DoD Meets Contractors Half-Way at Industry Information Day

On June 23, the Department of Defense hosted its highly anticipated Industry Information Day to respond to feedback received from the contracting community regarding last year’s finalization of DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. Top of mind for many in attendance was the looming end-of-year deadline to implement NIST SP 800-171, including its requirements regarding multifactor authentication. By the end of the session, however, DoD representatives repeatedly stated that contractors may use system security plans (SSPs) and plans of action and milestones (POAMs) to document their anticipated implementation of the required controls and thus comply with the Clause – even if the actual implementation of those controls extends beyond 2017. A revised set of FAQs is expected next month, which should provide additional details regarding this new guidance.