State of DFARS Compliance 5 Months From 31 Dec 2017 Deadline

As of Q2 2017, 87% of all defense contracts contained DFARS clause 252.204-7012.

As of July 2017, 93% of Navy contracts, 83% of Air Force contracts, and 72% of Army contracts had the clause, with a goal of 100%.

Source: Defense Procurement and Acquisition Policy

Based on non-attributable statistical data we have collected through our DFARS 7012 compliance services, we have assembled a quick view of some metrics describing the state of compliance as of 1 August 2017:

  • Of the initial gap assessments Sera-Brynn has performed, the average compliance score against NIST 800-171 controls at the beginning of the engagement was only 46%.
  • Of initial gap assessments, 95% were not compliant with the requirements for multi-factor authentication.
  • 73% did not have a properly configured tool for audit log reduction and correlation.
  • 66% did not have a System Security Plan (SSP), which the DoD CIO has noted is a key requirement and a control in NIST 800-171.
  • 96% did not have a written Plan of Action and Milestones identifying tasks to complete and assigning a role or timeline, another key requirement and a control in NIST 800-171.

Sera-Brynn advises clients on compliance and works with each client to create an SSP and a Plan of Action and Milestones (POA&M). Of those clients for whom a POA&M was created:

  • 55% of tasks that needed to be completed were assigned a minimum lead time of 60 days. Approximately 15% of tasks were expected to take 180 or more days.
  • 26% of controls may be met with policy or process.
  • The remainder require a combination of proper configuration, software, and hardware.

The applicability of the compliance requirements found in DFARS 7012 will be expanded beyond the DoD to all federal contracting companies via a FAR clause in 2018.

If you’d like to learn more about Governance, Risk & Compliance (GRC) trends, this Cybersecurity Ventures report provides statistics, best practices, and resources for C-suite executives, CIOs, chief information security officers (CISOs), and IT security teams.