How to Ensure NIST 800-171 Subcontractor Compliance

By Eric Noonan • January 11, 2018

The December 31, 2017 deadline for creating a System Security Plan (SSP) and associated Plans of Action & Milestones (POA&Ms) aligned with NIST Special Publication 800-171 requirements has passed. If you are a DoD prime contractor, now it’s time to focus on subcontractor compliance.

Subcontractor Compliance and CDI

DFARS 252.204-7012 (“the DFARS cyber clause”) compelled you to validate your own compliance status and address any cybersecurity gaps. As a prime, you have satisfied your in-house compliance obligations. Now it’s time to turn your attention to your subcontractors since the DFARS cyber clause must be flowed down to all suppliers or subcontractors that store, process and/or generate Covered Defense Information (“CDI”) as part of contract performance.

Keep in mind that CDI is defined as “unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry at, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies, and is:

  1. Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or
  2. Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.

Controlled technical information is technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination.”

How to Ensure Subcontractor Compliance

Subcontractors can achieve compliance with the NIST 800-171 Rev. 1 requirements in a variety of ways, including flow down of the 252.204-7012 clause in subcontract documents that communicate the specific requirements of the DFARS cyber clause in detail. This includes the mandate for subcontractors to:

  • Create an SSP and associated POA&Ms.
  • Fully implement the requirements outlined in the clause and NIST 800-171.
  • Report non-compliance to the DoD CIO’s office within 30 days after contract award.
  • Report cyber incidents within 72 hours.
  • Formally flow down the DFARS cyber clause to all lower-tier suppliers/subcontractors storing, processing, and/or generating CDI.
  • Be in full compliance with the DFARS cyber clause.

Remember that as a prime contractor, you are ultimately liable for the compliance of your suppliers and subcontractors. Make sure the flow down of requirements and the validation of compliance is a formal, documented, and repeatable process.

Also, if you are using an existing Governance, Risk, and Compliance (GRC) technology for other regulatory compliance requirements, you should be able to extend its use to cover DFARS 252.204-7012 subcontractor compliance. If you don’t have an existing GRC solution, consider these alternatives:

  • Partner with a Managed Security Services Partner (MSSP) that offers a compliance and reporting capability specific to NIST 800-171. Many of the required controls can be mapped back to managed service offerings to produce automated compliance reporting.
  • Work with your contracting organization to create and implement a process that can be incorporated into the existing contracting business cycle. Contracts staff already play a key role in subcontractor compliance for other contract clauses, and adding DFARS 252.204-7012 requirements should be a logical fit.

Bottom line: It’s the prime contractor’s obligation to flow down DFARS 252.204-7012 requirements to all suppliers or subcontractors. Planning for success now is imperative.

If you need help complying with NIST SP 800-171, contact us at

