Suppliers will need to show documentation of their own contractor relationships.
While the defense industry is still recovering from the recent shutdown, the Under Secretary of Defense released a new memorandum requesting that the Defense Contract Management Agency (DCMA) validate contractor compliance in several key areas.
Leveraging the criteria outlined in DFARS 252.244-7001, DCMA will commence reviews of contractors in the following ways:
Reviewing DFARS 252.204-7012 (Paragraph M) Flow Down to Suppliers.
Many contractors are unaware that strict guidelines must be followed when redistributing covered defense information (CDI) to their own supply chain. As a whole, much of the defense industrial base is guilty of sending CDI to suppliers without appropriate document control, continuation of DFARS 252.204-7012 (in both solicitations and awards), and tracking compliance responses from those same suppliers.
Leveraging the review methodology (i.e., reviews of the Contractor Purchasing System Administration) already practiced by DCMA, acquisition officers will begin assessing each prime’s management of their suppliers. This will likely be accomplished through the use of a new contract data requirement (or CDRL), introduced in November as part of updates to DoD PGI 204.73. This CDRL, titled “Contractor’s Record of Tier 1 Level Suppliers Receiving/Developing Covered Defense Information,” will require prime contractors to return a list of the suppliers used on a contract, along with copies of each supplier’s system security plan (SSP) and plans of action (PoAM).
Any contractor who cannot provide DCMA with a list of the suppliers who received CDI (or copies of their SSP and PoAM) on a particular contract would, of course, be in violation of DFARS 252.204-7012.
Reviewing Contractors’ Procedures for Compliance Assessments of Their Suppliers.
A critical component of PGI 204.73 (and its new CDRLs) is a standardized format (or Data Item Description) for use by DCMA. Under this format, DCMA can measure a contractor’s management of their suppliers against the following metrics:
- Whether or not the contractor flowed down DFARS 252.204-7012 to their suppliers (whenever CDI was redistributed).
- Whether or not the contractor defined any security requirements other than those outlined in NIST SP 800-171. An example of this would be recent Exostar Questionnaires (used by many prime contractors) which ask suppliers to measure themselves against the Center for Internet Security (CIS) Critical Security Controls (in addition to complying with NIST SP 800-171). If meeting these ancillary requirements were mandated by a prime in order to participate in a contract, DCMA would need to be notified of these added requirements for that contract.
- Whether the Tier 1 Level Suppliers used by the prime have conducted (or will conduct) a self-assessment in accordance with NIST’s assessment guide for SP 800-171 (NIST SP 800-171-A). If prime contractors do not have documentation of this commitment by their suppliers, this would constitute a failure to meet CDRL requirements.
If the documentation and supply chain management metrics listed by PGI 204.73 are not daunting enough, contractors should also be aware of a critical mechanism found in this new CDRL. The final content requirement for “Record of Tier 1 Level Suppliers Receiving/Developing Covered Defense Information” contains the following:
- List of Supplier’s Tier 1 Level Suppliers receiving and/or developing covered defense information.
You did not read that incorrectly. This is a requirement for the Tier 1 supplier of the prime contractor to maintain a list of their own supplier’s suppliers (representing a Tier 2 Level Supplier to the prime contractor). This means that, as long as this CDRL flows down to suppliers (in concert with DFARS 252.204-7012), prime contractors (and DCMA) will be able to track the flow of CDI through multiple tiers of the supply chain.
This memo represents the DoD’s grand strategy for ensuring compliance at the prime contractor level, requiring that primes manage subsequent relationships in a detailed and accurate fashion. Once DCMA begins leveraging DFARS 252.244-7001 to enforce DFARS 252.204-7012, market consolidation (and the reduction of eligible suppliers) will become a reality for much of the defense industrial base.