I Received a Cybersecurity Questionnaire — What Does This Mean for My Company?
If your company works as a defense subcontractor or is part of the Department of Defense (DoD) supply chain, you may have recently received a supplier cybersecurity questionnaire from a prime contractor or an upstream subcontractor.
This type of questionnaire is becoming increasingly common as primes and higher-tier contractors seek to meet their obligations under:
- the Cybersecurity Maturity Model Certification (CMMC) 2.0 rule,
- DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting),
- DFARS 252.204-7019 (Notice of NIST SP 800-171 DoD Assessment Requirements),
- DFARS 252.204-7020 (NIST SP 800-171 DoD Assessment Requirements), and
- FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems).
In short: primes and upstream subcontractors must be able to demonstrate cybersecurity compliance and resilience across their entire supply chain — a concept known as supply chain sustainability.
To achieve this, they must ask suppliers like you to provide evidence of compliance with cybersecurity requirements. This typically involves answering questions about your:
- System Security Plan (SSP),
- compliance with NIST SP 800-171 security controls,
- status of any Plan of Action and Milestones (POA&M) you may be using,
- ability to report cyber incidents,
- and other key obligations.
So, if you’ve received a questionnaire, what does it all mean, and what do you do next?
This FAQ explains the key concepts in practical terms.
Why Did I Receive This Cybersecurity Questionnaire?
Prime contractors and higher-tier suppliers are required by the Department of Defense (DoD) to ensure that their entire supply chain complies with specific cybersecurity standards. This is a formal obligation under DoD acquisition rules and contract clauses — it is not optional.
When a prime holds a contract that includes clauses such as DFARS 252.204-7012, 252.204-7019, 252.204-7020, or FAR 52.204-21, those requirements must be "flowed down" to their subcontractors and suppliers — including your company — if you process, store, or transmit Controlled Unclassified Information (CUI) or Federal Contract Information (FCI).
To meet these flowdown obligations, primes typically issue supplier cybersecurity questionnaires to all applicable subcontractors. The goal is to assess:
- whether your company has implemented the required security controls,
- whether your company has a System Security Plan (SSP),
- whether you are fully compliant with NIST SP 800-171, and
- whether there are any gaps or weaknesses (and if so, how they are being addressed).
In short, the prime is trying to validate that your cybersecurity practices will not create a supply chain risk that could jeopardize their contract or the security of DoD information.
What types of questions are included in these questionnaires?
Here are some common topics based on real-world examples of questions you may encounter — and what they really mean for your organization:
Are you fully compliant with FAR 52.204-21? Are all 15 required controls implemented without a POA&M?
This question is asking whether you have implemented all of the basic safeguarding requirements for Federal Contract Information (FCI) — without gaps.
FAR 52.204-21 lists 15 basic safeguarding requirements (these map to CMMC Level 1), and they must be in place when you perform on the contract; the CMMC rule does not permit a POA&M at Level 1, so you cannot defer implementation of any of them.
Where does the answer come from? Your internal IT/cybersecurity team should review your current network and system configurations, and your policy/procedure documentation, to confirm compliance. If you don’t handle FCI, state that — but if you do, full implementation is required.
Are you compliant with DFARS 252.204-7012? Have you implemented all 110 NIST SP 800-171 Controls?
This is asking if you have fully implemented NIST SP 800-171 security controls on all systems where you store, process, or transmit Controlled Unclassified Information (CUI).
DFARS 252.204-7012 is the clause that mandates these protections for CUI.
Where does the answer come from? Your System Security Plan (SSP) must document your status. Your IT/cybersecurity leadership and compliance team should review the SSP and validate whether all 110 controls are implemented. If not, this leads to the next question…
Do you have a documented and current System Security Plan (SSP) for the information systems that will handle CUI/CDI?
This asks whether your company has a formal, written SSP, as required by NIST SP 800-171 and referenced in DFARS clauses 7012, 7019, and 7020.
The SSP must describe:
- your system boundaries,
- the CUI environment,
- how you’ve implemented each NIST 800-171 control.
Where does the answer come from? Your cybersecurity leadership team should maintain this document. If you do not have an SSP, you will be unable to answer this question affirmatively — and you will be viewed as non-compliant.
