Last Minute MFA Options for DFARS Compliance

With Labor Day being on Monday, the end of summer is here. As the end of this season approaches, so does the compliance deadline for implementing multi-factor authentication controls for Department of Defense (DOD) contractors. As of the publishing date of this blog, there are only 123 days left to comply with NIST SP 800-171 security controls to meet the eligibility for defense contracts. When factoring in implementation time, weekends, and holidays, only 90 days are left.

Contract Eligibility and NIST SP 800-171

To ensure important government information stays secure, even when it is not being processed in a government system, DOD implemented a contract clause stating that all vendors doing business with DOD must have adequate security controls to even participate in the contracting process. These security controls, outlined in NIST SP 800-17 focus on Controlled Unclassified Information (CUI) and serve to provide consistency between the different corporations and to make sure the information is still staying secure.

Focus on multi-factor authentication

One of the founding security controls of NIST SP 800-17 is enforcing strong authentication. This is because the most devastating hacks have been due to insecure authentication techniques that allowed unauthorized users full control of an entire infrastructure because they simply guessed a password. The new MFA controls focus on eliminating this threat by enforcing controls that focus on:

  • Knowing exactly who is trying to gain access
  • Assure/certify the person is not able to get more information than they are privileged to
  • Track actions within the system by privileged users

Multi-factor authentication is a necessity in order to meet the requirements. This can be done with cryptographic software, smart cards, hardware tokens, email encryption and PKI’s. The best way to manage all of this is with a Credential Management System (CMS). You can track and issue credentials and it's all in one easy to use system.

What happens if I don’t comply?

If your organization does not comply, any existing contract becomes out of compliance resulting in a breach which consequently will disrupt payment. For new contracts, your organization will not meet the eligibility requirements to even submit a bid.  In other words, your ability to transact with the DOD is eliminated. Therefore, it is in your company’s best interest to comply so you can continue bidding for government contracts.

Last minute MFA options for compliance

Recognizing time is running out, we wanted to share some last minute options to help you reach compliance as soon as possible. We strongly support the use of PIV-C to meet your MFA needs because of its interoperability and scalability properties. As such, below are the options to help you get a PIV-C MFA card fast.

  • Use a cloud service: Various companies provide services that can quickly issue a PIV-C based token within hours.  Please contact us at and we can provide a list of recommended vendors.
  • Install a PIV-C turnkey system: For enterprises desiring a long term approach, they can install on premise system that is fully customizable and scalable for their needs. This system is completely turnkey, contains all of the software, smart cards, hardware tokens, digital certificates and can be installed in 2-3 days. Once installed, you can track and issue credentials and it's all in one easy to use system.
  • Do it yourself PIV-C: If you just want to issue a smart card based MFA token ASAP, you can manually load a certificate using HID ActivClient and the Crescendo 144K card. This approach can enable compliance within hours.

Click here to learn more reasons to use PIV-C to comply

Benefits of NIST SP 800-171 Compliance

Of course, change always presents challenges to any organization..especially when it comes to implementing new security controls. However, given the insecure nature of today’s computing infrastructure, NIST SP 800-171 will provide dramatic business and security dividends. For example:

  • You can save money by consolidating your MFA issuance infrastructure.
  • You will have peace of mind, knowing that your company is secure from hackers
  • You can see what is going on behind the scenes. By being up to these standards, you are creating digital fingerprint.
  • You will be able to see who is logged in and at what time the login occurred. This will allow you to verify if it is the person that is supposed to be logging in or not.
  • This can save you money in the long run, by not having to pay costs that come associated with being hacked.
  • You will also be able to save money by implementing a BYOD policy at your office. This could also increase employee happiness and productivity.
  • The whole system is simple to use, yet secure.


Overall, the NIST SP 800-171 security controls were designed with the American people’s best interest in mind to ensure our defense information is kept secret. Without this protection in place consistently, our information remains at risk. We hope these options help you realize you can still become compliant within a few days.