Cybersecurity for Suppliers

The Need for Cybersecurity Throughout Our Supply Chain

The threats facing industry’s ability to adequately safeguard its critical infrastructure are escalating dramatically. Hacking tools that require little or no skill to execute are increasingly available online, lowering the barrier of entry for bad actors and increasing their capabilities. Cybersecurity attacks are complex and often go undetected.

Additionally, DoD policy states that “cybersecurity be fully considered and implemented in all aspects of acquisition programs across the life cycle and responsibility for cybersecurity extends to all members of the acquisition workforce.”

General Dynamics Mission Systems is committed to a proactive and compliant cybersecurity approach to safeguarding our networks, information, and systems. Below are resources for our suppliers on federal regulations and how to report cybersecurity incidents.


Regulatory References

Federal Acquisition Regulation (FAR):

This clause is applicable to all solicitations and contracts when a contractor or subcontractor at any tier may have Federal Contract Information (FCI) residing in or transiting through its information systems, including commercial items other than commercially available off-the-shelf items (COTS).

Synopsis:

  • Requires basic safeguarding requirements and procedures to protect covered contractor information systems
  • Includes 15 requirements: maps to 17 security requirements in NIST SP 800-171
  • Applicable to all solicitations and contracts when a contractor or subcontractor at any tier may have federal contract information residing in or transiting through its information systems. Does not apply to contracts or subcontracts for COTS.

Defense Federal Acquisition Regulation Supplement (DFARS):

DFARS clause and prescription (where each clause applies):

  • 252.204-7008, Compliance with Safeguarding Covered Defense Information. Prescription: All solicitations, including solicitations using FAR part 12 procedures for the acquisition of commercial items, except for solicitations solely for the acquisition of commercially available off-the-shelf (COTS) items.
  • 252.204-7009, Limitation on the Use or Disclosure of Third Party Contractor Reported Cyber Incident Information. Prescription: All solicitations and contracts, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial items, for services that include support for the Government’s activities related to safeguarding covered defense information and cyber incident reporting.
  • 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. Prescription: All solicitations and contracts, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial items, except for solicitations and contracts solely for the acquisition of COTS items.
  • 252.239-7009, Representation of Use of Cloud Computing. Prescription: All solicitations, including solicitations using FAR part 12 procedures for the acquisition of commercial items, for information technology services.
  • 252.204-7020, NIST SP 800-171 DoD Assessment Requirements. Prescription: All solicitations, including FAR part 12 commercial items. Exceptions: solicitations solely for COTS items, or acquisitions at or below the micro-purchase threshold.
  • 252.239-7010, Cloud Computing Services. Prescription: All solicitations and contracts, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial items, for information technology services.

NIST SP 800-171 defines the security requirements for protecting Controlled Unclassified Information (CUI) in non-federal information systems and organizations. Generally, Department of Defense contractors, except COTS suppliers, are required to implement these security requirements by no later than December 31, 2017. Please refer to DFARS 252.204-7008, DFARS 252.204-7012 and NIST SP 800-171 for more details.


Flow-down Clauses to General Dynamics Suppliers

The applicable flow-down clauses are included in General Dynamics Mission Systems terms and conditions for its suppliers. Our terms and conditions are available at the following link: https://gdmissionsystems.com/suppliers/terms-conditions/


Reporting a Cybersecurity Incident

In accordance with DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, subcontractors, including vendors and consultants, are required to rapidly report cyber incidents within 72 hours of discovery to the General Dynamics Mission Systems Buyer point of contact, to the General Dynamics Mission Systems Security Operations Center hotline at (210) 638-7050, and directly to the Department of Defense (DoD) at https://dibnet.dod.mil/dibnet/#reporting. This includes providing to General Dynamics Mission Systems, as soon as practical, the incident report number automatically assigned by DoD.

Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) and NIST SP 800-171 DoD Assessment Requirements

Overview

On December 26, 2023, DoD issued a proposed rule for the Cybersecurity Maturity Model Certification (CMMC) Program. DoD is proposing to establish requirements for a comprehensive and scalable assessment mechanism to ensure defense contractors and subcontractors have implemented security requirements. The CMMC Program provides DoD a mechanism to verify that defense contractors or subcontractors have implemented the security requirements at each CMMC Level and are maintaining that status during the contract or subcontract period of performance.

CMMC builds on existing trust-based regulations (DFARS 252.204-7012) by measuring implementation of cybersecurity requirements at three levels through assessments and certifications based on the sensitivity of the information to be protected.

All DoD contractors and subcontractors with access to FCI or CUI will have requirements for CMMC Level 1, 2, or 3. The Department of Defense will stipulate the CMMC Level in solicitations and contracts.

Currently, all contractors and subcontractors with access to FCI or CUI must have a current DoD Assessment score in the DoD Supplier Performance Risk System (SPRS) for all CAGE codes covered by their System Security Plan (SSP). Refer to DFARS 252.204-7020, NIST SP 800-171 DoD Assessment Requirements, for additional information.

Supplier Impact

When CMMC is finalized, complying with CMMC will be required for suppliers to do business with General Dynamics Mission Systems and the U.S. DoD, unless the supplier solely provides COTS. The CMMC Program is led by the Chief Information Officer, U.S. Department of Defense, and CMMC scores will be reported to DoD on the Supplier Performance Risk System. All companies supporting DoD will require CMMC Level 1, 2 or 3 (except COTS suppliers). In order for a supplier to process, store or transmit CUI, it must at a minimum meet the requirements for CMMC Level 2.

Suppliers will be responsible for their CMMC audits, including sourcing and conducting CMMC Level 2 certification requirements with authorized or accredited C3PAOs.

The Cyber Accreditation Body (Cyber AB) is the official accreditation body of the CMMC Ecosystem and authorizes and accredits the CMMC Third-Party Assessment Organizations (C3PAOs) that conduct CMMC Assessments of companies supporting DoD. The Cyber AB maintains a list of its authorized and approved C3PAOs on the Cyber AB Marketplace at the Cyber AB site:

CyberAB Home

Suppliers should continue to monitor the CMMC rule-making process and resulting final cybersecurity requirements.


Cybersecurity Maturity Model Certification (CMMC) Resources:

Achieving Cybersecurity Compliance – Other Helpful Cybersecurity References:

Copyright 2024 General Dynamics Mission Systems, Inc.

A General Dynamics Business