
DCMA’s Cybersecurity Oversight Takes Shape: Revised CPSR Guidebook Outlines DFARS Safeguarding Clause Audit Standards

Client Alert | 1 min read | 03.06.19

Following guidance issued by Under Secretary of Defense Lord, the Defense Contract Management Agency (DCMA) has revised its Contractor Purchasing System Review (CPSR) Guidebook to incorporate new standards DCMA auditors will use to assess contractor supply chain management under the DFARS Safeguarding Clause 252.204-7012.  Notably, the new standards require contractors to “validate” that their subcontractors have information systems “that can receive and protect” Covered Defense Information (CDI) and to “determine” whether subcontractor systems are “acceptable.”  Other new standards require contractors to demonstrate:

  • How CDI is properly marked and securely transferred to subcontractors; and
  • How subcontractor notifications regarding requests to vary from the NIST requirements and the submission of cyber incident reports are managed and documented.

The revisions also emphasize that 252.204-7012 is not an indiscriminate flowdown and applies only where the subcontractor will be utilized for operationally critical support or performing duties that involve CDI.
