Editor’s Note: This post was created by Jon Williams, who is a partner with PilieroMazza and a member of the firm’s Government Contracts Group.
We have been blogging and giving webinars since last year about the DoD requirements around cybersecurity for contractors that are subject to DFARS 252.204-7012. Please view our past blogs and webinars here and here to get more of the backstory.
In a nutshell, DoD contractors operating nonfederal IT systems and subject to DFARS 252.204-7012 were required to have a system security plan (“SSP”) in place by December 31, 2017, to demonstrate compliance with the recommended security controls in NIST SP 800-171. Although the DFARS requirements were black-and-white, there was a fair amount of uncertainty late last year and continuing into this year about what contractors needed to do to comply and whether and how DoD would enforce the requirements.
DoD has taken some of the mystery out of these cyber requirements in recently released draft guidance.
See GTPAC’s instructional video on achieving compliance with DFARS 252.204-7012 and NIST guidance at: http://gtpac.org/cybersecurity-training-video/