Contractors: Get ready for tighter DOD supply chain enforcement


The Defense Department has been ramping up efforts to quash supply chain vulnerabilities with enhanced cybersecurity guidance that gives the organization greater access to contractors’ security protocols and controls even before awarding a contract.

According to Tom Tollerton of the accounting firm Dixon Hughes Goodman’s cybersecurity advisory team, DOD has been firing off a series of memos and guidance since late 2018 aimed at tweaking contracting language and improving security conditions pre-award.

The most recent came in January from Ellen Lord, DOD's acquisition head, and tasked the Defense Contract Management Agency with assessing contractors' compliance with NIST SP 800-171 as part of its reviews of contractor purchasing systems.

“This is really a step beyond previously identified gaps, which is what contractors were doing previously,” Tollerton said of the potential for on-site assessments in the firm’s April 16 webinar. “This was just released in January, so this process is gearing up. So just be aware that it’s coming down the pike.”

He called particular attention to a set of guidance documents released in November by Kim Harrington, acting principal director for Defense Pricing and Contracting, which he said gave contractors a new urgency to consider security when partnering with DOD.

One calls for contractors to self-attest to compliance with DFARS and the NIST SP 800-171 security requirements, and allows for on-site assessments and “enhanced cybersecurity measures in addition to the security requirements in NIST SP 800-171 to safeguard information stored on the contractor’s internal unclassified information system” before an award is made.

Tollerton said that overall the guidance “was a little vague” and gave DOD latitude to evaluate or add system controls if the department believes it’s necessary.

Additionally, DOD expects contractors to already have a system security plan, along with plans of action and milestones, in place, and the guidance outlines the consequences to the government if the security standards are not met.

There’s “a lot of subjectivity in that guidance suggests that contractors need to make every effort to consider security of data and systems even before considering compliance requirements,” he said.

About the Author

Lauren C. Williams is a staff writer at FCW covering defense and cybersecurity.

Prior to joining FCW, Williams was the tech reporter for ThinkProgress, where she covered everything from internet culture to national security issues. In past positions, Williams covered health care, politics and crime for various publications, including The Seattle Times.

Williams graduated with a master's in journalism from the University of Maryland, College Park and a bachelor's in dietetics from the University of Delaware. She can be contacted at, or follow her on Twitter @lalaurenista.
