Complying with DFARS 252.204-7012 & Controlled Unclassified Information (CUI) Mandates

The DoD isn’t conducting full CUI audits as of this date, but that doesn’t mean that government contractors are free to ignore the mandate. Currently, DoD government contractors attest to their compliance with DFARS 252.204-7012 and NIST SP 800-171 Rev. 1 when bidding for a DoD Government contract. In lieu of a full audit, the Defense Contract Management Agency (DCMA) does have a significant role in providing oversight of government contractor attestations. According to DoD:

  • DCMA will verify that the System Security Plan (SSP) and any associated contractor plans of action are in place
  • If a potential cybersecurity compliance issue is detected – DCMA will notify the contractor, DoD program office, and the DoD CIO
  • During the normal Contract Receipt and Review process – DCMA will verify that applicable cybersecurity clauses are in the contract
  • DCMA will verify that the contractor possesses a medium assurance certificate as required to report cyber incidents
  • As may be required – DCMA will facilitate the entry of a government external assessment team into contractor facilities via coordination with the cognizant government and contractor stakeholders

The NIST SP 800-171 Rev 1 requirements consist of 110 controls that may be met with policy, process, and configurations to secure information technology. Note, there are alternatives to be considered in satisfying the requirements. Some may be met with policy and process implementations, which are low-cost solutions. Others may require the purchase or outsourcing of security related services, hardware or software. In still other cases, you may choose to define new business processes that completely segregate and secure CUI from unauthorized users.

To begin the steps to compliance, your organization must assess its standing with regard to full compliance. This initial assessment can be undertaken internally or with external consulting resources.

NIST SP 800-171 Rev 1 requires the development of a Plan of Action and Milestones (POAM) and a Systems Security Plan (SSP). These documents result from a contractor’s system security assessment. (links to free templates below)

The POAM documents gaps and needed remediations to bring systems to full compliance.

The SSP documents your organization’s security posture and how your organization is complying with the CUI requirements. The SSP should document:

  • How the requirements are met or how organizations plan to meet requirements
  • Situations where a requirement cannot practically be applied (non-applicable)
  • DoD CIO approved alternative but equally effective security measures
  • Exception to accommodate special circumstances (e.g., CNC machines and/or shop floor machines)
  • Individual, isolated, or temporary deficiencies addressed by assessing risk and applying mitigations.

Note: The SSP may be requested by the requiring activity and considered as an element of source selection.

There are no secrets to compliance, and we maintain that an open process is the best way to build trust and confidence.

Zofia Consulting, LLC coaches clients through the development of an SSP and helps identify and track corrective activities in a POAM system. Zofia also assists in prioritizing efforts for effective use of resources. Zofia Consulting, LLC can advise on policies, budgets, and business processes that work to reduce risk and keep your compliance program running smoothly. We stand with our clients to ensure they know how to keep their organization running smoothly and confidently in compliance.


The Department of Homeland Security (DHS) has developed a Cyber Security Evaluation Tool (CSET) that is available to download at no cost. CSET consists of 298 questions and will help to produce an overall assessment of compliance.

NIST released an updated final public draft of SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information. NIST also released example templates for an SSP and a POAM. An organization can use these templates or any others that provide the necessary compliance information.

NIST MEP Cybersecurity Self-Assessment Handbook For Assessing NIST SP 800-171 Security Requirements in Response to DFARS Cybersecurity Requirements


Contact us!  Zofia Consulting is ready to assist you in meeting the security and compliance needs today and in the future through our many support programs that can be tailored just for you.

Mark Tanner is a senior advisor for Zofia Consulting and a senior executive with a wide range of experience in law enforcement, intelligence, and business. As a Special Agent of the Federal Bureau of Investigation (FBI), he led criminal and counterterrorism programs, including Southwest Border Initiatives in Arizona and the Foreign Terrorist Tracking Task Force (FTTTF) established after 9/11. He established the FBI’s Office of the Chief Information Officer (CIO) while serving as the deputy CIO, where he was responsible for enterprise architecture and was the accrediting authority for FBI systems. Following a 23-year career with the FBI, he has held director and executive level positions in small, medium, and large companies.

Mark manages security related areas such as continuity of operations and information security, including audits and compliance with NIST Special Publications 800-53 security and privacy controls, as well as SP800-171 for Controlled Unclassified Information (CUI). He also serves as Co-Chair of the FBI’s InfraGard, Cyber Security Special Interest Group (Cyber SIG) for the National Capital Region Members Alliance.

Mark Tanner holds an accounting degree from East Carolina University and is a Certified Protection Professional (CPP). Federal Computer Week magazine recognized and highlighted Mr. Tanner as one of the ten “new IT leaders” in the federal government, and he was a finalist for the Citigroup Smith Barney CIO of the Year Award. 

You can contact Mark directly at

Additional CUI and DFARS Links of Interest:

  • DoD’s Frequently Asked Questions (FAQs) dated Jan. 27, 2017 – Implementation of DFARS Case 2013-D018, Network Penetration Reporting and Contracting for Cloud Services, available here;
  • DoD’s Procurement Toolbox Cybersecurity Resources, available here;
  • The National Archives Controlled Unclassified Information Registry – Categories and Subcategories, available here

Creative Commons License
This work by Zofia Consulting, LLC is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.

