Many defense contractors have ignored this regulation until they (1) received something from their prime inquiring about their compliance status, or (2) they received a modification to their current prime or subcontract with the DFARS 252.204-7012 compliance requirement contained in the solicitation requirements. We don’t blame them for wanting their prime, or the government, to prove that this requirement applied to their company, but no matter when or how the requirement was enforced, the deadline for compliance has remained December 31, 2017.
There may not be many clear answers coming from the DoD regarding how compliance will be audited and when, but what has been consistent from the start is (1) the deadline and (2) that the DFARS 7012 compliance requirement applies to all defense contractors – regardless of size.
Here is what we do know: the DoD is being very pragmatic about how they are going to enforce this requirement. In other words, there is not much out there to support that your contracts will be taken away if you’re found non-compliant come Jan. 1. What we know for sure is that when an auditor/prime contractor/agency comes knocking on your door for a compliance status, they will want to see your System Security Plan (SSP) and your Plan of Actions and Milestones (PoA&M). We call these documents the “Show Me” documents. Your SSP and PoA&M will give auditors/prime contractors/agencies proof that your compliant or a clear picture of where you are in your compliance process.
From what we have heard from the DoD, auditors/prime contractors/agencies want to see PROGRESS.
Our recommendation is this: start with an Assessment of your current network to populate a PoA&M. An assessment from our ISSO, using our TechDART Assessment tool, will do just that. After that, work through documentation (policies, procedure, validation, etc.). The custom templates we’ve created with already written policies, procedures, and validations would be a productive next step to create solid documentation – and cut your compliance time in half.
We have helped, and are currently helping, over 20 government contractors through the DFARS 252.204-7012 (Implementing NIST 800-171) compliance process. Help ranging from full implementation to customers simply purchasing our templates or technical solutions from our many partners. The compliance program we’ve created was done to fit any sized and type corporate infrastructure. Give us a call today or fill out the form below to set-up some time with our specialists. We would love to sit down and discuss how our consulting services and technical solutions can guide your company to compliance with DFARS 7012 in the most productive and cost-effective way possible.