Government Contracting Industry Alert: DOD Provides Federal Contractors More Time To Achieve Cybersecurity Compliance

January 20, 2016

Thomas C. Yankanich, CPA, Director, Audit & Accounting, Leader - Government Contracting, Professional Services, and Architecture & Engineering Industry Groups

Federal contractors voiced concerns about the timeline for cybersecurity compliance requirements, originally believed to be mandated for 2016, and the U.S. Department of Defense (DOD) listened.

On December 30, 2015, the DOD granted more time for contractors and certain subcontractors to comply with the standards contained in the National Institute of Standards and Technology (NIST) Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.” Contractors now have until December 31, 2017, to implement the new security requirements.

While additional time has been granted, the DOD attached certain conditions. The new solicitation clause requires offerors to identify to the contracting officer any variances between their cybersecurity procedures and those NIST SP 800-171 standards that are in effect at the time of contract award. The contractor’s submission will need to include an explanation as to why a particular security requirement is not applicable or how an alternative security measure will provide security and protection equal to that of the NIST standards. Submissions will be reviewed by the DOD Chief Information Officer, who will approve or disapprove the variances prior to the award. Any approved variances will be included in the final contract.

How exactly will this affect subcontractors? In addition to the extension of the compliance date, the DOD’s recent interim rules specify that the cybersecurity clauses should be flowed down to subcontractors only when their efforts involve covered defense information or they will provide operationally critical support.

In summary, government contractors now have more time to implement the NIST SP 800-171 standards. But they need to start “getting their ducks in a row,” considering their current security measures and where they will need to be tomorrow.


If you have any questions or comments about this topic, please contact Thomas C. Yankanich, Director, Audit & Accounting, at Email or 215-441-4600.

Information contained in this alert should not be construed as the rendering of specific accounting, tax, or other advice. Material may become outdated and anyone using this should research and update to ensure accuracy. In no event will the publisher be liable for any damages, direct, indirect, or consequential, claimed to result from use of the material contained in this alert. Readers are encouraged to consult with their advisors before making any decisions.