The prime contractor's procurement officer just sent you a questionnaire with 147 questions about your cybersecurity program. Half of them reference NIST SP 800-171 controls you've never heard of. The other half want documentation you're not sure exists. And buried in the contract flow-down requirements is a clause about software bill of materials that your engineering team doesn't know how to produce.
This is defense supply chain security in 2024. The Department of Defense has made it clear that cybersecurity requirements flow down to every tier of the supply chain, and prime contractors are enforcing these requirements with increasing rigor. If you're a subcontractor in the defense industrial base, you need to understand what's coming and prepare accordingly.
Why Primes Are Getting Aggressive About Sub Assessment
Prime contractors didn't wake up one day and decide to make life harder for their supply chain. They're responding to direct pressure from DoD and explicit contractual liability. When a sub gets breached and CUI is compromised, the prime is on the hook with the government customer. They're also facing increased scrutiny from DCSA and other oversight bodies that are specifically examining how well primes are managing supply chain risk.
The CMMC regulation, even in its current form, makes primes responsible for verifying that subs meet appropriate cybersecurity standards before contract award. But beyond CMMC, primes are dealing with DFARS 7012 breach reporting requirements, 7019 and 7020 contractual obligations, and a growing body of case law that holds them accountable for their supply chain's security failures.
In my experience working with both primes and subs, the assessment rigor has increased dramatically in the past 18 months. Primes that used to accept a simple attestation now want evidence. Those that wanted evidence now want third-party validation. And nearly all of them are implementing formal supplier cybersecurity risk management programs that include regular reassessment.
The Liability Question
Primes are writing flow-down clauses that explicitly transfer liability for cyber incidents to the sub where the incident occurred. These clauses include indemnification language, insurance requirements, and breach notification timelines that mirror what the prime owes to DoD. If you're signing contracts without legal review of the cyber liability provisions, you're accepting risk you might not be able to manage.
What's Actually Flowing Down to Subcontractors
The specific requirements depend on the contract and the data involved, but there's a common core that applies to most subs handling controlled unclassified information or operating in the defense industrial base:
DFARS 252.204-7012 is the most common flow-down. It requires safeguarding of covered defense information and rapid reporting of cyber incidents to DoD within 72 hours of discovery. This clause applies whether you're a Tier 1 or Tier 3 sub, and primes are required to include it, without alteration, in subcontracts where performance will involve covered defense information or operationally critical support.
NIST SP 800-171 compliance flows down through DFARS 7012, which currently points to Revision 2 of the standard. You need to implement all 110 security requirements (or document POA&Ms for those you haven't implemented yet). Primes increasingly want to see your System Security Plan, your POA&M, and the DoD Assessment Methodology worksheet behind the score you posted in SPRS. The pattern I see is that primes are no longer accepting "we're working on it" without detailed plans and timelines.
CMMC requirements are starting to flow down even before the regulation is finalized. Many primes are requiring subs to achieve Level 2 certification on timelines that align with the prime's own certification schedule. This creates a cascading effect where subs need to be certified before the prime can include them in their own CMMC boundary assessment.
Export control compliance for ITAR and EAR controlled technical data is standard in defense contracts. Primes want verification that your systems handling technical data are properly access-controlled and that your employees have appropriate export authorization or are U.S. persons for ITAR-controlled work.
What's notable is how these requirements interact. You can't satisfy DFARS 7012 without NIST 800-171 compliance. You can't achieve CMMC Level 2 without both. And all of it sits on top of basic export control compliance that's been required for decades but is now being enforced with actual verification.
How Primes Are Actually Auditing Suppliers
The audit approaches vary widely. At one end, you have primes that send a standardized questionnaire and accept attestation responses. At the other end, you have sophisticated supplier risk management programs that include on-site assessments, technical testing, and continuous monitoring requirements.
Most mid-size and larger primes have moved to a tiered approach based on risk. If you handle CUI, provide software components, or have access to the prime's networks, you're in the high-risk tier. That means more scrutiny, more frequent assessments, and higher expectations for evidence and validation.
The Assessment Process
The typical supplier cybersecurity assessment follows this pattern:
Pre-qualification questionnaire: This usually covers basic security controls, compliance status, insurance coverage, and incident history. Many primes start from the score you posted in SPRS, which is the result of a NIST SP 800-171 DoD Assessment Methodology self-assessment, and either set a minimum score or require that the posting be current.
Documentation review: For higher-risk suppliers, primes want to see actual security documentation. That means your System Security Plan, your incident response plan, your configuration management documentation, and your access control policies. Generic templates don't cut it—they're looking for documentation that reflects your actual implementation.
Technical validation: Some primes are now requiring technical evidence. This might include vulnerability scan results, penetration test reports, or configuration snapshots from your security tools. I've seen primes require quarterly vulnerability scan reports and annual third-party penetration tests as contract conditions.
On-site or virtual assessment: For critical suppliers or those with poor questionnaire results, primes are conducting actual assessments. These range from structured interviews with your IT and security staff to full CMMC-style assessments using C3PAO methodologies.
The reality is that many subs aren't prepared for this level of scrutiny. They have controls in place but lack documentation. They have documentation but it doesn't match reality. Or they have neither and are running on hope and outdated certifications.
The SBOM Expectation Is Real
Software Bill of Materials requirements are moving from theoretical to contractual. The executive order on cybersecurity, the Secure Software Development Framework from NIST, and specific DoD guidance have all emphasized SBOM as a fundamental component of software supply chain security. Primes are now including SBOM delivery requirements in software and system contracts.
If you're delivering software, firmware, or systems with embedded software to a prime, you should expect SBOM requirements in your next contract if they're not already in your current one. The question isn't whether SBOMs will be required, but whether you'll be ready when they are.
What SBOMs Actually Require
An SBOM is a comprehensive inventory of all components in your software. That includes open source libraries, commercial components, proprietary code, and dependencies, down through multiple layers. The minimum requirements usually follow the NTIA's 2021 minimum elements: supplier name, component name, version, other unique identifiers (a purl or CPE, for example), dependency relationships, the author of the SBOM data, and a timestamp for when it was generated.
The format matters. Most primes are asking for machine-readable SBOMs in standard formats like SPDX or CycloneDX. A spreadsheet or PDF doesn't meet the requirement—the SBOM needs to be structured data that can be ingested into automated tools for vulnerability tracking and license compliance.
The harder part is the process. You need to generate SBOMs as part of your build process, not as an afterthought when the contract requires one. That means integrating SBOM generation tools into your CI/CD pipeline, establishing processes for tracking third-party components, and maintaining accurate component inventories throughout the development lifecycle.
The Vulnerability Management Connection
SBOMs exist to enable vulnerability management. When a new CVE is published affecting a popular open source library, the prime needs to know whether that component is in the system you delivered. Without an SBOM, that requires extensive manual research or waiting for you to investigate and report back. With an SBOM, it's an automated query.
This means you're also going to face questions about your vulnerability remediation timelines, your patch management process, and your communication protocols when vulnerabilities are discovered in delivered systems. The SBOM requirement brings with it an ongoing obligation to support vulnerability management for the life of the delivered system.
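The two questions above, "does this SBOM carry the NTIA minimum elements?" and "is the component named in a new advisory at an affected version somewhere in what we shipped?", are answerable with a few dozen lines once the SBOM is structured data. The following is an added example, not code from the original article or from any SBOM tool it mentions; the CycloneDX 1.5 document, the product and library names, and the advisory version range are all constructed placeholders, and the version comparison is a deliberately simple dotted-integer compare rather than an ecosystem-aware one.

```python
"""Parse a CycloneDX JSON SBOM, check NTIA minimum elements, and answer
'is component X at an affected version in what we delivered?'.
Added example; every name, version and the advisory range are constructed."""
import json

# Constructed sample CycloneDX 1.5 SBOM (placeholder product and libraries).
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {
        "timestamp": "2024-06-01T12:00:00Z",
        "authors": [{"name": "example-sub build pipeline"}],
        "component": {"type": "application", "bom-ref": "app",
                      "name": "telemetry-gateway", "version": "2.4.0",
                      "supplier": {"name": "Example Subcontractor LLC"}},
    },
    "components": [
        {"type": "library", "bom-ref": "lib-a", "name": "netcodec", "version": "1.9.2",
         "supplier": {"name": "Netcodec Project"}, "purl": "pkg:generic/netcodec@1.9.2"},
        {"type": "library", "bom-ref": "lib-b", "name": "cfgparse", "version": "3.1.0",
         "purl": "pkg:generic/cfgparse@3.1.0"},              # supplier not recorded
        {"type": "library", "bom-ref": "lib-c", "name": "zbuf", "version": "0.8.5",
         "supplier": {"name": "zbuf maintainers"}},           # no purl or cpe
    ],
    # Transitive dependency: app -> netcodec -> zbuf
    "dependencies": [
        {"ref": "app", "dependsOn": ["lib-a", "lib-b"]},
        {"ref": "lib-a", "dependsOn": ["lib-c"]},
        {"ref": "lib-b", "dependsOn": []},
        {"ref": "lib-c", "dependsOn": []},
    ],
})


def load_sbom(text):
    return json.loads(text)


def check_ntia_minimum(sbom):
    """Return one finding per NTIA minimum element that is missing."""
    findings = []
    meta = sbom.get("metadata", {})
    if not meta.get("authors"):
        findings.append("metadata.authors missing (NTIA: author of SBOM data)")
    if not meta.get("timestamp"):
        findings.append("metadata.timestamp missing (NTIA: timestamp)")
    declared = {d.get("ref") for d in sbom.get("dependencies", [])}
    for c in sbom.get("components", []):
        ref = c.get("bom-ref") or c.get("name") or "?"
        for field in ("name", "version"):
            if not c.get(field):
                findings.append(f"{ref}: {field} missing")
        if not (c.get("supplier") or {}).get("name"):
            findings.append(f"{ref}: supplier name missing")
        if not (c.get("purl") or c.get("cpe")):
            findings.append(f"{ref}: no unique identifier (purl/cpe)")
        if ref not in declared:
            findings.append(f"{ref}: not listed in dependencies[] (NTIA: dependency relationship)")
    return findings


def parse_version(v):
    """Dotted-integer compare only; use an ecosystem-aware parser for real data."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def affected_components(sbom, name, introduced, fixed):
    """Components called `name` with introduced <= version < fixed (OSV-style range)."""
    lo, hi = parse_version(introduced), parse_version(fixed)
    return [c for c in sbom.get("components", [])
            if c.get("name") == name and c.get("version")
            and lo <= parse_version(c["version"]) < hi]


def dependency_path(sbom, target_ref):
    """Chain of bom-refs from the delivered product down to target_ref, or None."""
    root = sbom["metadata"]["component"]["bom-ref"]
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    stack, seen = [[root]], set()
    while stack:
        path = stack.pop()
        node = path[-1]
        if node == target_ref:
            return path
        if node in seen:
            continue
        seen.add(node)
        for child in edges.get(node, []):
            stack.append(path + [child])
    return None


if __name__ == "__main__":
    sbom = load_sbom(SAMPLE_SBOM_JSON)
    for gap in check_ntia_minimum(sbom):
        print("NTIA gap:", gap)
    # Constructed advisory, not a real CVE: zbuf versions before 0.9.0 affected.
    for c in affected_components(sbom, "zbuf", "0.0.0", "0.9.0"):
        print("affected:", c["name"], c["version"], "via",
              " -> ".join(dependency_path(sbom, c["bom-ref"])))
```

The dependency path is the part primes actually want: "zbuf 0.8.5 is in your product, reached through netcodec" tells them which of your patches to wait for. In practice match on purl rather than bare name (two ecosystems can share a library name), and replace the toy version compare with the packaging rules of the ecosystem in question.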
Third-Party Risk Gets Its Own Requirements
If you're using cloud services, managed security providers, or any third-party vendor that touches CUI or connects to your network, primes want to know about it. The regulatory compliance framework that governs defense contracting treats your vendors as an extension of your risk surface.
NIST SP 800-171 Rev 2, the version DFARS 7012 currently points to, has no dedicated supply chain family, but it does require you to verify and control connections to and use of external systems (3.1.20) and to limit use of portable storage on them (3.1.21), and its incident response, monitoring and flaw remediation requirements apply to outsourced services as much as to in-house ones. Rev 3 adds an explicit Supply Chain Risk Management family (3.17). Either way, primes are increasingly asking for documentation of your third-party risk management program, including vendor assessments, contractual security requirements, and monitoring processes.
The cloud question comes up constantly. If you're using AWS, Azure, or Google Cloud for systems that store, process, or transmit CUI, DFARS 7012 requires that the cloud service meet the FedRAMP Moderate baseline (or the equivalency DoD has defined) and that the provider is contractually bound to the clause's incident reporting, malware handling, media preservation, and damage assessment obligations. Using commercial cloud services that aren't FedRAMP Moderate authorized or equivalent for CUI is a compliance violation that will show up in any serious assessment.
Managed service providers are another area of focus. If your IT or security operations are outsourced, the prime wants to verify that your MSP meets the same security standards you do. That often means requiring your MSP to have their own CMMC certification or demonstrable NIST 800-171 compliance.
What Subcontractors Need to Prepare Now
Waiting until you receive a supplier security questionnaire to start working on defense supply chain security is too late. The documentation, implementation, and validation processes take months, not weeks. Here's what you should have in place before the next assessment lands:
Know your NIST 800-171 score. Not what you think it is or what you hope it is: conduct an actual self-assessment using the DoD Assessment Methodology and calculate your score, which starts at 110 and can fall to -203 as weighted deductions accumulate. Document POA&Ms for any controls you haven't fully implemented. Your score goes into SPRS under DFARS 7019, and primes are checking.
Document your environment and your controls. You need a System Security Plan that accurately describes where CUI lives, what boundaries exist, how access is controlled, and what security tools protect it. The SSP needs to map to the 110 NIST 800-171 controls with specific descriptions of how each is implemented in your environment.
Get your incident response plan current and tested. You have 72 hours from discovery to report a cyber incident to DoD under DFARS 7012. That reporting obligation requires you to know an incident occurred, assess whether it affected CUI, and submit a report through the DoD Cyber Crime Center (DC3) DIBNet portal, which needs a DoD-approved medium assurance certificate, so get that credential before you need it. You also have to preserve images of affected systems and the relevant monitoring data for at least 90 days after the report. If you've never done this, you're not ready. Table-top exercises and documented procedures are minimum requirements.
Build SBOM capability if you deliver software. Start with your most critical or most frequently updated products. Integrate SBOM generation into your build pipeline. Validate that your SBOMs are accurate and complete. Establish a process for updating SBOMs when components change.
Review your subcontracts and vendor agreements. Make sure your vendors' security obligations flow down from what you've committed to the prime. If you've promised CMMC Level 2 but your cloud provider isn't FedRAMP authorized, you have a gap that will fail assessment. If you've agreed to SBOM delivery but your commercial software vendors won't provide component information, you can't fulfill the requirement.
Prepare actual evidence. Attestation without evidence is increasingly unacceptable. That means screenshots, configuration exports, policy documents with approval signatures, training records, audit logs, and test results. When a prime asks how you implement multi-factor authentication, they want to see the configuration and the access logs, not a statement that you have MFA enabled.
The Certification Timeline Problem
CMMC creates a sequencing challenge for the supply chain. Primes need the required CMMC status before they can be awarded a contract that carries the requirement. But primes also need to define their certification boundary, which determines whether subs are included in the prime's assessment or need their own separate certification.
Most primes are choosing boundaries that exclude subs, which means subs need their own CMMC certification. But the certification capacity is limited—there aren't enough C3PAOs to assess every company in the defense industrial base simultaneously. This creates a queue, and companies at the back of the queue may find themselves unable to compete for work.
The practical implication is that subs need to start the certification process now, even if the contract doesn't require it yet. Getting on a C3PAO's schedule, conducting the readiness assessment, remediating the gaps, and scheduling the formal assessment takes six to twelve months under current conditions. Waiting until a contract requires certification means you're six to twelve months behind competitors who started earlier.
Some subs are planning around CMMC's Conditional status, which lets a Level 2 assessment pass with open POA&M items. The allowance is narrow: only certain one-point requirements can be deferred, the assessed score has to be at least 88 of 110, and the POA&M must be closed out and verified within 180 days or the Conditional status lapses. This can accelerate the timeline but requires careful management of which controls are eligible for POA&Ms and which must be fully implemented before assessment.
When Primes and Subs Disagree on Requirements
A common point of friction is whether a particular security requirement actually applies to the subcontract work. The sub might argue that they never handle CUI, so NIST 800-171 doesn't apply. The prime, looking at contractual liability and regulatory interpretation, may disagree.
These disputes usually trace back to poor scoping during contract negotiation. The statement of work didn't clearly define what data would be shared, where it would be processed, and what security controls were required. Both parties made assumptions, and those assumptions didn't align.
The solution is specificity at contract formation. Define exactly what data is covered defense information or CUI. Identify which systems will process or store it. Agree on the applicable security framework and the assessment methodology. Document the flow-down requirements explicitly rather than incorporating them by reference to master terms that nobody actually reads.
When disagreements arise after contract award, they need to be resolved through technical scoping, not legal argument. Conduct a data flow analysis. Map the information exchange points. Determine where CUI actually exists in the contracted work. If CUI truly isn't involved, document that determination and get the prime's written concurrence. If it is involved, acknowledge the requirement and build a remediation plan.
The Strategic Implications for Subcontractors
Defense supply chain security requirements are a competitive differentiator, not just a compliance burden. Subs that achieve early CMMC certification, that can demonstrate robust NIST 800-171 implementation, and that can provide SBOMs and security evidence on demand will win work that less-prepared competitors cannot.
I've watched this play out in procurement decisions. Two subs bid similar technical solutions at similar prices. One has a current CMMC Level 2 certification and a documented security program. The other is still working on their System Security Plan and hasn't started the certification process. The decision isn't difficult—the certified sub represents lower risk and faster contract award.
This creates a consolidation pressure in the supply chain. Primes are reducing their supplier base to work with fewer, more capable, more compliant subs rather than managing risk across hundreds of small suppliers with varying security postures. If you're not investing in meeting these requirements, you're positioning yourself to be squeezed out of the defense industrial base over the next few years.
The companies that treat defense supply chain security as a strategic investment rather than a compliance tax will be the ones still doing defense work in 2027. The ones that delay, that cut corners, or that hope requirements won't be enforced will find themselves unable to compete. The margin for error is shrinking, and the consequences of getting it wrong—whether through contract loss, breach liability, or regulatory action—are becoming material business risks.
For CISOs and security leaders at subcontractor organizations, this means you need a seat at the business development table. When your company is evaluating a potential prime contract opportunity, the security requirements need to be assessed alongside the technical and financial requirements. Can you meet the flow-down obligations? Do you have the necessary certifications or the time to get them? Are there gaps that would require significant investment to close? These aren't IT questions—they're business questions that affect whether the opportunity is actually viable.
The relationship between compliance and security in defense contracting is tight and getting tighter. Meeting the compliance requirements without actual security creates liability. Implementing security without the compliance documentation creates friction with primes who need evidence of your controls. You need both, and you need them to align with what DoD is requiring and what primes are enforcing.
Understanding the broader context of regulatory compliance requirements helps frame these defense-specific obligations within your overall compliance program. The same principles of documentation, evidence, and validation apply across regulatory frameworks. Building competency in one area strengthens your capability in others.
The bottom line is this: defense supply chain security is no longer optional or aspirational for subcontractors. It's contractual, it's enforceable, and primes are enforcing it. The expectations are clear, the requirements are documented, and the assessment rigor is increasing. Companies that prepare now will compete successfully. Those that don't will find themselves unable to participate in defense work at all.