The last day of 2017 marked the deadline for meeting a requirement that certain U.S. Department of Defense contractors and subcontractors provide “adequate security” for defense information on covered contractor information systems. Pursuant to a final rule amending the Defense Federal Acquisition Regulation Supplement: Network Penetration Reporting and Contracting for Cloud Services, the DOD gave contractors until December 31, 2017 to implement those security requirements. The Cybersecurity Law Report takes a closer look at the requirements and at what happens if a contractor does not fully comply. We also examine other efforts to expand these security requirements beyond certain DOD contractors and subcontractors. See also “NIST Program Manager Explains Pending Changes to Its Cybersecurity Framework” (Jan. 17, 2018).