If you are not fully compliant, are you using a POA&M to track corrective actions? What is the target closure date?
If your SSP identifies gaps in compliance (some controls not fully implemented), this question asks whether you have a formal Plan of Action and Milestones (POA&M) in place to remediate them.
It also asks when you intend to close those gaps. There is an important caveat here: the remediation (closure) period allowed for a POA&M item is limited.
Where does the answer come from? Your POA&M should be a companion document to your SSP, owned by your cybersecurity and compliance team, and affirmed by a senior official (the "affirming official" under the CMMC rule).
Important: Under the CMMC 2.0 rule and the 7019/7020 clauses, primes will scrutinize your closure dates. Each open NIST SP 800-171 requirement deducts points from your DoD Assessment score, and the CMMC rule requires that POA&M items be closed within 180 days of a Conditional CMMC Status; if they are not, the Conditional Status lapses and your eligibility is affected.
Have you submitted a Basic, Medium, or High DoD Assessment score to SPRS (Supplier Performance Risk System)? What type of assessment was performed?
This question is about your compliance with DFARS 252.204-7019 & 7020, which require contractors to self-assess (or undergo an assessment by the Defense Industrial Base Cybersecurity Assessment Center, DIBCAC) against the 110 NIST SP 800-171 requirements using the DoD Assessment Methodology, and submit the resulting score to the SPRS database.
Where does the answer come from? Your compliance lead or contracting team should know whether you have an SPRS score on file, when it was submitted, and what type of assessment was performed:
- Basic (self-assessment),
- Medium (conducted by DIBCAC),
- High (conducted by DIBCAC).
Be prepared to state the date of your submission and to provide supporting evidence, such as the SPRS confirmation or assessment closeout document.
Do you have the capability to report cyber incidents within 72 hours as required by DFARS 252.204-7012? Do you have a Medium Level of Assurance (MLOA) certificate to access the DIB CS portal?
This asks whether your company has a process in place to detect and report cyber incidents affecting CUI, and whether you have access credentials (an MLOA certificate) to submit those reports via the Defense Industrial Base Cybersecurity (DIB CS) portal.
Where does the answer come from? Your incident response policy should document this process.
You should also know who holds an MLOA certificate within your organization. If no one does, you must obtain one from a DoD-approved External Certification Authority (ECA); issuance involves identity proofing and takes time, so do not wait for an incident to apply.
“Gotcha”: Some primes now ask for names of individuals holding the MLOA to ensure you’re not just answering “yes” without having operational capability.
Are you prepared to support audits or assessments by the prime or by the DoD if requested?
This is a readiness question. If your prime or the DoD performs an audit or on-site assessment, are you prepared to support it? That means:
- having a current SSP and POA&M,
- having staff ready to answer questions and provide evidence,
- knowing where all key documents (SPRS submissions, MLOA certificates, incident response plans, etc.) are maintained.
Where does the answer come from? This is a leadership-level question — your cybersecurity, IT, and compliance leadership should collectively review your readiness.
In summary, these are not just "checkbox" questions. They are detailed probes designed to evaluate whether your company is truly running a sustainable, auditable, compliant cybersecurity program suitable for participation in the DoD supply chain.
Why does this matter?
Your answers to these questions, and the supporting documentation behind them, directly impact whether you will be eligible to:
- continue participating in the contract,
- handle CUI, and
- remain in the DoD supply chain in the future.
If your company cannot demonstrate adequate cybersecurity maturity, the prime may have to exclude you from CUI handling portions of the work or even from the program entirely.
Supply chain sustainability is the key issue: primes must show that their entire supplier network is compliant and sustainable from a cybersecurity standpoint. The receipt of (and requirement to complete) a questionnaire indicates that you are part of that network.
As you review and prepare to respond to the questionnaire, you’ll notice that many of the questions tie directly to specific contract clauses, especially the Defense Federal Acquisition Regulation Supplement (DFARS) clauses related to cybersecurity. One of the most important of these is DFARS 252.204-7012, which serves as the foundation for safeguarding Controlled Unclassified Information (CUI) across the entire supply chain. Understanding this clause is key to understanding the expectations behind the questionnaire.
