If your company works as a defense subcontractor or is part of the Department of Defense (DoD) supply chain, you may have recently received a supplier cybersecurity questionnaire from a prime contractor or an upstream subcontractor.
This type of questionnaire is becoming increasingly common as primes and higher-tier contractors seek to meet their obligations under:
In short: primes and upstream subcontractors must be able to demonstrate cybersecurity compliance and resilience across their entire supply chain — a concept known as supply chain sustainability.
To achieve this, they must ask suppliers like you to provide evidence of compliance with cybersecurity requirements. This typically involves answering questions about your:
So, if you’ve received a questionnaire, what does it all mean, and what do you do next?
This FAQ explains the key concepts in practical terms.
Prime contractors and higher-tier suppliers are required by the Department of Defense (DoD) to ensure that their entire supply chain complies with specific cybersecurity standards. This is a formal obligation under DoD acquisition rules and contract clauses — it is not optional.
When a prime holds a contract that includes clauses such as DFARS 252.204-7012, 252.204-7019, 252.204-7020, or FAR 52.204-21, those requirements must be "flowed down" to their subcontractors and suppliers — including your company — if you process, store, or transmit Controlled Unclassified Information (CUI) or Federal Contract Information (FCI).
To meet these flowdown obligations, primes typically issue supplier cybersecurity questionnaires to all applicable subcontractors. The goal is to assess:
In short, the prime is trying to validate that your cybersecurity practices will not create a supply chain risk that could jeopardize their contract or the security of DoD information.
Here are some common topics based on real-world examples of questions you may encounter — and what they really mean for your organization:
This question is asking whether you have implemented all of the basic safeguarding controls for Federal Contract Information (FCI) — without gaps.
FAR 52.204-21 requires 17 controls to be in place at the time of contract award; you cannot use a POA&M to defer implementation of these controls.
Where does the answer come from? Your internal IT/cybersecurity team should review your current network and system configurations, and your policy/procedure documentation, to confirm compliance. If you don’t handle FCI, state that — but if you do, full implementation is required.
This is asking if you have fully implemented NIST SP 800-171 security controls on all systems where you store, process, or transmit Controlled Unclassified Information (CUI).
DFARS 252.204-7012 is the clause that mandates these protections for CUI.
Where does the answer come from? Your System Security Plan (SSP) must document your status. Your IT/cybersecurity leadership and compliance team should review the SSP and validate whether all 110 controls are implemented. If not, this leads to the next question…
This asks whether your company has a formal, written SSP, as required by NIST SP 800-171 and referenced in DFARS clauses 7012, 7019, and 7020.
The SSP must describe:
Where does the answer come from? Your cybersecurity leadership team should maintain this document. If you do not have an SSP, you will be unable to answer this question affirmatively — and you will be viewed as non-compliant.
If your SSP identifies gaps in compliance (some controls not fully implemented), this question asks whether you have a formal Plan of Action and Milestones (POA&M) in place to remediate them.
It also asks when you intend to close those gaps. There is an important caveat to this question: the allowed remediation (closure) period for a POA&M item.
Where does the answer come from? Your POA&M should be a companion document to your SSP, owned by your cybersecurity and compliance team, and attested to by a senior executive (official).
Important: Under the CMMC 2.0 rule and 7019/7020 clauses, primes will scrutinize your closure dates — DFARS requires that POA&M items be resolved within a defined period (often 180 days) or else your score/status will be impacted.
This question is about your compliance with DFARS 252.204-7019 & 7020, which require contractors to self-assess (or undergo a DIBCAC assessment) against the 110 NIST 800-171 controls, and submit the resulting score to the SPRS database.
Where does the answer come from? Your compliance lead or contracting team should know whether you have an SPRS score on file, and what type of assessment was performed:
Be prepared to state the date of your submission and supporting evidence, like a closeout document.
Do you have the capability to report cyber incidents within 72 hours as required by DFARS 252.204-7012? Do you have a Medium Level of Assurance (MLOA) certificate to access the DIB CS portal?
This asks whether your company has a process in place to detect and report cyber incidents affecting CUI, and whether you have access credentials (an MLOA certificate) to submit those reports via the Defense Industrial Base Cybersecurity (DIB CS) portal.
Where does the answer come from? Your incident response policy should document this process.
You should also know who holds an MLOA certificate within your organization. If no one does, you must apply for one via an approved certificate authority.
“Gotcha”: Some primes now ask for names of individuals holding the MLOA to ensure you’re not just answering “yes” without having operational capability.
Are you prepared to support audits or assessments by the prime or by the DoD if requested?
This is a readiness question. If your prime or the DoD performs an audit or on-site assessment, are you prepared to support it? That means:
Where does the answer come from? This is a leadership-level question — your cybersecurity, IT, and compliance leadership should collectively review your readiness.
In summary, these are not just "checkbox" questions. They probe in detail whether your company is truly managing a sustainable, auditable, compliant cybersecurity program suitable for participation in the DoD supply chain.
Why does this matter?
Your answers to these questions, and the documentation supporting them, directly affect whether you will be eligible to:
If your company cannot demonstrate adequate cybersecurity maturity, the prime may have to exclude you from the CUI-handling portions of the work, or even from the program entirely.
Supply chain sustainability is the key issue: primes must show that their entire supplier network is compliant and sustainable from a cybersecurity standpoint. The receipt of (and requirement to complete) a questionnaire indicates that you are part of that network.
As you review and prepare to respond to the questionnaire, you’ll notice that many of the questions tie directly to specific contract clauses, especially the Defense Federal Acquisition Regulation Supplement (DFARS) clauses related to cybersecurity. One of the most important of these is DFARS 252.204-7012, which serves as the foundation for safeguarding Controlled Unclassified Information (CUI) across the entire supply chain. Understanding this clause is key to understanding the expectations behind the questionnaire.
DFARS 252.204-7012 is a clause in the Defense Federal Acquisition Regulation Supplement (DFARS) that mandates contractors and subcontractors to:
Compliance with this clause is essential for maintaining eligibility for DoD contracts.
A Plan of Action and Milestones (POA&M) is a document that outlines your plan to address and remediate deficiencies in your cybersecurity controls. If your organization has not fully implemented all required controls, a POA&M details the steps and timelines for achieving compliance.
There are important limitations to using a POA&M:
An MLOA certificate is a digital credential required to access the DoD's Defense Industrial Base (DIB) Cybersecurity (DIB CS) portal. This portal is used for reporting cyber incidents as mandated by DFARS 252.204-7012.
If your organization is required to report incidents, you must obtain an MLOA certificate. One "gotcha" to watch for is that your questionnaire response may ask who holds this certificate in your company — be prepared to name specific individuals to validate that this is not just a box-checking exercise.
Where Can I Find More Information?
CorpInfoTech, a Managed Service Provider (MSP) with over 25 years in the SMB space, is a trusted partner for businesses pursuing compliance and cybersecurity. We are a CMMC Level 2 (C3PAO) certified MSP and a Cyber AB Registered Provider Organization (RPO). Also, as the first CIS accredited organization, we help organizations implement the CIS controls as they pertain to CMMC and your overall cybersecurity posture. CorpInfoTech is your trusted partner for secure, compliant growth in an ever-changing digital landscape.