Roadmap to DFARS Compliance by December 2017 Deadline

Share Button

This article was co-authored by Natasha Barnes.

2017 is a significant year for Department of Defense (DoD) contractors, as Defense Federal Acquisition Regulation Supplement (DFARS) compliance is required “as soon as practical, but no later than December 31, 2017 (252.204-7012.ii.A).” DFARS clause 252.204-7008 addresses requirements for safeguarding covered defense information controls in government contractor systems. Covered defense information is a broad term for unclassified controlled technical information or other Controlled Unclassified Information (CUI), which has protection and dissemination requirements. Clause 252.204-7012 expands on these safeguards to include cyber incident reporting requirements. These mandatory controls are detailed in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171: Protecting Controlled Unclassified Information in Non-Federal Information Systems and Organizations.

As there are 109 controls in NIST SP 800-171, government contractors may be concerned about successfully navigating the road to compliance. A gap analysis can determine a remediation approach for deficient areas. This gap analysis can be expedited by using Appendix D – Mapping Tables, which maps CUI Security Requirements to NIST SP 800-53: Security and Privacy Controls for Federal Information Systems and Organizations and International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27001: Information Security Management controls.

Remediation activities should include clearly documenting controls via matrices or procedures that are developed from a comprehensive suite of IT policies. Once the appropriate controls and documents are in place, monitor the controls for proper design and operating effectiveness. If controls sufficiently address 800-171 control objectives but vary from the requirements, per 252.204-7012, contractors may submit an exception request for the DoD Chief Information Officer (CIO) to consider. This process is also followed when contractors determine a control is not applicable to their services.

The time is now to determine how DFARS compliance will be implemented by the deadline. Considering the new requirements may result in control development or revision, proactive contractors will be well-positioned to maintain current and receive new DoD awards. DFARS does not contain specific details on 800-171 implementation evaluation criteria, but the expectation is that all DoD contractors will meet the requirements. In addition to the implementation deadline, contractors who receive awards before October 1, 2017, but have not implemented all 800-171 controls must report this status within 30 days of the award date to the DoD CIO via email.

Federal agency cybersecurity effectiveness and resilience is imperative to national security goals. Government contractors have a responsibility to remain trustworthy DoD partners to support mission fulfillment through effective DFARS compliance. For more information, please contact Aronson Technology Risk Services Partner Payal Vadhani at

Learn more about our approach to FISMA & DFARS compliance here.

About Payal Vadhani

Payal Vadhani has written 4 post in this blog.

Payal Vadhani is the partner-in-charge of Aronson LLC’s Technology Risk Services Group. She is an innovative and seasoned executive with more than fifteen years of technology risk advisory and assurance experience. Her experience has been providing internal auditing, IT risk management, information and cyber security, third party reporting, compliance, process improvement, and additional technology risk services to clients across industries. In particular, she has extensive financial services experience. Throughout her career, she has sought to align clients’ needs and strategic objectives with an approach that manages the risks of technology with the benefits. As a trusted advisor to her clients, Payal succeeds in breaking down complex technology concepts and developing pragmatic, cost-effective solutions that minimize risk and add value. She offers significant experience building technology risk management programs and managing large advisory engagements. In her current role, she is focusing on the development of risk services related to existing and emerging technologies including cloud (private and public) computing, mobile computing, big data, social media, and internet of things. Payal earned a Master’s of Business Administration degree in Information Technology from American University. She received her Bachelor’s in Engineering degree in Computer Science from the University of Pune, one of the premier universities in India. She holds credentials in IT Capability Maturity Framework (IT-CMF) and Certified Information Systems Auditor (CISA).

View Archives

Blog Authors

Latest Webinar Videos