Upping the Cyber Oversight Ante: DoD Deploys DCMA to Audit Contractor Supply Chain Compliance

Client Alert | 1 min read | 01.28.19

The Defense Department has unveiled plans to audit contractors’ supply chain compliance with the DFARS Safeguarding Clause 252.204-7012. Under the auspices of 252.244-7001, Contractor Purchasing System Administration, Under Secretary of Defense Ellen Lord has directed the Defense Contract Management Agency (DCMA) to review contractors’ purchasing systems with the intent of verifying compliance with the Safeguarding Clause’s flowdown requirements. Notably though, the scope of DCMA’s review appears broader than the Clause’s textual requirements. Specifically, DCMA will review contractor procedures to:

Ensure that Tier 1 Level Suppliers are receiving properly marked Covered Defense Information (CDI), or instructions on how to do so; and
“Assess compliance” of Tier 1 Level Suppliers with both the Clause and NIST SP 800-171.

The memorandum is the latest signal from the DoD that it views the Safeguarding Clause’s flowdown requirements as more than a check-the-box exercise and an increasingly important piece of its overall cybersecurity.

Contacts

Nicole Owren-Wiest
Partner
She/Her/Hers
- Washington, D.C.
  - D | +1.202.624.2863
bm93cmVud2llc3RAY3Jvd2VsbC5jb20=
Michael G. Gruden
Partner
- Washington, D.C.
  - D | +1.202.624.2545
bWdydWRlbkBjcm93ZWxsLmNvbQ==
Kate M. Growley
Partner, Crowell Global Advisors Senior Director
- Washington, D.C.
  - D | +1.202.624.2698
- Washington, D.C. (CGA)
  - D | +1 202.624.2500
a2dyb3dsZXlAY3Jvd2VsbC5jb20=

Insights

Client Alert | 7 min read | 12.17.25

CARB Proposes Regulations Implementing California GHG Emissions and Climate-Related Financial Risk Reporting Laws

After hosting a series of workshops and issuing multiple rounds of materials, including enforcement notices, checklists, templates, and other guidance, the California Air Resources Board (CARB) has proposed regulations to implement the Climate Corporate Data Accountability Act (SB 253) and the Climate-Related Financial Risk Act (SB 261) (both as amended by SB 219), which require large U.S.-based businesses operating in California to disclose greenhouse gas (GHG) emissions and climate-related risks. CARB also published a Notice of Public Hearing and an Initial Statement of Reasons along with the proposed regulations. While CARB’s final rules were statutorily required to be promulgated by July 1, 2025, these are still just proposals. CARB’s proposed rules largely track earlier guidance regarding how CARB intends to define compliance obligations, exemptions, and key deadlines, and establish fee programs to fund regulatory operations....

Client Alert | 1 min read | 12.17.25
CBCA’s FY 2025 Report – Examining the Numbers
Client Alert | 7 min read | 12.17.25
Executive Order Tries to Thwart “Onerous” AI State Regulation, Calls for National Framework
Client Alert | 4 min read | 12.17.25
The new EU Bioeconomy Strategy: a regulatory framework in transition

View All Insights