N2CON TECHNOLOGY

Subcontractor Cybersecurity Checklist (GC Requirements)

General contractors (GCs) increasingly ask subcontractors for basic cybersecurity proof. This checklist focuses on the controls that most often show up in requests: identity, devices, data handling, backups, and incident reporting.

Note: This is general information and not legal advice.

Last reviewed: February 2026

Executive Summary

What it is
A baseline checklist a subcontractor can use to meet common GC security expectations and reduce risk.
Why it matters
  • Subcontractors often touch shared data, shared systems, and shared schedules.
  • Account compromise and data loss commonly start with weak identity and unmanaged devices.
  • Good evidence reduces questionnaire churn and protects relationships.
When you need it
  • You work with GCs that require vendor onboarding and periodic security attestations.
  • You access customer portals, job site networks, or shared file systems.
  • You are bidding work that includes sensitive plans, contracts, or regulated data.
What good looks like
  • MFA enforced, least privilege applied, and access removed quickly when people leave.
  • Devices are known, patched, and protected (not personal laptops with no baseline).
  • Backups are tested and you have a clear incident reporting contact path.
How N2CON helps
  • Implement the controls that show up most often in security reviews.
  • Build a lightweight evidence pack you can reuse for questionnaires and renewals.
  • Support ongoing operations through managed IT and managed security.

Copy/paste subcontractor checklist

If you're getting vendor questionnaires, start with identity and access. Related: MFA, and CMMC and NIST 800-171 readiness.

# Subcontractor Cybersecurity Checklist (GC Baseline)

## Identity and access
- [ ] Multi-Factor Authentication (MFA) enforced for email and admin accounts
- [ ] Admin access is limited and reviewed (no local admin by default)
- [ ] Offboarding process removes access the same day when people leave

## Devices and patching
- [ ] Device inventory exists (company-managed devices are preferred for sensitive work)
- [ ] Patching cadence is documented and measured
- [ ] Endpoint protection is enabled and reporting

## Data handling
- [ ] Data classification exists and guides what can be emailed/shared
- [ ] Approved file sharing is used (avoid personal storage for project data)
- [ ] Access to shared folders/portals is role-based

## Remote access and networks
- [ ] Remote access is protected (MFA, conditional access where available)
- [ ] Guest Wi-Fi is separated from business systems on job sites
- [ ] Unknown devices are investigated

## Backups and recovery
- [ ] Backups exist for critical business data and are tested with restores
- [ ] Recovery steps are documented for key systems

## Incident response and reporting
- [ ] An incident response contact is defined (who to notify and how)
- [ ] Evidence is preserved and incidents are escalated quickly
- [ ] Subcontractor understands customer reporting expectations where applicable

Related resources: construction and real estate brief, vendor risk management, and questionnaire help.

Where GCs usually focus

  • Email and identity: MFA, access reviews, and offboarding.
  • Device baseline: known devices, patching, and endpoint protection.
  • Data handling: file sharing, retention, and who can access what.
  • Incident readiness: who to contact and how to escalate quickly.

Related: identity foundations, patch management, and incident response plan template.

Common Questions

What does a general contractor (GC) usually expect from subcontractors?

Most expectations are basic hygiene: MFA for email, controlled access, patched devices, backup readiness, and a clear incident reporting path. The buyer wants confidence you will not become the weak link.

Do subcontractors need to follow NIST 800-171 or CMMC?

Sometimes. If you handle Controlled Unclassified Information (CUI) under certain defense contract requirements, you may have specific obligations (for example, NIST 800-171 and CMMC). Many subcontractor checklists are a lighter baseline than those frameworks. This guide is not legal advice; confirm your contract requirements.

What is the fastest way to reduce risk without buying a pile of tools?

Start with identity controls (MFA, least privilege), patching discipline, backups you can restore, and clear offboarding for accounts and devices.

What evidence should we be able to show?

Policy intent plus proof: MFA enforcement, device inventory, patch compliance snapshots, backup restore testing logs, and an incident response contact path.

Need help passing customer and GC security reviews without slowing projects down?

We can harden identity, standardize device and patching baselines, and build a lightweight evidence pack you can reuse for questionnaires.

Contact N2CON