Upping the Cyber Oversight Ante: DoD Deploys DCMA to Audit Contractor Supply Chain Compliance

Client Alert | 1 min read | 01.28.19

The Defense Department has unveiled plans to audit contractors’ supply chain compliance with the DFARS Safeguarding Clause 252.204-7012. Under the auspices of 252.244-7001, Contractor Purchasing System Administration, Under Secretary of Defense Ellen Lord has directed the Defense Contract Management Agency (DCMA) to review contractors’ purchasing systems with the intent of verifying compliance with the Safeguarding Clause’s flowdown requirements. Notably though, the scope of DCMA’s review appears broader than the Clause’s textual requirements. Specifically, DCMA will review contractor procedures to:

Ensure that Tier 1 Level Suppliers are receiving properly marked Covered Defense Information (CDI), or instructions on how to do so; and
“Assess compliance” of Tier 1 Level Suppliers with both the Clause and NIST SP 800-171.

The memorandum is the latest signal from the DoD that it views the Safeguarding Clause’s flowdown requirements as more than a check-the-box exercise and an increasingly important piece of its overall cybersecurity.

Contacts

Evan D. Wolff
Partner
He/Him/His
- Washington, D.C.
  - D | +1.202.624.2615
ewolff@crowell.com
Maida Oringher Lerner
Senior Counsel
She/Her/Hers
- Washington, D.C.
  - D | +1.202.624.2596
mlerner@crowell.com
Nicole Owren-Wiest
Partner
She/Her/Hers
- Washington, D.C.
  - D | +1.202.624.2863
nowrenwiest@crowell.com
Michael G. Gruden
Partner
- Washington, D.C.
  - D | +1.202.624.2545
mgruden@crowell.com

Insights

Client Alert | 6 min read | 04.18.25

Ready To Know Your Data? DOJ Issues Implementation and Enforcement Guidance for Data Security Program Protecting Bulk Sensitive Data

On April 11, 2025, the U.S. Department of Justice (DOJ) issued guidance regarding the implementation and enforcement of the newly enacted final rule,
“Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons,” now referred to as the Data
Security Program (DSP). The release included an Implementation and Enforcement Policy, a Compliance Guide, and Frequently Asked Questions (FAQs).
Collectively, these documents are designed to help entities subject to the DSP understand and comply with the obligations set out under the Final Rule....

Client Alert | 2 min read | 04.18.25
Trump Executive Order Calls for Substantial FAR Reform
Client Alert | 2 min read | 04.17.25
Will the Supreme Court Address Whether the Ninth Circuit’s Server Test Comports With the Display Right Accorded Copyright Owners?
Client Alert | 5 min read | 04.15.25
Is Section 230 Going to Change? The FTC, DOJ and FCC Signal Significant Change for Online Businesses

View All Insights