DFARS & NIST Deadline Requirements (Updated)
What is the deadline date for compliance with DFARS 252.204-7012?
The deadline for DoD contractors has expired. DoD contractors must now be compliant with DFARS 252.204-7012 and all related DFARS Regulations. There is no grace period.
What does "DFARS Compliant" mean? Has that changed recently?
The definition of "DFARS Compliance" was clarified in the Sept 21, 2017 memo from the Office of the Under Secretary of Defense.
In summary, the DoD softened the compliance requirements to enable more contractors to meet the end-of-2017 deadline. While contractors aren't currently required to remediate every NIST SP 800-171 gap, they should work diligently toward closing all of them as quickly as possible. Audits have been conducted, and changes to RFPs and contracts have been proposed and are under draft review. These changes may require vendors to submit their System Security Plan (SSP) and Plan of Action & Milestones (POA&M) with any new proposal as part of the award evaluation criteria. Furthermore, various controls have been assigned a priority or 'weighted importance' for evaluating proposals.
To be DFARS compliant, contractors must:
- Assess their cybersecurity posture against NIST SP 800-171 and develop an SSP covering those controls
- Develop a Plan of Action & Milestones (POA&M) showing when they will begin and complete remediation of any NIST SP 800-171 gaps
- Obtain a Medium Assurance digital certificate for rapid incident logging
- Flow down this requirement to any subcontractors that will be handling CDI-related information
- Verify that any cloud applications used by the contractor to store CDI meet the FedRAMP Moderate equivalence standard
Is there a compliance deadline for NIST SP 800-171?
No. Contractors can choose not to remediate their NIST SP 800-171 gaps.
HOWEVER, you may NOT be awarded ANY future DoD business. NIST SP 800-171 compliance can, and likely will, be considered as part of any future contract awards. Future RFPs may contain compliance requirements, such as "Must be 100% NIST SP 800-171 compliant".
Bottom line: while you have been given additional time to close any gaps you have, it is HIGHLY recommended that you complete your remediation efforts as quickly as possible if your firm intends to continue pursuing DoD contracts.