Zofia Buzz



If you are a Department of Defense (DoD) Government Contractor, or a sub-contractor to a Government Contractor, and are required to comply with the NIST SP800-171 regulations supporting DoD Controlled Unclassified Information (CUI) (or Covered Defense Information (CDI [1])), the deadline for compliance is December 31, 2017. (The full set of NIST SP800-171 security controls is imposed on Department of Defense contractors in Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012.)

The new statutory changes have been in the works for several years and should not come as a surprise. However, the new requirements and deadline have caught many government contractors and academic institutions unaware, leaving many to make hard choices: comply, and at what cost; or don’t comply and risk losing contracts/funding and potential new business. Many other contractors have elected to no longer hold CUI information (where possible), or to stop contracting where CUI compliance is necessary.

Many security professionals are supportive of the NIST SP800-171 guideline compliance requirement. They believe it will not only add protection for sensitive CUI information but, if taken seriously and implemented properly, compliance with the 14 areas and 114 controls will also provide additional protection for all organizational assets, and thus some “due diligence” or “due care” defense in the event of a compromise.

NIST recently released the DRAFT NIST SP800-171A – Assessing Security Requirements for Controlled Unclassified Information for public comment. That comment period closes January 15, 2018, and our guess is that some minor changes are in the making. If you are covered by the new requirements, your organization needs to review the DRAFT NIST SP 800-171A – Assessing Security Requirements for Controlled Unclassified Information.

While contractors have had several years to build up to these security controls and the government has issued extensions to help extend the compliance deadlines, we are now at the starting gate for compliance reviews, self-attestation and audits. Are you ready?



Here at Zofia Consulting, we have worked with many small to mid-sized contract companies who ultimately decide to “go it alone,” using in-house resources to drive compliance. Going it alone is a difficult and risky choice. While this may be a decision based on available resources, without compliance expertise it could well lead to disaster. Your organization will have to attest to compliance with documented artifacts. Consider your organizational liability for getting it wrong and/or attempting to shortcut the regulations, thinking “it is good enough.” We always recommend a third-party review – even if you “go it alone” – just to give you the assurance you need for signing those government contracts.


Maybe your organization can do a lot of the work, but there are still questions to be answered. Perhaps you are going through some lifecycle upgrades and want to make sure your choices will keep you in compliance. Or perhaps you have other compliance standards (ITAR, the ISO 27000 series, RMF and more) and are unsure how these all work together. Leveraging our Virtual CISO program, we assist our clients in their CUI/CDI compliance assessment to help determine any “gaps” to compliance, check for potentially conflicting standards, and then work to implement the security controls. We coach clients through the development of a System Security Plan that they help to create, tracking gap corrective activities in a Plan of Action and Milestones (POAM) system and prioritizing their effort for effective use of resources. We can advise on policies, budgets, and business processes that keep your compliance program running smoothly. We stand with our clients to ensure they know how to keep their organization running smoothly and confidently in compliance.


Not every organization has the time or knowledge to assess, determine gaps, remediate systems, and develop policies and processes to achieve compliance. These organizations opt to have a full outside assessment and review, and then want continued direction and guidance for remediation – either as needed or by specified control area. We help your organization with developing budgets and roadmaps surrounding government contract compliance and any other new initiatives. If this describes your organization, don’t worry: our consultants are industry leaders in information security and compliance, and we have you covered. We know you can’t do it all – that is why we are here.

Still making decisions in this last hour? Contact us! Zofia Consulting is ready to assist you in meeting the security and compliance needs today and in the future through our many support programs that can be tailored just for you.

20 DEC 2017


Charles L. (Chuck) McGann, Jr., is a nationally recognized information security professional and senior advisor to Zofia Consulting. Chuck leads the Virtual CISO™ Program at Zofia Consulting and focuses on small to mid-sized organizations, providing guidance in solidifying cybersecurity programs and compliance requirements. Chuck’s broad range of experience, from policy and procedure creation and review through incident response and threat mitigation, ensures companies are prepared to handle any variety of cybersecurity challenges.

Chuck is the former Corporate Information Security Officer (CISO) for the United States Postal Service (USPS). In this capacity, he secured one of the largest intranets maintained by any organization in the world, with over 200,000 workstations, over 45,000 retail terminals, more than 16,000 servers and over 220,000 Mobile Delivery Devices. The USPS infrastructure encompasses over 600 business applications that support all aspects of business operations as well as the movement of the mail.

In his 28 years with the Postal Service, Chuck held numerous positions, including: Manager, Information Systems; Acting Postmaster; Business Systems Analyst; Business Project Leader; Distributed Systems Security Specialist; Manager, Information Security; and Incident Response Team Manager.

Over his distinguished career he has received numerous awards and recognition. He belongs to various national, regional, and local organizations such as the Government Technology Research Alliances’ group, FBI InfraGard, the National Security Agency (NSA), and the Information System Audit and Control Association (ISACA), to name a few.

[1] Covered defense information (CDI) means unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry at http://www.archives.gov/cui/registry/category-list.html, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies, and is –
(1) Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or
(2) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.

This work by Zofia Consulting, LLC is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.