Anyone pointing out that this was a subcontractor not CISA itself should review the FedRAMP requirements that CISA played a big hand in shaping.

Contractors and subcontractors are subject to the same requirements/standards as the main project. And are supposed to be audited for compliance on a regular basis, usually every 90 or 180 days