Are You Ready to Be Audited by the DoD?

December 12, 2018 Posted by Nick DeLena Cybersecurity, DFARS

If you are a prime or sub-tier contractor to the Department of Defense, chances are pretty good that you’ve heard of the DFARS clauses 252.204-7008 and 252.204-7012, titled “Compliance with Safeguarding Covered Defense Information Controls” and “Safeguarding Covered Defense Information and Cyber Incident Reporting”, respectively. Unless you are selling commercial off-the-shelf (COTS) products, you are subject to these requirements.

Clauses 7008 and 7012 require organizations that process, store, or transmit Covered Defense Information to implement the 110 security requirements in NIST Special Publication 800-171r1.

Contractors subject to these clauses have been required to self-attest compliance or face contractual penalties, with no official audit mechanism – until now.

Recently, the DoD issued “Guidance for Assessing Compliance of and Enhancing Protections for a Contractor’s Internal Unclassified Information System”, which outlines procurement guidance for DoD buyers. In it, the DoD establishes new guidance for procurement staff covering both pre-award and post-award activities.

Pre-Award Guidance:

  • Contractors must self-attest their compliance to provision 252.204-7008 and clause 252.204-7012
  • Evaluate the possibility of requiring enhanced cybersecurity measures in addition to the security requirements in NIST SP 800-171 based on project specifics
  • Establish measures to assess/affirm contractor compliance with cybersecurity requirements:
    • Establish Go/No-go evaluation criteria based on NIST SP 800-171 implementation status
    • Establish compliance with NIST SP 800-171 implementation as a separate technical evaluation factor – requiring delivery of the contractor’s System Security Plan (SSP) and Plan of Action and Milestones (POAM)
    • Conduct on-site government assessment of the contractor’s internal unclassified information system in accordance with NIST SP 800-171A
    • Contractor to identify known Tier 1-level suppliers and request contractor’s plan to track flow-down and assess compliance of Tier 1-level suppliers

Post-Award Guidance:

  • Conduct on-site government assessment of the contractor’s internal unclassified information system in accordance with NIST SP 800-171A
  • Identify DoD controlled unclassified information requiring protection

The detail and guidance surrounding the on-site assessments are as yet undefined, but in June 2018 the DoD Office of Inspector General announced an audit covering a number of contractors and subcontractors. The results of this audit and any further actions have not been made public, but we can reasonably expect more of this activity as the DoD looks to shore up the cybersecurity controls of the defense industrial base.

What you need to do

If you are either a prime or sub-tier DoD contractor providing anything but COTS goods, chances are you are subject to clauses 7008 and 7012. This is a good opportunity to confirm that by reviewing your contracts and purchase order provisions. Assuming you are subject to these requirements, you must take action immediately to achieve compliance. The first step is to perform an assessment of your IT environment against the 110 security requirements in NIST Special Publication 800-171r1. NIST has issued another Special Publication, 800-171A, “Assessing Security Requirements for Controlled Unclassified Information (CUI)”, to assist organizations in assessing their controls. If you do not have the expertise in-house to conduct the self-assessment, consider hiring a qualified third party to do so. Likewise, if you are a prime contractor struggling to get a handle on your subcontractors’ compliance programs, consider using a qualified organization that specializes in this area to perform this function for you.

The result of this exercise should be a System Security Plan (SSP), which describes your implementation of the requirements, and a Plan of Action and Milestones (POAM), which lists the controls not yet implemented and defines a plan with milestones to achieve full compliance. Contractors are not authorized to deviate from the requirements in SP 800-171r1 without written approval from the Department of Defense.

Because of the self-attestation provision in the DFARS clause, if you invoice the DoD or a higher-tier contractor while subject to clauses 7008 and 7012 without a corresponding compliance program in place, you may not only lose existing and future contracts but also be subject to prosecution under the False Claims Act.

Don’t take that chance.

Bring in the experts to get you moving in the right direction. OCD Tech, the IT Audit & Security division of O’Connor & Drew, is a leading provider of DFARS cybersecurity compliance services in the Northeast. Contact us to see how we can help with your compliance needs.

About Nick DeLena

Nick leads engagements across the division’s primary practice areas, including audit, security, and advisory services. He’s a 19-year veteran of IT and IT risk management, having audited, consulted, and managed IT teams in a variety of industries. He holds several leading certifications, including CISSP, CISA, CRISC, and Security+, among others, and has an MBA from Brown University.