DCMA’s Cybersecurity Oversight Takes Shape: Revised CPSR Guidebook Outlines DFARS Safeguarding Clause Audit Standards

Client Alert | 1 min read | 03.06.19

Following guidance issued by Under Secretary of Defense Lord, the Defense Contract Management Agency (DCMA) has revised its Contractor Purchasing System Review (CPSR) Guidebook to incorporate new standards DCMA auditors will use to assess contractor supply chain management under the DFARS Safeguarding Clause 252.204-7012. Notably, the new standards require contractors to “validate” that their subcontractors have information systems “that can receive and protect” Covered Defense Information (CDI) and to “determine” whether subcontractor systems are “acceptable.” Other new standards require contractors to demonstrate:

How CDI is properly marked and securely transferred to subcontractors; and
How subcontractor notifications regarding requests to vary from the NIST requirements and the submission of cyber incident reports are managed and documented.

The revisions also emphasize that 252.204-7012 is not an indiscriminate flowdown and applies only where the subcontractor will be utilized for operationally critical support or performing duties that involve CDI.

Contacts

Christopher D. Garcia
Counsel
- Washington, D.C.
  - D | +1.202.688.3450
Y2dhcmNpYUBjcm93ZWxsLmNvbQ==
Michael G. Gruden
Partner
- Washington, D.C.
  - D | +1.202.624.2545
bWdydWRlbkBjcm93ZWxsLmNvbQ==
Kate M. Growley
Partner and Crowell Global Advisors Senior Director
- Washington, D.C.
  - D | +1.202.624.2698
- Washington, D.C. (CGA)
  - D | +1 202.624.2500
a2dyb3dsZXlAY3Jvd2VsbC5jb20=

Insights

Client Alert | 4 min read | 03.25.26

NAIC Intensifies AI Regulatory Focus: What Health Insurance Payors Need to Know

The National Association of Insurance Commissioners (NAIC) is intensifying its oversight of how insurers use AI — and the pace of regulatory activity shows no signs of slowing. Over the past several months, the NAIC has published a formal Issue Brief staking out its position on federal AI legislation, launched a multistate AI Evaluation Tool pilot aimed at examining insurers’ AI governance programs, and continued to expand adoption of its AI Model Bulletin across state lines. These developments continue a trend towards enhancing regulation; the NAIC adopted AI Principles in 2020 and a Model Bulletin in 2023 clarifying that existing insurance laws apply to AI systems and establishing expectations for governance, documentation, testing, and third-party oversight. That Model Bulletin has now been adopted in approximately 24 states....

Client Alert | 11 min read | 03.25.26
White House National AI Policy Framework Calls for Preempting State Laws, Protecting Children
Client Alert | 3 min read | 03.24.26
California Considering A Massive Expansion of Its Antitrust Laws
Client Alert | 2 min read | 03.23.26
ACTS Survey Compliance Deadline Temporarily Extended: What Higher Education Institutions Need to Know

View All Insights