What is a Virtual CISO?

What is a Zofia Consulting Virtual CISO?

Put in more common terms – A “Virtual Chief Information Security Officer” (VCISO) is similar to “CISO as a Service.”  With the VCISO, businesses contract for a specified person (assuming that is the offering.) “CISO as a Service” is a service where an organization might get any number of people to satisfy requirements and tasks. In practice, many companies offer hybrids of the two services.

Our Virtual CISOs are available on an “as-needed” or contracted hours basis and responsible for providing Cybersecurity or overall security support for the organization. These responsibilities can be as simple as validating existing policies, procedures, controls, responding to audit findings and developing a cybersecurity roadmap for a specific company.

The Needs for a Virtual CISO

There are multiple reasons why a company may decide to use a Virtual CISO:

  • EXPENSE. Small- to Mid-sized organizations may not be in a financial position to allocate a high level of resources to a full-time CISO or Chief Security Officer position, or they may have outsourced computing technology resulting in a less-robust need for a full-time person.
  • TRAINING. Zofia Consulting VCISOs assist companies that might have a CISO who is under-trained or over-tasked. In that case, Zofia Consulting VCISOs can operate as coaches and/or force multipliers, saving corporate costs and reducing risk.
  • GAPS. Zofia Consulting VCISOs can assist companies experiencing a vacancy in a full-time position while the selection process is being worked and candidates are being vetted. Companies may also want to consider using a VCISO to support the technology assessment portion of a selection process. Having an experienced CISO work with your organization on a short-term basis could optimize your selection process time and increase the likelihood of selecting a valuable long-term employee.
  • COMPLIANCE. Zofia Consulting VCISOs can provide an objective assessment of your current situation or perform the duties of a CISO, either on an interim basis or as needed based on regulations (some states are starting or considering requiring a named CISO in specific industries), to support the overall desire to strengthen the protection of organizational assets. Organizations also may experience confusion or anxiety when trying to comply with a myriad of new compliance schemes (ISO 27001, GDPR, NIST SP800-53 or SP800-171, RMF, PCI, HIPAA, ITAR, and many more).
  • EMERGENCY. It happens. An unexpected breach or other incident can create chaos and threaten an organization. This is a time for “all hands on deck,” but some organizations find out they lack the skillsets to recover smartly and address the technical and regulatory requirements. Zofia Consulting VCISOs come to your aid quickly and work with your general counsel, incident response team (if available), acquisition support, and IT team to get your organization quickly, safely and legally back up to speed in full operations. Our VCISOs will also help prepare communications to the C-Suite and shareholders to shore up confidence in an organization’s ability to recover smartly.

Why Zofia Consulting

The multiple benefits of a Zofia Consulting VCISO come from the experience they bring to your organization through many years of real on-the-ground work experience – most have worked their way up through technology, business or the security discipline. Zofia Consulting VCISOs also carry certifications to indicate a level of knowledge obtained and validated by accrediting organizations.

Zofia Consulting VCISOs have a demonstrated wealth of experience (often in multiple disciplines) and it’s important to request one with experience in an area where your organization has an identified weakness. It might be in policy development or education and awareness, audit response, risk management or threat detection capability.

If an organization isn’t sure what capabilities they need, Zofia Consulting can perform an overall health assessment and identify areas that are strong and other areas that may require professional attention.

Zofia Consulting has a staff of experienced CISOs with a broad range of experience in multiple environments able to support your cybersecurity needs with our Virtual Chief Information Security Officer service, whether it is a monthly retainer, single engagement or staff augmentation. Learn more on our Virtual CISO page. To request VCISO support for your organization, please contact us.



Charles L. (Chuck) McGann, Jr., is a nationally recognized information security professional and senior advisor to Zofia Consulting. Chuck leads the Virtual CISO™ Program at Zofia Consulting and focuses on small to mid-sized organizations, providing guidance in solidifying Cybersecurity programs and compliance requirements. Chuck’s broad range of experience, from Policy and Procedures creation and review through Incident Response and Threat Mitigation, ensures companies are prepared to handle any variety of cybersecurity challenges.

Chuck is the former Corporate Information Security Officer (CISO) for the United States Postal Service (USPS). In this capacity, he secured one of the largest maintained intranets by any organization in the world, with over 200,000 workstations; over 45,000 retail terminals; more than 16,000 servers and over 220,000 Mobile Delivery Devices. The USPS infrastructure encompasses over 600 business applications that support all aspects of business operations as well as movement of the mail.

In his 28 years with the Postal Service, Chuck held numerous positions, including: Manager, Information Systems; Acting Postmaster; Business Systems Analyst; Business Project Leader; Distributed Systems Security Specialist; Manager, Information Security; and Incident Response Team Manager.

Over his distinguished career, he has received numerous awards and recognition. He belongs to various national, regional, and local organizations such as the Government Technology Research Alliances’ group, FBI InfraGard, National Security Agency (NSA), and Information System Audit and Control Association (ISACA), to name a few.
