DFARS & NIST DCMA Audits
Are You 100% Compliant on DFARS 252.204-7012 and NIST SP 800-171?
The deadline for DoD contractors has expired. DoD contractors must now be compliant with DFARS 252.204-7012 and all related DFARS Regulations, including NIST SP 800-171. There is no grace period. Contractors are being audited by DCMA, specifically focusing on their NIST SP 800-171 compliance, their Systems Security Plan (SSP), Plan of Actions and Milestones (POA&M), and Policies.
What does "DFARS Compliant" mean? Has that changed recently?
The definition of "DFARS Compliance" was clarified in a Sept 21, 2017 memo from the Office of the Under Secretary of Defense.
In summary, the DoD softened the compliance requirements to enable more contractors to meet the end-of-2017 deadline for compliance. At that time, contractors weren't required to remediate every NIST SP 800-171 gap.
While that regulation hasn't officially changed, the DCMA Inspectors General have ruled that contractors must be diligent and sincere in addressing the requirement. Therefore, they are specifically reviewing the accuracy and status of your SSP, POA&M, Policies AND IMPLEMENTATION of the cybersecurity controls defined in NIST SP 800-171.
All of our clients that have undergone these audits have passed on the first try. If you are facing an audit, we can help! We can answer any questions you have now and provide advice, services, and support to help you pass your audit.
And, if you haven't yet addressed your regulatory compliance requirements, we can help you obtain compliance within a few weeks.