DFARS NIST 800-171

NIST states: “All Department of Defense (DoD) contractors that process, store or transmit Controlled Unclassified Information (CUI) must meet the Defense Federal Acquisition Regulation Supplement (DFARS) minimum security standards by December 31, 2017 or risk losing their DoD contracts”. The DoD CIO has mandated that all companies doing business with the Department of Defense, and their subcontractors, must be in compliance with DFARS (Defense Federal Acquisition Regulation Supplement) 252.204-7012 / NIST 800-171.

There are 110 controls across 14 areas (control families) of NIST SP 800-171 that DoD contractors must implement:

  • Access (22)
  • Identification & Authentication (11)
  • Personnel Security (2)
  • Awareness & Training (3)
  • Incident Response (3)
  • Physical Protection (6)
  • Audit & Accountability (9)
  • Configuration Management (9)
  • Risk Assessment (3)
  • Maintenance (6)
  • System & Communications Protection (16)
  • Security Assessment (4)
  • Media Protection (9)
  • System & Information Integrity (7)

Implications of Non-compliance

Termination for Default

  • A government agency may exercise its right to terminate a contract for failure to comply with mandated cybersecurity and IT requirements.

Breach of Contract

  • Non-compliance with the security requirements can be treated as a breach of the contract.

Liquidated Damages

  • Government agencies may add provisions in the form of damages when sensitive personal information is involved, ranging from $35 to $5,000 per affected file.

False Claims Act

  • Prime contractors and subcontractors will be held liable under the False Claims Act if they submit any false information.

To help monitor risk, we track the following forward-looking metrics:

  • Time it takes to detect and mitigate cyber incidents
  • Volume of unknown devices connected to the internal network
  • Vendors that are non-compliant with security requirements
  • Employees failing phishing tests
  • Effectiveness of current education, training, and awareness

Questions to ask yourself:

1. How can government contractors accurately and cost effectively assess their cybersecurity compliance to NIST SP 800-171?

2. What actions do U.S. government contracting officers plan to take if government contractors fail to comply with the DFARS 252.204-7012 (NIST SP 800‑171 compliance requirement) after the Dec. 31, 2017, deadline?

3. How should government contractors pay for this additional cybersecurity compliance expense?

4. Do I have to purchase cybersecurity liability insurance?

5. Will prime government contractors be held contractually responsible and financially liable for cyber-related damages caused by their subcontractors and/or third-party partners’ failure to comply with NIST SP 800-171?

6. How can government contractors staff and retain high-quality cybersecurity talent to meet the increasing number of government information security compliance standards when considering the highly competitive marketplace and global shortage of cybersecurity professionals today?

NIST 800-171 is a framework that specifies how your information systems and policies need to be set up in order to protect Controlled Unclassified Information (CUI). Earlier in 2017, DoD contractors learned about the new DFARS clause that required existing contractors and subcontractors to be NIST 800-171 compliant before December 31, 2017. Many have missed that deadline, and new contractors are searching for help with this requirement.

Contact RB Advisory

Copyright 2019 by RB Advisory LLC