Contractors: Get ready for tighter DOD supply chain enforcement


The Defense Department has been ramping up efforts to quash supply chain vulnerabilities with enhanced cybersecurity guidance that gives the organization greater access to contractors’ security protocols and controls even before awarding a contract.

According to Tom Tollerton of the accounting firm Dixon Hughes Goodman’s cybersecurity advisory team, DOD has been firing off a series of memos and guidance since late 2018 aimed at tweaking contracting language and improving security conditions pre-award.

The most recent came in January from Ellen Lord, DOD acquisition head, tasking the Defense Contracting and Management Agency with assessing contractors’ compliance with the NIST 800-171 in the cybersecurity framework by reviewing purchasing systems.

“This is really a step beyond previously identified gaps, which is what contractors were doing previously,” Tollerton said of the potential of on-site assessments in the firm’s April 16 webinar. “This was just released in January so this process is gearing up. So just be aware that it’s coming down the pike.”

He called particular attention to a set of guidance documents, released in November by Kim Harrington, acting principal director for the Defense Pricing and Contracting Agency, that gave contractors a new urgency when considering security and partnering with the DOD.

One requires self-attestation to comply with DFARS and the NIST Cybersecurity Framework, as well as on-site assessments and “enhanced cybersecurity measures in addition to the security requirements in NIST SP 800-171 to safeguard information stored on the contractor’s internal unclassified information system” before an award is made.

Tollerton said that overall the guidance “was a little vague” and gave DOD latitude to evaluate or add system controls if the organization believes it’s necessary.

Additionally, DOD expects contractors to already have a system security plan, along with plans of action and milestones, in place and outlines the consequences to the government if the security standards are not met.

There’s “a lot of subjectivity in that guidance suggests that contractors need to make every effort to consider security of data and systems even before considering compliance requirements,” he said.

About the Author

Lauren C. Williams is a staff writer at FCW covering defense and cybersecurity.

Prior to joining FCW, Williams was the tech reporter for ThinkProgress, where she covered everything from internet culture to national security issues. In past positions, Williams covered health care, politics and crime for various publications, including The Seattle Times.

Williams graduated with a master's in journalism from the University of Maryland, College Park and a bachelor's in dietetics from the University of Delaware.
