DEFENSE & GOVERNMENT CONTRACTING

Third-party risk management

Third-party risk management in Defense and Government Contracting is now a direct compliance obligation, not a best practice. The U.S. Department of Defense's Cybersecurity Maturity Model Certification program requires contractors to flow down security requirements to subcontractors, the Defense Contract Audit Agency scrutinizes vendor documentation during contract audits, and the General Services Administration has tightened supply chain integrity standards under Federal Acquisition Regulation clause 52.204-23. Compliance teams are currently mapping subcontractor and supplier networks against these requirements ahead of CMMC Phase 2 enforcement timelines.

Watch

  • CMMC 2.0 final rule: flow-down obligations to subcontractors at all tiers
  • FAR 52.204-23 and 52.204-25 compliance deadlines for covered contractor systems
  • Defense Contract Audit Agency scrutiny of third-party cybersecurity documentation during audits
  • GSA supply chain risk management policy updates affecting schedule contract holders
  • NDAA Section 889 enforcement: identifying prohibited-source components in vendor hardware

Recent material activity in Defense & Government Contracting

Active monitoring in place across Defense & Government Contracting. Material developments related to third-party risk management will appear here as they are published.