Some Good News and Bad on the DFARS Compliance Deadline

Nashua, NH, December 27, 2017 –(– Many Department of Defense (DoD) Contractors have been looking at the end of 2017 with dread. Strict, new DoD regulations require that before 2018 they comply with detailed cybersecurity and cyber-incident reporting requirements or lose their DoD contracts. But now, those who thought they could not meet that deadline have been thrown a lifeline.

Ellen Lord, who is the Undersecretary of Defense for Acquisition, Technology and Logistics, recently testified before Congress on the end-of-year deadline for compliance with the DFARS/NIST (SP) 800-171 cybersecurity and cyber-incident reporting requirements. Her testimony had both good news and bad news, with the good outweighing the bad.

The good news is that despite the seeming mandatory language of DFARS section 252.204-7008 that a contractor will “implement” the 110 controls in 800-171 “not later than December 31, 2017”(1), Undersecretary Lord stated that “the only requirement for this year is to lay out what your plan is…”

The bad news is that a plan must be more than just planning to comply. Secretary Lord indicated that there is a need for a “template” against which a contractor can “just report [its] compliance to it.”

A video of Secretary Lord’s remarks and an article describing their effect are at the links in the footnote below.(2) As the commentator in the article says, [c]ompanies that do not adhere to the new rules could lose existing contracts and be barred from seeking new government contracts.”

So, the good news is that end-of-year compliance has become easier. The bad news is still not having a solution in place means loss of DoD business.

But there is more good news. RegDOX has an off-the-shelf compliance plan for medium and small defense contractors and sub-contractors. It provides the same gap analysis, remediation, plan of action and milestones we have been providing DoD contractors over the past year. RegDOX is prepared to get this in place for your company by the end of 2017. Just call.

RegDOX Solutions Inc.

1 Tara Blvd., Suite 300

Nashua, NH 03063


[email protected]

(1) See also 252.204-7012(b)(2)1(ii)(A) (“The Contractor shall implement NIST SP 800-171, as soon as practical, but not later than December 31, 2017. For all contracts awarded prior to October 1, 2017, the Contractor shall notify the DoD Chief Information Officer (CIO), via email at [email protected], within 30 days of contract award, of any security requirements specified by NIST SP 800-171 not implemented at the time of contract award.”)


Leave a Reply

Your email address will not be published.