Some Good News and Bad on the DFARS Compliance Deadline

Ellen Lord, the Undersecretary of Defense for Acquisition, Technology and Logistics, recently
testified before Congress on the end-of-year deadline for compliance with the DFARS/NIST (SP)
800-171 cybersecurity and cyber-incident reporting requirements, giving both good and bad news to
DoD contractors.

Nashua, NH, December 27, 2017 --(PR.com)-- Many Department of Defense (DoD) Contractors have
been looking at the end of 2017 with dread. Strict, new DoD regulations require that before 2018 they
comply with detailed cybersecurity and cyber-incident reporting requirements or lose their DoD
contracts. But now, those who thought they could not meet that deadline have been thrown a lifeline.

Ellen Lord, who is the Undersecretary of Defense for Acquisition, Technology and Logistics, recently
testified before Congress on the end-of-year deadline for compliance with the DFARS/NIST (SP)
800-171 cybersecurity and cyber-incident reporting requirements. Her testimony had both good news and
bad news, with the good outweighing the bad.

The good news is that despite the seemingly mandatory language of DFARS section 252.204-7008 that a
contractor will “implement” the 110 controls in 800-171 “not later than December 31, 2017”(1),
Undersecretary Lord stated that “the only requirement for this year is to lay out what your plan is...”

The bad news is that a plan must be more than just planning to comply. Secretary Lord indicated that
there is a need for a “template” against which a contractor can “just report [its] compliance to it.”

A video of Secretary Lord's remarks and an article describing their effect are at the links in the footnote
below.(2) As the commentator in the article says, “[c]ompanies that do not adhere to the new rules could
lose existing contracts and be barred from seeking new government contracts.”

So, the good news is that end-of-year compliance has become easier. The bad news is that still not having a
solution in place means loss of DoD business.

But there is more good news. RegDOX has an off-the-shelf compliance plan for medium and small
defense contractors and sub-contractors. It provides the same gap analysis, remediation, plan of action
and milestones we have been providing DoD contractors over the past year. RegDOX is prepared to get
this in place for your company by the end of 2017. Just call.

RegDOX Solutions Inc.


1 Tara Blvd., Suite 300
Nashua, NH 03063

+1.603.589.4830
RegDOX.Sales@RegDOX.com
www.RegDOX.com

PR.com Press Release Distribution Terms of Use
(1) See also 252.204-7012(b)(2)1(ii)(A) (“The Contractor shall implement NIST SP 800-171, as soon as
practical, but not later than December 31, 2017. For all contracts awarded prior to October 1, 2017, the
Contractor shall notify the DoD Chief Information Officer (CIO), via email at osd.dibcsia@mail.mil,
within 30 days of contract award, of any security requirements specified by NIST SP 800-171 not
implemented at the time of contract award.”)

(2) https://www.c-span.org/video/?c4701321/hon-ellen-lord-dfars-cyber-comments
http://www.nextgov.com/cio-briefing/2017/12/pentagon-delays-deadline-military-suppliers-meet-cybersecurity-rules/144562/

Contact Information:
RegDOX Solutions Inc.
Jessica Stepanek
603-589-4830
www.RegDOX.com

Online Version of Press Release:


You can read the online version of this press release at: https://www.pr.com/press-release/739916
