Complying with DFARS 252.204-7012 & Controlled Unclassified Information (CUI) Mandates

The DoD isn’t conducting full CUI audits as of this date, but that doesn’t mean that government contractors are free to ignore the mandate. Currently, DoD government contractors attest their compliance to DFARS 252.204-7012 and NIST SP 800-171 Rev. 1 when bidding for a DoD Government contract. In lieu of a full audit, the Defense Contract Management Agency (DCMA) does have a significant role in providing oversight into government contractor attestations. According to DoD:

  • DCMA will verify that System Security Plan (SSP) and any associate contractor plans of action are in-place
  • If a potential cybersecurity compliance issue is detected – DCMA notify the contractor, DoD program office, and the DoD CIO
  • During the normal Contract Receipt and Review process – DCMA will verify that applicable cybersecurity clauses are in the contract
  • DCMA will verify that the contractor possesses medium assurance certificate as required to report cyber incidents
  • As may be required – DCMA will facilitate the entry of government external assessment team into a contractor facilities via coordination with the cognizant government and contractor stakeholders

The NIST SP 800-171 Rev 1 requirements consist of 110 controls that may be met with policy, process, and configurations to secure information technology. Note, there are alternatives to be considered in satisfying the requirements. Some may be met with policy and process implementations, which are low-cost solutions. Others may require the purchase or outsourcing of security related services, hardware or software. In still other cases, you may choose to define new business processes that completely segregate and secure CUI from unauthorized users.

To begin the steps to compliance, your organization must assess its standing with regard to full compliance. This initial assessment can be undertaken internally or with external consulting resources.

NIST SP 800-171 Rev 1 requires the development of a Plan of Action and Milestones (POAM) and a Systems Security Plan (SSP). These documents result from a contractor’s system security assessment. (links to free templates below)

The POAM documents gaps and needed remediations to bring systems to full compliance.

The SSP documents your organization’s security posture and how your organization is complying with the CUI requirements. The SSP should document:

  • How the requirements are met or how organizations plan to meet requirements
  • Situations where a requirement cannot practically be applied (non-applicable)
  • DoD CIO approved alternative but equally effective security measures
  • Exception to accommodate special circumstances (e.g., CNC machines and/or shop floor machines)
  • Individual, isolated, or temporary deficiencies addressed by assessing risk and applying mitigations.

Note: The SSP may be requested by the requiring activity and considered as an element of source selection.

There are no secrets to compliance, and we maintain that an open process is the best way to build trust and confidence.

Zofia Consulting, LLC coaches clients through the development of an SSP and help identify/track corrective activities in a POAM system. Zofia also assists in prioritizing efforts for effective use of resources.  Zofia Consulting, LLC can advise on policies, budgets, and business processes that work to reduce risk and keep your compliance program running smoothly. We stand with our clients to ensure they know how to keep their organization running smoothly and confidently in compliance.


The Department of Homeland Security (DHS) has developed a Cyber Security Evaluation Tool (CSET) that is available at no cost and can be downloaded at: CSET consist of 298 questions and will help to produce an overall assessment of compliance.

 NIST released an updated final public draft of SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information. NIST also released example templates for an SSP and a POAM. An organization can use these templates or any others that provide the necessary compliance information.

NIST MEP Cybersecurity Self-Assessment Handbook For Assessing NIST SP 800-171 Security Requirements in Response to DFARS Cybersecurity Requirements


Contact us!  Zofia Consulting is ready to assist you in meeting the security and compliance needs today and in the future through our many support programs that can be tailored just for you.

Mark Tanner is a senior advisor for Zofia Consulting and a senior executive with a wide range of experience in law enforcement, intelligence, and business. As a Special Agent of the Federal Bureau of Investigation (FBI) he led criminal and counterterrorism programs, including Southwest Border Initiatives in Arizona and the Foreign Terrorist Tracking Task Force (FTTTF) established after 9/11. He established FBI’s Office of the Chief Information Officer (CIO) while serving as the deputy CIO where he was responsible for enterprise architecture and was the accrediting authority for FBI systems. Following a 23-year career with the FBI has held director and executive level positions in small, medium, and large companies.

Mark manages security related areas such as continuity of operations and information security, including audits and compliance with NIST Special Publications 800-53 security and privacy controls, as well as SP800-171 for Controlled Unclassified Information (CUI). He also serves as Co-Chair of the FBI’s InfraGard, Cyber Security Special Interest Group (Cyber SIG) for the National Capital Region Members Alliance.

Mark Tanner holds an accounting degree from East Carolina University and is a Certified Protection Professional (CPP). Federal Computer Week magazine recognized and highlighted Mr. Tanner as one of the ten “new IT leaders” in the federal government, and he was a finalist for the Citigroup Smith Barney CIO of the Year Award. 

You can contact Mark directly at

Additional CUI and DFARS links of Interest:

  • DoD’s Frequently Asked Questions (FAQs) dated Jan. 27, 2017 – Implementation of DFARS Case 2013-D018, Network Penetration Reporting and Contracting for Cloud Services, available here;
  • DoD’s Procurement Toolbox Cybersecurity Resources, available here;
  • The National Archives Controlled Unclassified Information Registry – Categories and Subcategories, available here

Creative Commons License
This work by Zofia Consulting, LLC is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.