What Is DFARS 252.204-7012, and Why Is It Important?
DFARS 252.204-7012 is a clause in the Defense Federal Acquisition Regulation Supplement (DFARS) that requires contractors and subcontractors to:
- Implement NIST SP 800-171 to safeguard CUI on the covered contractor information systems that process, store, or transmit it.
- Report cyber incidents to the DoD within 72 hours of discovery, via the DIB CS portal, using a DoD-approved medium assurance certificate.
- Submit malicious software discovered during incidents to the DoD Cyber Crime Center (DC3).
- Preserve and protect images of affected systems and relevant monitoring/packet-capture data for at least 90 days from submission of the cyber incident report.
Compliance with this clause is essential for maintaining eligibility for DoD contracts.
What is a POA&M, and what are its limitations?
A Plan of Action and Milestones (POA&M) is a document that outlines your plan to address and remediate deficiencies in your cybersecurity controls. If your organization has not fully implemented all required controls, a POA&M details the steps and timelines for achieving compliance.
There are important limitations to using a POA&M:
- FAR 52.204-21, which governs basic safeguarding of FCI, contains no POA&M provision, and the CMMC rule does not permit POA&Ms at Level 1. That means all 15 basic safeguarding requirements must be fully implemented before you perform on the contract. So, no POA&Ms for your CMMC "Level 1 – FCI" scope.
- Under DFARS 252.204-7012 and NIST SP 800-171, a POA&M is the accepted way to document unimplemented requirements. However, the CMMC 2.0 Final Rule restricts its use at Level 2: a Conditional CMMC Status is only available if your assessment score meets the minimum threshold (88 of 110), only lower-weighted requirements may remain open (with limited exceptions), and every POA&M item must be closed out, and verified, within 180 days of receiving the Conditional CMMC Status.
- Failure to close POA&M items in time could result in loss of your CMMC status and contract eligibility.
What Is a Medium Level of Assurance (MLOA) Certificate?
An MLOA certificate is a digital credential required to access the DoD's Defense Industrial Base (DIB) Cybersecurity (DIB CS) portal. This portal is used for reporting cyber incidents as mandated by DFARS 252.204-7012.
If your organization is required to report incidents, you must obtain an MLOA certificate. One "gotcha" to watch for is that your questionnaire response may ask who holds this certificate in your company — be prepared to name specific individuals to validate that this is not just a box-checking exercise.
What Are My Next Steps?
- Review the Questionnaire Carefully: Understand each question and determine what information or documentation is required.
- Assess Your Current Compliance Status: Evaluate your organization's adherence to the relevant cybersecurity requirements, especially NIST SP 800-171.
- Develop or Update Your System Security Plan (SSP): Document how your organization meets each security requirement.
- Create a POA&M if Necessary: If there are gaps in compliance, outline your plan to address them, including timelines and responsible parties. Remember the 180-day closeout window if pursuing a Conditional CMMC Status.
- Obtain an MLOA Certificate: If required, apply for and acquire the necessary digital certificate for incident reporting, and identify who holds it.
- Submit the Completed Questionnaire: Provide accurate and complete responses, along with any requested documentation, to the requesting prime contractor or supplier.
- Maintain Supply Chain Sustainability: Continue improving your cybersecurity program and be ready for follow-up reviews or audit requests from primes or the DoD.
Where Can I Find More Information?
- NIST SP 800-171 Revision 2
- DFARS 252.204-7012 Clause
- DFARS 252.204-7019 Clause
- DFARS 252.204-7020 Clause
- CMMC Model Overview
CorpInfoTech, a Managed Service Provider (MSP) with over 25 years in the SMB space, is a trusted partner for businesses pursuing compliance and cybersecurity. We are a CMMC Level 2 (C3PAO) certified MSP and a Cyber AB Registered Provider Organization (RPO). Also, as the first CIS accredited organization, we help organizations implement the CIS Controls as they pertain to CMMC and your overall cybersecurity posture. CorpInfoTech is your trusted partner for secure, compliant growth in an ever-changing digital landscape.