The Defense Contract Management Agency, or DCMA, is an agency of the United States Federal Government that reports to the Under Secretary of Defense for Acquisition and Sustainment. DCMA is responsible for administering contracts for the Department of Defense (DoD), along with other federal agencies.
Recently, the Assistant Secretary of Defense for Acquisition and Sustainment released a memo stating “… it is imperative for the Department to identify and track flow down of DoD’s CUI, and to ensure these requirements are addressed and assessed as part of the procurement process.” This memo directs DCMA to validate contractor compliance with DFARS 252.204-7012 for contracts on which it provides oversight. Auditors will review marking and distribution statements on CUI flow down, as well as the procedures contractors use to assess their subcontractors’ compliance with DFARS 252.204-7012.
The Presumed Audit Timeline
Prior to the audit, a procurement analyst, or “auditor”, reviews the contracts in which the DFARS 7012 clause is present and notes any special marking requirements. The analyst then reviews supply chain management (SCM) policies to confirm that they require flow down of the clause to subcontracts for operationally critical support or where the support involves CDI/CUI. The procurement analyst also confirms that policies and contracts require subcontractors to submit any NIST 800-171 variance request to the prime contractor or the next higher-tier subcontractor. A final check covers incident reporting practices and the flow down of the corresponding requirement.
During the audit, the auditor will likely ask the contractor to demonstrate their ability to protect CUI in accordance with DFARS 7012 and NIST 800-171 requirements. This may come in the form of an SSP (System Security Plan) review or a live demonstration audit. The auditor is also likely to validate that the contractor flow down is occurring appropriately and that any and all CUI is properly marked in procurement files. The auditor will then require the contractor to demonstrate the ability to transfer CUI to a subcontractor.
Post audit activity might consist of several key validations:
- Validate that a subcontractor accepts DFARS 252.204.7012 as part of subcontract Terms and Conditions, and asserts compliance with NIST 800-171
- Validate that the subcontractor has a covered contractor information system (CCIS) that can receive, label, and protect CUI. Furthermore, prime contractors must determine and document that each subcontractor has an acceptable CCIS and SSP
- Provide examples of how CUI is transferred and marked appropriately
- Demonstrate how the contractor is managing and documenting subcontractor requests for variances
- Demonstrate how the contractor is managing and documenting subcontractor incident report numbers
The procurement analyst then notes whether the contractor’s ability to protect CUI could not be reviewed, or whether government officials should not rely on the report as an evaluation of the contractor’s ability to protect CUI for any proposed or ongoing acquisitions. If the auditor is unable to evaluate the systems because the procurement files lack the necessary information, this will essentially be a black mark on your audit and may result in a change of award.
What to Expect From an Audit and Some Pure Imagination
Unfortunately we don’t know for sure what every audit has been or will be like.
While we know some contractors have had two to four weeks’ notice that an audit was coming, some organizations had less than two days.
It is clear, however, that DCMA will go through your SSP with a fine-tooth comb. Know it and prepare for it. Also, know now that if your SSP and your policies and procedures don’t line up, it won’t go well for your audit. Your SSP therefore needs to be updated continuously.
Next, having a third-party auditor come in and assess your environment is a plus. It shows DCMA that you took additional steps to ensure your compliance. The third-party assessment also identifies gaps in your NIST 800-171 compliance and provides more accurate input for your organization's Plan of Action and Milestones (POA&M).
Get compliant. Show compliance. Stay compliant.
Five Questions About DCMA’s Role in NIST Compliance
- What if a subcontractor will never receive (presumably) any CUI from a prime contractor? Does the prime contractor still need to flow everything down (contractually) to the subcontractor?
According to the Contractor Purchasing Guidebook, as long as the prime contractor does not send any CUI to a subcontractor, this only needs to be noted. In that case the prime contractor will likely not be required to flow everything down to the subcontractor. However, prime contractors should always check whether a subcontractor could create CUI during the execution of the contract. Be safe, not sorry.
- Is DCMA focused primarily on the prime contractor?
The prime contractor is very important, yes, but any organization that holds a subcontract also falls under the purview of the audit. If you are a mid-tier sub that also has subcontractors of your own, you’re going to have all of the same requirements as the prime contractor. This means that your subcontractors will have to flow this information to you, and then you must track it, manage it, maintain it, and flow the information up to the contract’s prime contractor.
That being said, DCMA will be focused on prime contractors and larger subcontractors at the outset. Still, being DFARS 7012 and NIST 800-171 compliant is critical, especially if you are an organization that primarily secures business through subcontracting.
- Can a prime contractor flow down a questionnaire of sorts to subcontractors about their own DFARS 7012 and NIST 800-171 compliance status in order to ‘check the boxes’ for DCMA audit requirements?
The short answer is no. The requirements specifically state that a prime contractor must review the subcontractor’s SSP and POA&M, because prime contractors need to have a working knowledge of the subcontractor’s environment(s). If you have a subcontractor, you essentially take on some of the burden of ensuring that anyone who subcontracts to you (as the prime contractor) is meeting the standard; a questionnaire can provide some insight, but not all of it.
- What actions are being taken when DCMA finds control weaknesses?
It varies from company to company, but there have been situations where a company was required to make modifications to its SSP and have it back to the auditors within the week. It’s becoming commonplace for auditors to identify weaknesses and then give the company a very short turnaround time for improvements.
- Once DCMA completes an audit, do they send the company a letter of sorts saying that they are NIST compliant?
Wouldn’t that be nice? At the moment, no. They’re essentially going to do their audits and then move on. Sending a letter is an extra step, and resources are already limited. There is also a litany of legal ramifications with formal approval letters, so I wouldn’t expect one. It would be nice to get a golden ticket nevertheless.
There are many unanswered questions about DCMA’s role in compliance, how audits work, and what to expect from an audit. While we hope to answer as many questions as we can, the best thing an organization can do is get compliant, as the number of checks and balances will only increase. At the end of the day we are securing our country and its servicemen and women.
UPDATE (06/2019): DoD announced a new Cybersecurity Maturity Model Certification (CMMC) that will likely operate instead of, or in concert with, DCMA's responsibilities.