top of page

Axiotrop Blog

DIB Rulemaking Update (Q2)

The wheels of government may turn slowly, but they are turning and in the last few months we have a lot of movement to report concerning DIB primes and subcontractors.


First, last week the Department of Defense cleared up some potential confusion with the class deviation to DFARS 252.204-7012. This DFAR was updated to specifically require DIB contractors to meet “revision 2” of NIST SP 800-171. The previous DFAR wording stated that contractors must meet the version "in effect at the time the solicitation is issued or as authorized by the Contracting Officer."


That deviation was important because this week, NIST published the final versions of NIST SP 800-171 rev 3 and NIST SP 800-171A rev 3. These revision updates make material increases in the requirements. (More on these changes in a future blog post.)


At least for the time being, DIB suppliers know they must comply with NIST SP 800-171r2. This allows DIB suppliers time to scale up to the new requirements of revision 3.


Meanwhile, the CMMC 2.0 Proposed Rule is moving toward final publication this year. The word on the street is that DoD has already adjudicated all public comments and they want to get this completed before the November election to avoid additional red tape.


This will put more pressure on DIB contractors as primes will be driving suppliers to get their C3PAO assessments completed to maintain their DoD contracts. Subs who haven’t started their implementation of NIST SP 800-171r2 will be under the gun to keep their DIB contracts.


Companies that are already working on implementation will have an advantage with prime contractors who want to reduce their risk by selecting subcontractors that already have their cybersecurity program CMMC assessed.


If you haven’t made progress on your NIST SP 800-171r2 security program, the time to start is now. These implementations will take on average 12 to 24 months.


Schedule a free 15-minute consultation with our cybersecurity experts to answer your questions about starting your NIST SP 800-171r2 implementation.





AXIOTROP’s mission is to make cybersecurity accessible, attainable, and sustainable for small and medium-sized businesses so they remain competitive and poised for growth. We simplify cybersecurity by working closely with businesses to right-size their program for their needs, resulting in client retention, business expansion, and reduced risk.  


bottom of page