Subcontractors

If you’re a subcontractor or supplier involved in DoD contracts, your cybersecurity requirements and information security requirements will be similar to those requirements levied upon the Prime Contractor. It is necessary to follow these to ensure sensitive information (CUI) is safeguarded. These requirements are laid out by the Federal Customer and included in the Prime contractor’s contract. These requirements referred to as “flow-down clauses” are passed to you through purchase orders or general terms and conditions. Many of these requirements include flow-down requirements which require that you flow-down requirements to the next tier subcontractor/supplier.

For example, if the Prime contractor includes requirements for Federal Contract Information (FCI) under FAR 52.204-21, then you, the subcontractor – supplier are not only responsible for complying with those requirements, you must also flow down these requirements to your subcontractors – suppliers when passing FCI to them. This concept of flowing down requirements applies to other categories of information such as Controlled Unclassified Information (CUI) and possibly other types of information.

Prior to issuing a subcontract or a financial vehicle and sharing controlled information, each contractor at all levels of the supply chain has the responsibility to vet its subcontractors and suppliers to make sure they’re eligible to access and handle this information. Vetting steps may include verification of appropriate registrations and compliance with other requirements such as having conducted their DoD Basic Self-assessment and uploaded the required information to the SPRS database or being actively registered in the Joint Certification Program (JCP) or ITAR registered.

When sharing sensitive information with your own subcontractors, it’s crucial to follow similar procedures as the Prime contractor. Any company in the supply chain receiving FCI, CUI, JCP, or ITAR data must meet these standards and have the proper eligibility. If, for instance, you’re a subcontractor several tiers down and you need to work with another contractor, you must verify that the contractor is eligible to handle the information you intend to share. Then, include the proper markings and flow-down requirements in their purchase order.