How to Ensure NIST 800-171 Subcontractor Compliance

The December 31, 2017 deadline for creating a System Security Plan (SSP) and associated Plans of Action & Milestones (POA&Ms) aligned with NIST special publication 800-171 requirements has passed. If you are a DOD prime contractor, now it’s time to focus subcontractor compliance.

Subcontractor Compliance and CDI

DFARS 252.204-7012 (“the DFARS cyber clause”) compelled you to validate your own compliance status and address any cybersecurity gaps. As a prime, you have satisfied your in-house compliance obligations. Now it’s time to turn your attention to your subcontractors since the DFARS cyber clause must be flowed down to all suppliers or subcontractors that store, process and/or generate Covered Defense Information (“CDI”) as part of contract performance.

Keep in mind that CDI is defined as “unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies, and is:

  1. Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DOD in support of the performance of the contract; or
  2. Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.

Controlled technical information is technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination.”

How to Ensure Subcontractor Compliance

Subcontractors can achieve compliance with the NIST 800-171 Rev. 1 requirements in a variety of ways including flow down of the 252.204-7012 clause in subcontract documents that contain detailed communication with the specific requirements of the DFARS cyber clause. This includes the mandate for subcontractors to:

  • Create an SSP and associated POA&Ms.
  • Fully implement the requirements outlined in the clause and NIST 800-171.
  • Report non-compliance to the DOD CIOs office within 30 days after contract award.
  • Report cyber incidents within 72 hours.
  • Formally flow down the DFARS cyber clause to all lower-tier suppliers/subcontractors storing, processing, and/or generating CDI.
  • Be in full compliance with the DFARS cyber clause.

Remember that as a prime contractor, you are ultimately liable for the compliance of your suppliers and subcontractors. Make sure the flow down of requirements and the validation of compliance is a formal, documented, and repeatable process.

Also, if you are using an existing Governance, Risk, and Compliance (GRC) technology for other regulatory compliance requirements, you should be able to extend its use to cover DFARS 252.204-7012 subcontractor compliance. If you don’t have an existing GRC solution consider these alternatives:

  • Partner with a Managed Security Services Partner (MSSP) that offers a compliance and reporting capability specific to NIST 800-171. Many of the required controls can be mapped back to managed service offerings to produce automated compliance reporting.
  • Work with your contracting organization to create and implement a process that can be incorporated into the existing contracting business cycle. Contracts staff already play a key role related to subcontractor compliance for other contract clauses and adding DFARS 252.204-7012 requirements should be a logical fit.

Bottom line: It’s the prime contractor’s obligation to flow down DFARS 252.204-7012 requirements to all suppliers or subcontractors. Planning for success now is imperative.

If you need help complying with NIST SP 800-171, contact us at


CyberSheath’s Federal Enclave: The Fast Track to CMMC Compliance. Checkout the Enclave Whitepaper to Learn More.
This is default text for notification bar