Further guidance regarding cyber security compliance has been provided by Ellen Lord, the Defense Undersecretary for Acquisition, Technology, and Logistics. The January 1, 2018 deadline for being 100% compliant has been relaxed to now “the only requirement for this year is to lay out what your plan is” said Ms. Lord in a briefing given on December 7, 2017. She goes on to say “that can be a very simple plan.” So, perhaps cyber security is not as scary as it initially seemed!

Don’t get too comfy thinking you can put off cyber security a little longer. This clarification still requires contractors to have a System Security Plan by December 31st.  Your System Security Plan describes the current state of your information system and outlines a plan of how the requirements in cyber security will be met for those things that your current information system is lacking.

DFAR 204.73 is driving this requirement and contains the prescriptions for the clauses you will see in your contracts: 252.204-7008, 252.204-7009, and 252.204-7012.

Helpful cyber security information can be found at the following websites:

https://www.nist.gov/mep/dfars-cybersecurity-requirements

https://business.defense.gov/Small-Business/Cybersecurity/