Compliance with DFARS 252.204-7012 & NIST 800-171; Expect 2019 to be the year of audit and enforcement

By Eric Noonan • November 29, 2018

On November 6th, 2018, DoD’s Acting Principal Director for Defense Pricing and Contracting (DPC) issued a memorandum titled, “Guidance for Assessing Compliance and Enhancing Protections Required by DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting” that is expected to be transformative in the enforcement of compliance throughout the acquisition process.

While the implementation of DFARS and NIT 800-171 requirements have been mandatory since December 2017, many Department of Defense (DoD) contractors haven’t yet felt the sting of an audit and efforts were largely contained to completing checklists from government contracting officers or Primes. The DoD telegraphed a transition to enforcement and the impacts of non-compliance with guidance made available to the public for comment in Federal Register, Volume 83 Issue 79 (Tuesday, April 24, 2018). All comments were considered and integrated, when appropriate, into the final documents and as expected 2019 will be a game changer for non-compliant Prime and subcontractors.

The November 6th, 2018 memorandum references two new guidance documents providing for enforcement of DFARS 252.204-7012 & NIST 800-171 across the entire supply chain:

“DoD Guidance for Reviewing System Security Plans and the NIST SP 800-171 Security Requirements Not Yet Implemented”

“Guidance for Assessing Compliance of and Enhancing Protections for a Contractor’s Internal Unclassified Information System”

This new set of guidance empowers acquisition officers to enforce compliance throughout the entire acquisition lifecycle, both before and after contract award. Changes include:

  • A standard for the data content and format to be used in NIST SP 800-171 System Security Plans
  • Adding cybersecurity measures in addition to those found in NIST SP 800-171
  • Creating an “Acceptable” (Go/No Go threshold) rating, which can require “must-have” NIST 800-171 requirements to be in place before an award can be made
  • Incorporates 800-171 compliance as a technical evaluation factor, which often becomes part of the weighted score for contract awards
  • Conducting on-site assessments, using NIST SP 800-171A: Assessing Security Requirements for Controlled Unclassified Information
  • Requiring a contractor to complete a new form titled: ‘Contractor’s Record of Tier 1 Level Suppliers Receiving/Developing Covered Defense Information
  • Requesting a contractor’s plan to track flow down of Covered Defense Information
  • Requesting a contractor’s plan to assess the compliance of their own suppliers

With the ability to request a contractor’s plan to track flow down of Covered Defense Information (CDI) and request the contractor’s plan to assess the compliance of their own suppliers, Prime contractors are expected to document and demonstrate enforcement of their own supply chain’s compliance.

In 2019 Prime and Subcontractors can expect to be audited against actual implementation the DFARS 252.204-7012 & NIST 800-171 security requirements. For those taking a wait and see approach to the impact of your ability to do business with the DoD without implementing NIST 800-171; you just got your answer, 2019 will be a year of reckoning for non-compliant Prime and subcontractors.

If you have delayed documenting your SSP, POA&Ms or actually implementing the NIST 800-171 requirements, CyberSheath can lead your efforts to achieve compliance by conducting a gap assessment of your compliance with NIST 800-171, writing the required System Security Plan (SSP) and leading your implementation efforts. Contact Us today to get started!

CyberSheath Blog

Dr. Robert Spalding to Address Nation-State Attacks at CMMC Con 2021

Since the inaugural CMMC Con, we’ve seen some of the most malicious attacks on American infrastructure ever executed. The SolarWinds attack reverberated across the entire government as agencies scrambled to discover what nation-state attackers had accessed and stolen. The Colonial Pipeline, shut down by a ransomware attack, led to fuel…

CMMC-AB vice chair Jeff Dalton to address CMMC Con 2021

The swiftness and severity of recent cyber attacks has dominated headlines and revealed that many organizations still don’t quite know what to do to protect themselves, as well as the businesses and government entities they’re connected to.   Ransomware attacks were a big point of discussion at the recent G7…

CMMC Con 2021 Opens Registration, Reveals Theme and Speakers

CMMC compliance stands in the way of revenue for every defense contractor in the supply chain. Now that CMMC is a reality for the Defense Industrial Base (DIB), learn how contractors — primes and subs, large and small, foreign-owned — are handling the standards and requirements, as well as the…

Our Trusted Partners

Cyberark McAfee Thycotic RSA Tenable Alien Vault Alert Logic Microsoft

CMMC Con 2021 is here! Save your spot to hear the latest on CMMC from our expert speakers across the government and Defense Industrial Base.