DoD requirements

How to Meet New DoD Requirements for Managing Suppliers’ NIST 800-171 Compliance

Updates to the DoD’s PGI 204.73 reveal new documentation requirements, which are expected to be included in future contracts. These requirements (called Contract Data Requirement Lists, or CDRL’s) are a way for acquisition officers within the DoD to standardize the responses they receive from contractors.

Here’s how it works: an acquisition officer chooses to include a CDRL in section J of their contract solicitation or contract award:

The included CDRL will dictate a specific format and/or content requirements for your response. This format is called a Data Item Description (or DID).


In this case, the newly drafted DID (titled ‘Contractor’s Record of Tier 1 Level Suppliers Receiving/Developing Covered Defense Information’) requires the following content:

  • A Cover Page with the following information:
    • A standardized title (i.e., [Name of Contractor] Record of Tier 1 Level Suppliers Receiving/Developing Covered Defense Information)
    • Your DUNS Number and CAGE Code Number
    • The government contract numbers that you are involved in
  • Tier 1 Level Supplier Information (i.e. your suppliers, who receive subcontracts from you)
    • Supplier Name
    • Supplier contract/agreement number (if available)
    • Supplier Point of Contact: name, email, and phone number
    • Supplier contract/agreement contains or will contain substance of DFARS Clause 252.204-7012 Clause: Y/N
    • Supplier agreement/contract contains or will contain cyber security measures/requirements other than those identified in DFARS Clause 252.204-7012 and NIST SP 800-171: Y/N
    • Contractor’s Data Universal Numbering Systems (DUNS) and Commercial and Government Entity Code (CAGE) Numbers:
    • Supplier has conducted or will conduct a self-assessment in accordance with NIST SP 800-171A: Y/N
    • Supplier System Security Plan and Associated Plans of Action in accordance with NIST SP 800-171 Rev 1 Security Requirement 3.12.4 and 3.12.2.
    • List of Supplier’s Tier 1 Level Suppliers receiving and/or developing covered defense information.

What Does This All Mean?

The new contract data requirements list (CDRL) carries significant implications, both for direct recipients of DoD contracts (often called “prime” contractors) and for subcontractors of those direct recipients. By including this single requirement in section J of a solicitation or contract award, an acquisition officer will have full documentation of the following:

  • All of your Tier 1 Level Suppliers who receive covered defense information (CDI). For most DoD prime contractors: this represents an unprecedented amount of insight into their supply chain.
    • If you are a subcontractor: this may be the first time DoD knows who you are.
  • All of your Tier 2 Level Suppliers who receive CDI. This CDRL (tentatively titled DID-MGMT-XXXXX) is structured continue the trail of documentation (through as many supply chain tiers as necessary) until all entities who receive CDI have been identified (see section 2.3 on pages 13-14 of the DID draft).
  • Your System Security Plans and Plans of Action. See ‘CDRL – Request Contractor’s System Security Plan and Any Associated Plans of Action for Contractor’s Internal Information System’ and Data Item Description DI-MGMT-82247 for DoD’s new requirements for a standardized system security plan.

The result of these guidance enhancements is clear. The DoD will better understand the supply chain associated with each of its contracts. They will also be able to map the flow of CDI through that same supply chain, for compliance enforcement and cyber damage assessments. Additionally, these newly introduced CDRL’s and DID’s provide DoD with a standardized format and content for System Security Plans, allowing for the application of the NIST SP 800-171A assessment guide to contractors’ security documentation.

Next Steps for Contractors

DoD contractors should become familiar with the required format and content of the new DID’s for their System Security Plans, and make adjustments to their original format as needed.

Contractors should also establish a format for documenting their status as a Tier 1 Level supplier to any prime contractors they work with.

Finally, contractors should develop a method for gathering Tier 1 Level supplier information from each of their own suppliers expected to receive covered defense information as part of future contracts.