S/MIME 101: Maintaining DFARS Compliance Using S/MIME
During the course of our ongoing S/MIME series, we’ve discussed what S/MIME is, why S/MIME is important, and how it can protect users from specific types of email-based attacks. We’ve also discussed how it can help companies remain compliant with privacy and security regulations like HIPAA.
Most people have heard of HIPAA. After all, health care is something that impacts just about everybody. Fewer, however, are likely to have heard of the Defense Federal Acquisition Regulation Supplement, better known as DFARS. The regulation is designed to protect controlled unclassified information in nonfederal systems and organizations. At its core, this is not dissimilar to what HIPAA is designed for, except instead of protecting patient health care information, DFARS applies to information related to national security and defense.
The threat of cyberattack is felt very keenly by the defense industry. Defense-related intellectual properties, such as designs pertaining to American military assets, are incredibly high-value targets. Government agencies have been forced to improve their cyber defense capabilities, using their considerable resources to shore up weak points against potential attack. In response, cybercriminals have increasingly shifted their focus to defense contractors as they seek to gain access to information with strategic national importance.
While defense contractors are hardly easy targets themselves, DFARS creates actionable regulations to ensure that sensitive information is handled with the proper care and security. Supplementing the original Defense Federal Acquisition Regulation to mandate encryption of all data at rest or in transit, DFARS creates a security baseline that must be met by all contractors. Since email is just as indispensable to defense contractors as it is to any other industry, this means that effective encryption tools must be set in place before doing business with the government.
Like HIPAA, this regulation does not mandate the use of email certificates—but they are the best way to accomplish the goal. Certificate-protected email remains encrypted from the time it leaves the sender’s machine until the time it is opened in the recipient’s inbox, protecting the data in transit across both the internet and every mail server it passes through. What’s more, emails and attachments stored on mail servers are also encrypted while at rest—ensuring full compliance with DFARS.
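The at-rest property described above can be checked directly. The following is an added example, not code from the original post: it uses the openssl command-line tool to build a constructed recipient certificate, wrap a message in an S/MIME (CMS) envelope as a mail client would, and confirm that the copy a mail server would store contains no plaintext until the recipient's private key opens it. All file names, the subject name and the plaintext marker are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: S/MIME encryption leaves the stored message opaque.
# Assumes the openssl CLI is installed; every path/name here is constructed.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Constructed recipient key pair and self-signed certificate. A real
# deployment would use a CA-issued S/MIME certificate instead.
make_recipient_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=recipient.example" \
        -keyout "$WORK/recipient.key" -out "$WORK/recipient.crt" 2>/dev/null
}

# Encrypt a message file to the recipient certificate. The output is the
# application/pkcs7-mime body that travels over SMTP and sits on the server.
encrypt_message() {
    openssl cms -encrypt -aes256 -in "$1" -out "$2" "$WORK/recipient.crt"
}

# Decrypt with the recipient's private key, as the recipient's client would.
decrypt_message() {
    openssl cms -decrypt -in "$1" -out "$2" \
        -recip "$WORK/recipient.crt" -inkey "$WORK/recipient.key"
}

# Returns 0 when the file contains the constructed plaintext marker.
contains_plaintext() {
    grep -q "CUI DESIGN SPEC" "$1"
}

# End-to-end run: returns 0 only if the stored copy hides the plaintext
# and the decrypted copy reveals it again.
demo() {
    make_recipient_cert
    printf 'CUI DESIGN SPEC attached.\n' > "$WORK/plain.txt"
    encrypt_message "$WORK/plain.txt" "$WORK/stored.eml"
    # The server-side copy must be an opaque envelope with no plaintext.
    contains_plaintext "$WORK/stored.eml" && return 1
    grep -q 'application/pkcs7-mime' "$WORK/stored.eml"
    decrypt_message "$WORK/stored.eml" "$WORK/decrypted.txt"
    contains_plaintext "$WORK/decrypted.txt"
}
```

Note that only the body and attachments are enveloped: the Subject, From and To headers of a real message remain readable on every server, so CUI should never be placed in the subject line.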
The security protocols associated with the defense industry can be challenging, but S/MIME certificates make DFARS compliance as straightforward as possible. By providing comprehensive, end-to-end encryption, S/MIME ensures full protection of critical information transmitted via email and proper compliance with federal regulations.
To learn more, read Meeting Federal Requirements for Secure Email.
Next up: S/MIME 101: Making GDPR Compliance Easy with S/MIME
Previous blogs in this series
S/MIME 101: Why Email is Vulnerable and How S/MIME Can Help