How to Spot a Client in the DoD Industrial Base That Handles CUI

Managed service providers (MSPs) should know when a potential or existing client is a defense contractor, since companies that are subject to DFARS (252.204-7012 and -7021) require more security controls, documentation, and support than the average client.

But there’s a problem: many organizations don’t identify as defense contractors. They think of themselves as commercial companies, selling commercial products and services. This is even more common among defense subcontractors who sell to “prime contractors” rather than directly to a government agency.

How can MSPs and managed security service providers (MSSPs) better understand a company’s needs to avoid surprises like the DoD’s Cybersecurity Maturity Model Certification (CMMC), NIST 800-171 assessments, and annual compliance affirmations? 

By doing some research and asking better questions, we can cut through the noise and see an organization’s needs for what they really are.

The research

You can look at valuable public information to see how much an organization overlaps with the defense industry.

USASpending.gov: The federal government maintains public records of its contracting activities. 

  1. Click the “Start Searching Awards” button

  2. Expand the “Recipient” tab

  3. Search for your client’s company name. 

Search results let you click on the recipient’s profile to confirm the company name and address.

These results won’t include subcontract awards, but seeing the individual contract awards, transactions over time, and dollar amounts can help your team establish whether a company is active in the defense industrial base. It’ll also help you understand how much direct business can be impacted by CMMC.

Company websites: You might be surprised how many companies don’t see themselves as defense contractors yet advertise defense expertise on their own websites. Solid indicators might include:

  • ITAR registration: Registering with the Directorate of Defense Trade Controls (DDTC) indicates that a company is prepared to develop, manufacture, or generally handle “defense articles” governed by the International Traffic in Arms Regulations (ITAR).

  • AS9100: This is a quality management standard for the aerospace, aviation, and defense industries. While purely commercial companies are ISO 9001 certified, defense contractors often have this additional certification.

  • Nadcap accreditation: Manufacturers performing critical processes like chemical processing, welding, or nondestructive testing are sometimes accredited under the National Aerospace and Defense Contractors Accreditation Program (Nadcap). Check the public directories of accredited manufacturers to see if your client is listed. If so, chances are they do subcontracted work for large aerospace prime contractors, which often involves Controlled Unclassified Information (CUI).

  • “Contract Vehicles”: This means the company has already gone through extensive vetting processes, and government agencies can buy from them without an open competition. Companies will often list these contracts (IDIQ, GWAC, BPA, OTA, etc.) on their website.

  • “Defense” is listed in their “Industries Served” site navigation.

  • Other indicators: Does the website have a screeching bald eagle on the front page? How about an F-35 Joint Strike Fighter? A photo of special forces operators holding the company’s product while marching and pointing at things? Defense contractors generally want website visitors to know their products and services are used by the military.

The questions

Once you’ve done some initial research of your own, you can ask a client these questions to identify whether they are truly a defense contractor:

  1. Do any of your contracts, task orders, or purchase orders include Federal Acquisition Regulation (FAR) or Defense Federal Acquisition Regulation Supplement (DFARS) clauses?

    • Private companies are required to flow down specific FAR/DFARS clauses to subcontractors when work is performed on behalf of an agency. Getting DFARS clauses in subcontracts means you are a defense subcontractor.

  2. Do you receive customer technical data marked with DoD distribution statements?

    • Documents with DoD distribution statements either came from an agency or are marked with these statements because they’ll eventually be delivered to an agency. If a company is receiving these documents, verify if they’re related to a contract, task order, or purchase order containing DFARS clauses (if yes, then they’re a defense contractor).

    • Not all documents with distribution statements qualify as CUI. However, if even a few of them qualify, or future documents arrive with CUI markings, the systems that process, store, or transmit these documents are probably your current/future CUI data flows, as well.

  3. Does your company have an account in the Procurement Integrated Enterprise Environment (PIEE) system?

    • PIEE access is necessary for defense contractors receiving reports and requesting progress payments through Wide Area Workflow (WAWF).

    • PIEE is also required to submit NIST 800-171 self-assessments in the Supplier Performance Risk System (SPRS) module. Companies will have PIEE access if they previously performed on defense contracts. If your client has PIEE access, ask them if they’ve submitted a “Basic self-assessment” for NIST 800-171 in the past. Only defense contractors submit them.

How Huntress helps

Huntress satisfies 51 of the 110 controls required for your CMMC Level 2 assessment, with proof in our Shared Responsibility Matrix.

If you have DoD contracts or work with clients who do, CMMC compliance is a must-have as of November 10, 2025. Huntress covers almost half of the required controls with CMMC-compliant tech and assessor-ready documentation. If you hadn’t considered Huntress before, the time is now. 



Ryan Bonner is the founder and CEO of DEFCERT. Ryan has led DFARS and CMMC compliance transformation projects for over 150 contractors in the Defense Industrial Base (DIB), often involving MSPs.