Cybersecurity for Suppliers

The Need for Cybersecurity Throughout Our Supply Chain

The threats facing industry’s ability to adequately safeguard its critical infrastructure are escalating dramatically. Hacking tools that require little or no skill to execute are increasingly available online, lowering the barrier of entry for bad actors and increasing their capabilities. Cybersecurity attacks are complex and often go undetected.

Additionally, DoD policy states that “cybersecurity be fully considered and implemented in all aspects of acquisition programs across the life cycle and responsibility for cybersecurity extends to all members of the acquisition workforce.”

General Dynamics Mission Systems is committed to a proactive and compliant cybersecurity approach to safeguarding our networks, information, and systems. Below are resources for our suppliers on federal regulations and how to report cybersecurity incidents.

Regulatory References

Federal Acquisition Regulation (FAR):

FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems

This clause is applicable to all solicitations and contracts when a contractor or subcontractor at any tier may have federal contract information residing in or transiting through its information systems, including commercial items other than commercially available off-the-shelf items (COTS).

Synopsis:

Requires basic safeguarding requirements and procedures to protect covered contractor information systems
Imposes 15 categories of security controls focused on safeguarding contractor systems that process, store or transmit Federal contract information
Although not specifically stated, contractors in compliance with the more expansive NIST SP 800-171 security controls will presumably be in compliance with the FAR requirements
Applicable to all solicitations and contracts when a contractor or subcontract at any tier may have federal contract information residing in or transiting through its information systems. Does not apply to contracts or subcontracts for COTS.

Defense Federal Acquisition Regulation Supplement (DFARS):

DFARS	Prescription
252.204-7008 Compliance with Safeguarding Covered Defense Information	All solicitations, including solicitations using FAR part 12 procedures for the acquisition of commercial items, except for solicitations solely for the acquisition of commercially available off-the-shelf (COTS) items
252.204-7009 Limitation on the Use or Disclosure of Third Party Contractor Reported Cyber Incident Information	All solicitations and contracts, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial items, for services that include support for the Government’s activities related to safeguarding covered defense information and cyber incident reporting
252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting	All solicitations and contracts, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial items, except for solicitations and contracts solely for the acquisition of COTS items
252.239-7009 Representation of Use of Cloud Computing	All solicitations, including solicitations using FAR part 12 procedures for the acquisition of commercial item, for information technology services
252.239-7010 Cloud Computing Services	All solicitations and contracts, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial item, for information technology services

NIST SP 800-171 defines the security requirements for protecting Controlled Unclassified Information (CUI) in non-federal information systems and organizations. Generally, Department of Defense contractors, except COTS suppliers, are required to implement these security requirements by no later than December 31, 2017. Please refer to DFARS 252.204-7008, DFARS 252.204-7012 and NIST SP 800-171 for more details.

Flow-down Clauses to General Dynamics Suppliers

The applicable flow-down clauses are included in General Dynamics Mission Systems terms and conditions for its suppliers. Our terms and conditions are available at the following link: https://gdmissionsystems.com/suppliers/terms-conditions/

Reporting a Cybersecurity Incident

In accordance with DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting, subcontractors, including vendors and consultants, are required to rapidly report cyber incidents within 72 hours of discovery to the GDMS Buyer point of contact, the GDMS Security Operations Center hotline at (210) 638-7050, and directly to Department of Defense (DoD) at https://dibnet.dod.mil/dibnet/#reporting. This includes providing the incident report number, automatically assigned by DoD to General Dynamics Mission Systems as soon as practical.

Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) and NIST SP 800-171 DoD Assessment Requirements

Overview

CMMC is a DoD certification process to measure a company’s ability to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). CMMC combines cybersecurity standards and maps these best practices and processes to maturity levels, from basic cyber hygiene to advanced/progressive.

All DoD contractors and subcontractors with access to FCI or CUI will have their cyber acumen scored on a scale of 1 to 3. The Department of Defense will use the same scale to stipulate in solicitations the CMMC level required.

The CMMC Accreditation Body (Cyber AB) -- a neutral third party that will maintain the standard for DoD –- was established to train and verify third-party cybersecurity certifiers who will conduct audits. Additional information regarding the Cyber AB is available at https://cyberab.org/What-is-CMMC.

All contractors and subcontractors with access to FCI or CUI must have a current DoD Assessment score in the DoD Supplier Performance Risk System (SPRS) for all CAGE codes covered by your System Security Plan (SSP). Refer to COMPLIANCE WITH DFARS 252.204-7020 NIST SP 800-171 DoD ASSESSMENT REQUIREMENTS for additional information.

Additional information regarding DoD’s CMMC is available at: Department of Defense CMMC Information

Supplier Impact

Certification of cybersecurity compliance will be required for suppliers to do business with General Dynamics Mission Systems and the U.S. DoD, unless the supplier solely provides COTS. Certification of cybersecurity compliance is led by the Office of Under Secretary of Defense for Acquisition and Sustainment, and CMMC scores will be tracked by the DoD. Again, all companies will require a CMMC rating from 1 to 5 (except COTS suppliers), and DoD solicitations may restrict the use of suppliers below a specified CMMC level. In order for a supplier to process, store or transmit CUI, it must be certified at least at CMMC level 3.

Suppliers will be responsible for sourcing, conducting and reporting their CMMC audits via accredited third-party entities.

The CMMC Accreditation Body (Cyber AB) is developing the process for certification. Refer to the “Accreditation” section of the Cyber AB site for additional information: https://cyberab.org/Accreditation/General-Accreditation

For more information on CMMC, as well as other DoD cybersecurity initiatives, Project Spectrum is a recommended resource (https://projectspectrum.io). Project Spectrum is supported by the DoD Office of Small Business Programs, and provides information, training, and risk assessments to help vendors improve cyber readiness and comply with DoD requirements. Additionally, the Procurement Technical Assistance Centers (PTACs) provide vendors free assistance, including assistance related to DoD cybersecurity initiatives, to help them pursue contracts from DLA and other federal agencies. For more information refer to - https://www.dla.mil/SmallBusiness/PTAP/.

Additional Information

https://www.dla.mil/SmallBusiness/PTAP/PTAC/

https://www.dau.edu/

https://cyberab.org/What-is-CMMC

https://dodcio.defense.gov/CMMC/

Defense Industrial Base (DIB) Sector Coordinating Council (SCC) launched a new CyberAssist Website.