Compliance for Defense Contractors and Subcontractors

Department of Defense (DoD) contractors and subcontractors must comply with a cybersecurity program under the Defense Federal Acquisition Regulation Supplement (DFARS). To comply with DFARS, contractors must address the requirements listed in the following documents:

  • 252.204-7008: Compliance with Safeguarding Covered Defense Information Controls
  • 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting with the Application of NIST SP 800-171 controls

The deadline for compliance was December 31, 2017. If you have not implemented the regulations by now, you are at risk of losing current and future DoD contracts.

DFARS Compliance Clauses

WHAT IS NIST SP 800-171?

NIST SP 800-171 is a U.S. standard for the protection of controlled unclassified information (CUI). CUI refers to information that federal agencies share with non-government entities.

NIST SP 800-171 is designed to address those instances where cybersecurity compliance is not explicitly addressed. Although it went into effect on December 31, 2017, many contractors are not in full compliance, even though noncompliance can result in a loss of all current and future contracts.

At GreyCastle Security, we understand the magnitude of NIST SP 800-171 compliance. There are 110 controls spread over 14 groups or categories of security. Putting together the necessary resources to ensure compliance can be overwhelming; however, failing to comply could be disastrous. We have assembled an experienced team that can help plan and oversee compliance efforts starting with identifying CUI through assessment to compliance.

Successful NIST compliance requires more than checking off boxes. It requires an understanding of a cybersecurity landscape of increasing threats. NIST compliance is not a one-time event. It is an ongoing process of continuous improvement of security policies and procedures. That's why organizations need partners with experience in the areas of NIST compliance, such as:

  • User access and controls
  • Disposal of digital assets
  • Risk and security assessments
  • Incident reporting and response
  • Infrastructure protection

GreyCastle Security's approach to DFARS compliance rests on partnering with our clients to develop a process of continuous improvement of their cybersecurity. Contact us to begin that partnership.