requirements of DFARS clause 252.204-7012, which covers safeguarding covered defense information and cyber incident reporting, and which requires that any cloud service used to store or process that information meet security requirements equivalent to the FedRAMP Moderate baseline.
As far as setting up your DFARS environment goes, you will work with your services provider (typically a Microsoft partner) to enable the DFARS, ITAR, DOD Impact Level, and FedRAMP+ capabilities you need. Most Microsoft partners, however, can only supply GCC High to government agencies or contractors with more than 500 seats, a threshold most DOD contractors cannot reach.
Luckily, Microsoft has authorized 6 of its worldwide AOS-G partners to supply Microsoft Office 365 GCC High services. Agile IT is one of these 6 providers, and we have been on a mission to help DOD contractors tap into the power and flexibility of cloud solutions.
Are You Ready to Meet DFARS Compliance?
If you are a government contractor who needs the power of the cloud, we can help. You need to stay compliant with the requirements set forth by the DOD and the National Institute of Standards and Technology, and failure to comply with DFARS can quickly affect your ability to work with the DOD.
Don't worry, we've got your back. Not only is Agile IT one of only 6 Microsoft partners that can supply Office 365 GCC High, but we have the knowledge, experience, and resources to fast-track your adoption and help you implement all of the compliance requirements you need.
Agile IT has over 15 Gold Competencies, and we’ve been Microsoft Cloud Partners of the Year for four consecutive years. If you need to utilize the power and ease of Office 365 in a government setting, schedule a call or request a quote: