Subcontractor Cybersecurity Checklist (GC Requirements)
Note: This is general information and not legal advice.
Executive Summary
If you're getting vendor questionnaires, start with identity and access. Related: MFA and CMMC and NIST 800-171 readiness.
Copy/paste subcontractor checklist
# Subcontractor Cybersecurity Checklist (GC Baseline)
## Identity and access
- [ ] Multi-Factor Authentication (MFA) enforced for email and admin accounts
- [ ] Admin access is limited and reviewed (no local admin by default)
- [ ] Offboarding process removes access the same day when people leave
## Devices and patching
- [ ] Device inventory exists (company-managed devices are preferred for sensitive work)
- [ ] Patching cadence is documented and measured
- [ ] Endpoint protection is enabled and reporting
## Data handling
- [ ] Data classification exists and guides what can be emailed/shared
- [ ] Approved file sharing is used (avoid personal storage for project data)
- [ ] Access to shared folders/portals is role-based
## Remote access and networks
- [ ] Remote access is protected (MFA, conditional access where available)
- [ ] Guest Wi-Fi is separated from business systems on job sites
- [ ] Unknown devices are investigated
## Backups and recovery
- [ ] Backups exist for critical business data and are tested with restores
- [ ] Recovery steps are documented for key systems
## Incident response and reporting
- [ ] An incident response contact is defined (who to notify and how)
- [ ] Evidence is preserved and incidents are escalated quickly
- [ ] Subcontractor understands customer reporting expectations where applicable
Related resources: construction and real estate brief, vendor risk management, and questionnaire help.
Where GCs usually focus
Most GC security questionnaires center on the same areas, and those areas are not arbitrary. They reflect the risks that actually cause incidents on shared projects.
Email and identity come first. GCs want to see MFA enforced, access reviews in place, and offboarding that removes access the same day someone leaves. Weak email credentials are the most common attack vector, and a compromised subcontractor account can reach shared project data, schedules, and contracts.
The focus areas also reflect how incidents propagate on shared projects. A compromised subcontractor email account can be used to send fraudulent invoices or payment change requests to the GC and other subs on the same project. Unmanaged devices connecting to shared job site networks can introduce malware that spreads laterally. Inadequate backups mean a ransomware incident at one subcontractor can delay the entire project schedule. These cascading effects are why GCs care about subcontractor security even when the subcontractor's own data is not the primary target.
Device baseline follows. Known devices, documented patching cadences, and active endpoint protection are table stakes for most questionnaires. Data handling expectations focus on file sharing, retention, and role-based access to shared folders and portals. Incident readiness rounds it out: who to contact, how to escalate, and what the customer reporting expectations are.
Related: identity foundations, patch management, and incident response plan template.
Evidence you should be able to produce
A checklist is a statement of intent. Evidence is what makes it credible. When a GC or customer asks for proof that controls are in place, you need artifacts that demonstrate both policy and practice.
For identity and access, be ready to show that MFA is enforced across your organization, not just available. A screenshot of your identity provider's enforcement policy, combined with an access review record showing regular reviews of admin and privileged accounts, demonstrates that the control is operational. Offboarding evidence is particularly persuasive: a log showing that accounts and device access were removed on the same day as an employee's last day proves the process is followed, not just documented.
Device evidence should include a current device inventory with patch compliance status, endpoint protection deployment confirmation, and a documented patching cadence. A snapshot from your endpoint management tool showing that devices are within policy thresholds is more convincing than a written statement that devices are patched. For backups, produce restore testing logs that show when backups were last validated and that recovery met your defined timelines.
Incident response evidence should include a current plan with named contacts, evidence of tabletop exercises or tests, and any after-action reports from real incidents. The absence of incidents is not evidence of readiness. A tested plan with identified gaps and improvement actions is more credible than an untested plan that claims to be perfect.
Related: vendor security questionnaire help and vendor security questionnaire checklist.
Common gaps that delay approvals
In our experience working with subcontractors, the same gaps appear repeatedly and cause delays in security review approvals. Addressing these before a questionnaire arrives saves time and avoids the perception that security is an afterthought.
The most common gap is MFA that is enabled but not enforced. Many organizations have MFA available for users but do not require it, which means some accounts remain protected by password only. GC questionnaires typically ask whether MFA is enforced, not whether it is available. The distinction matters because an account without MFA is the most likely entry point for an attacker targeting your organization.
Local admin rights are another frequent finding. When standard users have administrator access to their workstations, malware and unauthorized software have broader reach, and the principle of least privilege is undermined. Removing local admin rights is a straightforward control that signals maturity to security reviewers and materially reduces risk. See our guide on removing local admin rights for implementation guidance.
Offboarding speed is often a blind spot. Subcontractors with high turnover may have accounts that linger for days or weeks after employees leave. Each orphaned account is a potential entry point. An offboarding checklist that triggers on the same day as departure, covering accounts, devices, and shared access, closes this gap efficiently.
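The two gaps above, MFA that is registered but not required at sign-in and accounts that outlive their owner's last day, are easy to find mechanically once an identity-provider user export sits beside the HR roster. The Python below is an added example written for this guide; it is not N2CON tooling and does not call any real identity provider's API. The flat export format, the field names and the sample accounts and roster are constructed assumptions, so adapt the loader to whatever your provider actually exports.

```python
"""Review helpers for two common questionnaire gaps: MFA that is enabled but not
enforced, and accounts that linger after an employee's last day.

Hypothetical data model (an assumption for this example): one record per account
from an identity-provider export, and one record per person from an HR roster.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Account:
    username: str
    enabled: bool
    is_admin: bool
    mfa_registered: bool   # the user has set up a second factor
    mfa_enforced: bool     # a policy requires that factor at every sign-in


@dataclass(frozen=True)
class Employee:
    username: str
    last_day: Optional[date]   # None while still employed


# Constructed sample export, not data from any real tenant.
ACCOUNTS = [
    Account("alice", True, True, True, True),
    Account("bob", True, False, True, False),        # registered, not required
    Account("carol", True, False, False, False),     # password only
    Account("dave", True, True, True, False),        # admin without enforcement
    Account("erin", False, False, True, True),       # disabled on departure
    Account("frank", True, False, True, True),
    Account("svc-backup", True, False, False, False),  # no owner in HR roster
]

# Constructed sample roster.
ROSTER = [
    Employee("alice", None),
    Employee("bob", None),
    Employee("carol", date(2024, 3, 1)),    # left, account still enabled
    Employee("dave", None),
    Employee("erin", date(2024, 2, 15)),    # left, account disabled
    Employee("frank", None),
]


def mfa_gaps(accounts):
    """Enabled accounts where MFA is not enforced. Registration alone does not
    count: without a policy demanding the factor, the password is still enough."""
    return sorted(a.username for a in accounts if a.enabled and not a.mfa_enforced)


def admin_mfa_gaps(accounts):
    """Subset of the MFA gaps that hold admin rights; fix these first."""
    return sorted(a.username for a in accounts
                  if a.enabled and a.is_admin and not a.mfa_enforced)


def enforcement_rate(accounts):
    """Share of enabled accounts covered by an MFA enforcement policy."""
    enabled = [a for a in accounts if a.enabled]
    if not enabled:
        return 1.0
    return sum(a.mfa_enforced for a in enabled) / len(enabled)


def orphaned_accounts(accounts, roster, as_of):
    """Enabled accounts whose owner has left, mapped to days since the last day.
    Accounts with no roster entry at all are reported with None so they get
    an owner assigned or are reviewed as service accounts."""
    last_days = {e.username: e.last_day for e in roster}
    found = {}
    for acct in accounts:
        if not acct.enabled:
            continue
        if acct.username not in last_days:
            found[acct.username] = None
            continue
        last = last_days[acct.username]
        if last is not None and as_of > last:
            found[acct.username] = (as_of - last).days
    return found


def review_summary(accounts, roster, as_of):
    """Questionnaire-ready summary of both gaps for a given review date."""
    return {
        "mfa_not_enforced": mfa_gaps(accounts),
        "admins_without_mfa": admin_mfa_gaps(accounts),
        "enforcement_rate": round(enforcement_rate(accounts), 3),
        "orphaned": orphaned_accounts(accounts, roster, as_of),
    }


if __name__ == "__main__":
    print(review_summary(ACCOUNTS, ROSTER, date(2024, 3, 11)))
```

The enforcement rate is the number a reviewer will ask for; the two lists are what you fix before the questionnaire arrives. Running the same script on each access-review date also produces the dated record that the "Evidence" section above describes.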
Related: evaluating hosted app providers and SaaS sprawl governance.
When CMMC or NIST 800-171 applies
Some subcontractor engagements involve Controlled Unclassified Information (CUI) under defense contracts, which triggers specific compliance obligations. If your contracts reference DFARS 252.204-7012 or include CUI flow-down clauses, you may need to meet NIST SP 800-171 requirements and potentially undergo CMMC assessment.
The baseline checklist in this guide addresses many of the same control areas that NIST 800-171 covers: access control, awareness and training, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity. However, the formal framework requires documentation, evidence, and assessment that go beyond a simple checklist.
If you are unsure whether your contracts require CMMC or NIST 800-171 compliance, check your subcontract agreements for CUI or DFARS references, and confirm with your contracting officer or legal counsel. Starting with the controls in this checklist puts you in a stronger position if formal compliance becomes a requirement, even if it does not satisfy every assessment criterion today.
Related: CMMC guide, CUI guide, and POAM guide.
Building a reusable evidence pack
If you respond to multiple GC or customer security questionnaires, building a reusable evidence pack saves substantial time. The idea is to maintain a current set of artifacts that address the most common questionnaire areas so you can respond quickly without scrambling for screenshots and policy documents each time.
Start with the categories that appear in nearly every questionnaire: identity and access control, device management, patching, backups, and incident response. For each category, maintain a one-page summary that describes your control, how it is enforced, and when it was last validated. Attach supporting evidence such as policy screenshots, compliance reports, and test results.
Review and update the evidence pack quarterly or before a known renewal cycle. Stale evidence is worse than no evidence because it suggests the controls are documented but not maintained. Assign someone to own the pack and set a calendar reminder to refresh it. Over time, the pack becomes a living document that reflects your security posture and reduces the friction of security reviews.
When a new questionnaire arrives that asks for something not in your standard pack, add it. Most GC questionnaires overlap significantly, so each new response becomes a permanent addition that makes the next one faster. Within a year of active maintenance, most subcontractors find that they can respond to the majority of questionnaire items from the existing pack with only minor updates for dates, contact changes, and any new controls implemented since the last review.
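Keeping the pack current is the part that slips, so it helps to keep a small manifest of artifacts and check it on the quarterly cadence described above. The Python below is an added example for this guide, not an N2CON tool; the manifest format, the category names and the sample artifacts are constructed assumptions. It reports artifacts older than the refresh window, required categories with no artifact at all, and the date by which the oldest artifact must be revalidated.

```python
"""Staleness and coverage check for a reusable evidence pack.

Hypothetical manifest format (an assumption for this example): one entry per
artifact with the questionnaire category it supports and the date the
underlying control was last validated.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Categories that appear in nearly every GC questionnaire.
REQUIRED_CATEGORIES = ("identity", "devices", "patching", "backups", "incident_response")

# Quarterly review cadence, in days.
DEFAULT_MAX_AGE_DAYS = 90


@dataclass(frozen=True)
class Artifact:
    name: str
    category: str
    last_validated: date


# Constructed sample manifest, not a real evidence pack.
PACK = [
    Artifact("mfa-enforcement-policy.png", "identity", date(2023, 12, 15)),
    Artifact("admin-access-review-q1.pdf", "identity", date(2024, 3, 28)),
    Artifact("device-inventory-export.csv", "devices", date(2024, 3, 30)),
    Artifact("patch-compliance-snapshot.pdf", "patching", date(2023, 11, 2)),
    Artifact("restore-test-log.txt", "backups", date(2024, 2, 20)),
    # no incident_response artifact: the gap the coverage check should catch
]


def stale_artifacts(pack, as_of, max_age_days=DEFAULT_MAX_AGE_DAYS):
    """Names of artifacts validated more than max_age_days before as_of."""
    cutoff = as_of - timedelta(days=max_age_days)
    return sorted(a.name for a in pack if a.last_validated < cutoff)


def missing_categories(pack, required=REQUIRED_CATEGORIES):
    """Required categories with no artifact in the pack, in required order."""
    present = {a.category for a in pack}
    return [c for c in required if c not in present]


def refresh_due(pack, max_age_days=DEFAULT_MAX_AGE_DAYS):
    """Date by which the oldest artifact must be revalidated; None for an empty pack."""
    if not pack:
        return None
    return min(a.last_validated for a in pack) + timedelta(days=max_age_days)


def pack_status(pack, as_of, max_age_days=DEFAULT_MAX_AGE_DAYS):
    """Single answer for the owner's calendar reminder: is the pack ready to send?"""
    stale = stale_artifacts(pack, as_of, max_age_days)
    missing = missing_categories(pack)
    return {
        "ready": not stale and not missing,
        "stale": stale,
        "missing": missing,
        "refresh_due": refresh_due(pack, max_age_days),
    }


if __name__ == "__main__":
    print(pack_status(PACK, date(2024, 4, 1)))
```

A pack reports ready only when every required category has an artifact and nothing is past the window, which matches the point above that stale evidence is worse than none. The window is a parameter so a customer with a stricter renewal cycle can be checked against its own cadence.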
Related: vendor risk management and security awareness training.
Common Questions
What does a general contractor (GC) usually expect from subcontractors?
Most expectations are basic hygiene: MFA for email, controlled access, patched devices, backup readiness, and a clear incident reporting path. The buyer wants confidence you will not become the weak link.
Do subcontractors need to follow NIST 800-171 or CMMC?
Sometimes. If you handle Controlled Unclassified Information (CUI) under certain defense requirements, you may have specific obligations (for example: NIST 800-171 and CMMC). Many subcontractor checklists are a lighter baseline. This guide is not legal advice; confirm your contract requirements.
What is the fastest way to reduce risk without buying a pile of tools?
Start with identity controls (MFA, least privilege), patching discipline, backups you can restore, and clear offboarding for accounts and devices.
What evidence should we be able to show?
Policy intent plus proof: MFA enforcement, device inventory, patch compliance snapshots, backup restore testing logs, and an incident response contact path.
Need help passing customer and GC security reviews without slowing projects down?
We can harden identity, standardize device and patching baselines, and build a lightweight evidence pack you can reuse for questionnaires.
Contact N2CON