Oversight is Coming: How to Prepare for a DCMA Supply Chain Audit

This article is the first in a two-part series.

On January 21, 2019 the DoD released a memo requiring DCMA to validate contractor procedures for supply chain management. If you are a prime or sub on Department of Defense contracts, then your contracts are already subject to DCMA administrative oversight. This new memo adds to DCMA’s oversight role.
DCMA will now validate two things:
1. Procedures for marking and distribution statements on flow down to Tier 1 suppliers, and
2. Review of contractor’s procedures for assessing cyber compliance of their Tier 1 suppliers.

In this article, we discuss Part 1 – marking and distribution statements.

Marking and Distribution of Technical Documents Containing CUI
Procedures for marking and distribution are based on the marking guidance provided at 32 CFR, Part 2002, the CUI Registry, and DoD Instruction 5230.24, Distribution Statements on Technical Documents. However, we also highly recommend reviewing the definitions for controlled technical information and covered defense information in DOD’s cyber clause, DFARS 252.204-7012 as these may be helpful to inform your company’s procedures for marking and distribution.

Remember though, the data owner should initially categorize the data. Procedures for media marking and distribution are specifically addressed as a requirement under NIST 800-171, Control 3.8.4 but this requirement goes far beyond just media.

Most DOD contractors that provide deliverables are already familiar with the marking and distribution requirements when sending test data, analysis, and reports to the DOD customer. With this memo, contractors have to make sure that information from the DoD to the supply chain of vendors, consultants, subcontractors is not only marked correctly, but shared securely, and only shared to other Covered Contractor Information Systems (CCIS).

Prepare for the DCMA Audit

In February, the government released a revised Contractor Purchasing System Review (CPSR) Guidebook. Specific changes emphasize DFARS 252.204-7012 requirements for Supply Chain Management and references NIST 800-171. The new revision also states that the Supply Chain Management (SCM) process should include a method for safeguarding covered defense information and cyber incident reporting where the clause flows down.

Evaluation Criteria

There is a full list of questions in Appendix 24, six of which are new to this revision. The new revisions focus on the protection of CUI data. According to Appendix 24, contractors must demonstrate that:

  • the clause has flowed down where applicable
  • that CUI is properly marked in files, AND
  • how the CUI data was transferred to subcontractors

There must also be a process for managing variance requests and incident report numbers. In other words, you have to know what your subs are doing, and be able to evaluate the risk to CUI data as the threat environment changes.

We would caution that a written procedure IS NOT ENOUGH – you MUST be able to demonstrate that it is implemented and tracking the supply chain. So if the procedure exists but you cannot show that you have evaluated subcontractor compliance and are keeping vendor ratings up to date, your audit will show deficiencies.


According to Symantec’s 2019 Internet Security Threat Report, supply chain attacks were up 78% in 2018. Although much of the CPSR Guidebook is not new, in our experience supply chain management is often an organizational weakness, and supply chain security even more so.

In Part 2, we will look at the requirement that contractor’s assess their supply chain and provide a strategy for doing so in a cost-effective way.

Heather EngelHeather Engel is Chief Strategy Officer of Sera-Brynn. She has nineteen years of experience in cyber security, with an emphasis on cyber risk management including regulatory compliance, incident response, crisis communications, Continuity of Operations (COOP) planning, development and exercise execution; policy development, and computer network operations.

Sera-Brynn is internationally ranked as a top-tier cybersecurity firm. Sera-Brynn is a Payment Card Industry (PCI) Qualified Security Assessor (QSA) and a certified FedRAMP assessor. To speak to a team member, contact us at info@sera-brynn.com or via www.sera-brynn.com.


Hilary S. Cairnie

Hilary S. Cairnie  is a partner in the Government Contracts Practice Group of Pepper Hamilton LLP, resident in the Washington office. Mr. Cairnie’s practice is diverse and encompasses virtually all manner of government contracting matters, including contract formation, performance, administration, protests, REAs, claims and claim appeals; prime/sub disputes in federal and state court; APA cases, TROs and injunctions; security clearance controversies and appeals; small business protests and appeals; corporate due diligence in support of mergers, acquisitions and asset purchases; domestic preferences; Bayh-Dole, subject inventions and IP matters; Dodd-Frank conflict minerals and supply chain matters; small business set-aside programs; cost audits and disallowances and incurred cost submissions. Read full bio here.


Government Contracts Cyber Café Series
We have a monthly webinar series covering the top issues in government contracts and cybersecurity — all in just 45 minutes. The Government Contracts Cyber Café provides coaching, training and analysis to help you work through the technical, legal, accounting and other requirements confronting your organization, with the goal of helping you achieve compliance with the current DFARS and FAR cyber rules, regulations and contract clauses.
View our past webinar on How to Prepare Now for a DCMA Supply Chain Audit here.