DFARS In Depth – Part 5: Incident Response and Maintenance

Our in-depth discussion of the DFARS security requirements as set out in NIST SP 800-171 continues with the next two security requirement families: Incident Response and Maintenance.

Both of these security families involve taking steps to make sure that the security infrastructure that you’ve put in place remains functional and responsive to new threats.

Incident Response - Security Requirements

The Incident Response security requirement family contains only two basic requirements and a single derived requirement:

  • Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.
  • Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization.
  • Test the organizational incident response capability.

Good incident response begins with preparation -- recognizing that security incidents can and will happen, and having a plan to deal with them when they do. So having a thorough, written incident response plan is key. Additionally, you’ll need to figure out how and when that plan gets put into effect. Detections from antivirus systems, intrusion detection systems, and event log systems must be triaged, and then followed up on if they present a real threat.

Security incidents also need to be tracked and reported -- primarily internally, but also to outside authorities if the need arises. For example, your contract may specify that the DoD must be notified of certain incidents, so those details should be included in your incident response plan.

Finally, the derived requirement for this family mentions testing the response capability. This can include “fire drills” where the incident response plan is checked for accuracy, as well as disaster recovery scenarios where backups and recovery plans are tested and verified. This is also an opportunity to determine the operational effects of various disaster scenarios.

Maintenance - Security Requirements

The Maintenance security requirement family includes just two basic requirements:

  • Perform maintenance on organizational systems.
  • Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.

The first one is simple -- just do it! But maintenance on complex IT systems is not a simple matter. There are dozens of “moving parts” in even the simplest systems, including software updates, firmware updates, and preventative maintenance on hardware components. So establishing a set schedule for these procedures will minimize system downtime and security threats from unpatched vulnerabilities.

And since maintenance operations are by their nature sensitive -- requiring high-level administrator access, and having the potential to cause serious outages -- the second basic requirement reminds us of the importance of both technical and procedural controls on these processes.

The derived requirements get into some more specifics on how to perform maintenance securely:

  • Ensure equipment removed for off-site maintenance is sanitized of any CUI.
  • Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems.

These two derived requirements remind us that even during maintenance, it’s important to be mindful of data flowing out of your systems and the potential for malware to flow into them. And since diagnostic utilities are often run with privileged credentials, extra care must be taken to ensure they’re from a trusted source.

The final derived requirement in this family is an interesting one:

  • Supervise the maintenance activities of maintenance personnel without required access authorization.

From time to time, it’s necessary for a vendor, consultant, or other individual to access your systems to perform maintenance or diagnostics. Since these individuals would fall outside of your organization’s authentication mechanisms, it’s important to supervise their work closely, whether it’s on-site or remote. For example, only use screen sharing software that you’ve approved, and observe their remote session from beginning to end to make sure that nothing untoward is happening.

With a good incident response plan and a regular maintenance program, you can keep your systems secure and compliant with DFARS.