DFARS & NIST Deadline Requirements Updated
What is the deadline date for compliance with DFARS 252.204-7012?
The deadline for DoD contractors has expired. DoD contractors must now be compliant with DFARS 252.204-7012 and all related DFARS Regulations. There is no grace period.
What does "DFARS Compliant" mean? Has that changed recently?
The definition of "DFARS Compliance" has been clarified in this Sept 21, 2017 memo from the Office of Under Secretary of Defense (CLICK HERE).
In summary, the DoD has softened the compliance requirements to enable more contractors to meet the end-of-year deadline for compliance. Contractors ARE NO LONGER REQUIRED TO REMEDIATE EVERY NIST SP 800-171 GAP!
To be DFARS compliant, contractors must:
- Assess their cybersecurity posture against NIST SP 800-171 and develop a System Security Plan covering those controls
- Develop a Plan of Action & Milestones (POA&M) showing when they will begin and complete any NIST 800-171 gaps remediation
- Obtain your Medium Assurance digital certificate for rapid incident logging
- Flow down this requirement to any of your subcontractors that will be handling CDI-related information
- Verify that any Cloud Applications used by the contractor and storing CDI meet the FedRamp Moderate equivalence standard
Is there a compliance deadline for NIST SP 800-171?
No. Contractors can choose not to remediate their NIST SP 800-171 gaps.
HOWEVER, you may NOT be awarded ANY future DoD business. NIST SP 800-171 compliance can, and likely will, be considered as part of any future contract awards. Future RFPs may contain compliance requirements, such as "Must be 100% NIST SP 800-171 compliant".
Bottom line, while you have been given additional time to plug any gaps you have, it is HIGHLY recommended that you complete your remediation efforts as quickly as possible if your firm will continue to pursue additional DoD contracts.