The Defense Contract Management Agency has revised its Contractor Purchasing System Review Guidebook to incorporate new standards its auditors will use to assess contractor supply chain management under DFARS.
Contractors are now required to “validate” that their subcontractors have information systems “that can receive and protect” Covered Defense Information and to “determine” whether subcontractor systems are “acceptable.” Contractors must also demonstrate:
- How CDI is properly marked and securely transferred to subcontractors;
- How they manage and document subcontractor notifications regarding requests to vary from the NIST requirements and the submission of cyber incident reports.
These requirements only apply where the subcontractor will be utilized for operationally critical support or performing duties that involve CDI.