Cybersecurity for our Suppliers

The threats facing industry’s ability to adequately safeguard its critical infrastructure are escalating dramatically.

Cybersecurity is crucial for suppliers* in the Defense Industrial Base (DIB) serving the Department of Defense (DoD) due to the sensitive nature of the information and technology involved. A cyberattack could compromise sensitive information, disrupt critical defense programs, and damage reputation in the marketplace. General Dynamics Information Technology (GDIT), along with our suppliers, must implement robust cybersecurity measures to safeguard sensitive information and ensure the integrity of the defense supply chain*.

Additionally, DoD policy states that “cybersecurity be fully considered and implemented in all aspects of acquisition programs across the life cycle and responsibility for cybersecurity extends to all members of the acquisition workforce.”

GDIT is committed to a proactive and compliant cybersecurity approach to safeguarding our networks, information, and systems. Below are resources for our Suppliers on federal regulations and how to report cybersecurity incidents.

Please note, "suppliers" or "supply chain" may include contractors, subcontractors, consultants, vendors or OEMs.

Regulatory References

Federal Acquisition Regulation (FAR)

FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems

The FAR clause referenced above applies to all solicitations and contracts when a Supplier at any tier may have federal contract information residing in or transiting through its information systems, including contracts for commercial items other than commercially available off-the-shelf (COTS) items.

Synopsis of FAR 52.204-21:

  • Imposes basic safeguarding requirements and procedures to protect covered contractor information systems

  • Imposes a set of fifteen (15) basic cybersecurity controls for contractor information systems upon which “Federal contract information” is stored, processed or transmitted

  • Although not specifically stated, contractors in compliance with the more expansive NIST SP 800-171 security controls will presumably be in compliance with the FAR requirements

  • Applicable to all solicitations and contracts when a contractor or subcontractor at any tier may have federal contract information residing in or transiting through its information systems. Does not apply to contracts or subcontracts for COTS products.

Additional Defense Federal Acquisition Regulation Supplement (DFARS) provisions:

204.73 Safeguarding Covered Defense Information and Cyber Incident Reporting

204.7304 Solicitation provision and contract clauses.

DFARS: 252.204-7008 Compliance with Safeguarding Covered Defense Information (May 2024)

  • Prescription: In all solicitations, including solicitations using FAR part 12 procedures for the acquisition of commercial products and commercial services, except for solicitations solely for the acquisition of commercially available off-the-shelf (COTS) items.

DFARS: 252.204-7009 Limitation on the Use or Disclosure of Third Party Contractor Reported Cyber Incident Information (May 2024)

  • Prescription: In all solicitations and contracts, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial products and commercial services, for services that include support for the Government’s activities related to safeguarding covered defense information and cyber incident reporting.

DFARS: 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting (May 2024)

  • Prescription: In all solicitations and contracts, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial products and commercial services, except for solicitations and contracts solely for the acquisition of COTS items.

DFARS: 252.204-7019 Notice of NIST SP 800-171 DoD Assessment Requirements (May 2024)

  • Prescription: In all solicitations, including solicitations using FAR part 12 procedures for the acquisition of commercial products and commercial services, except for solicitations solely for the acquisition of commercially available off-the-shelf (COTS) items.

DFARS: 252.204-7020 NIST SP 800-171 DoD Assessment Requirements (May 2024)

  • Prescription: In all solicitations and contracts, task orders, or delivery orders, including those using FAR part 12 procedures for the acquisition of commercial products and commercial services, except for those that are solely for the acquisition of COTS items.

NIST SP 800-171 defines the security requirements for protecting Controlled Unclassified Information (CUI) in non-federal information systems and organizations. Generally, Department of Defense contractors, except COTS suppliers, were required to implement these security requirements prior to December 31, 2017.

Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC)

Overview

The Cybersecurity Maturity Model Certification (CMMC) program is aligned to the Department of Defense (the Department, DoD) information security requirements for Defense Industrial Base (DIB) partners. It is designed to enforce protection of sensitive unclassified information that is shared by the Department with its contractors and subcontractors. The program provides the Department increased assurance that contractors and subcontractors are meeting the cybersecurity requirements that apply to acquisition programs and systems that process information considered sensitive to the DoD.

Status

On December 26, 2023, the DoD released the highly anticipated proposed rule for CMMC which requires contractors, including suppliers/subcontractors, entrusted with Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) to implement cybersecurity standards at progressively advanced levels depending on the type and sensitivity of the information.

While the rulemaking process is ongoing, contractors should ensure they are prepared for the upcoming requirements of CMMC. Companies should make sure they have the appropriate investment across multiple groups within the organization, including cyber, information security, legal, compliance, supply chain and critical business stakeholders.

Proposed Levels and Assessments

Under the proposed rule, CMMC assessments will be conducted by three different groups, depending on the level being sought. Results of those assessments will be reported in DoD’s Supplier Performance Risk System (SPRS):

  • Contractors input Level 1 and Level 2 Self-Assessments directly into SPRS
  • C3PAO inputs CMMC Level 2 Certification Assessments in the CMMC Enterprise Mission Assurance Support Service (eMASS)
  • DIBCAC inputs CMMC Level 3 Certification Assessments in eMASS

A senior official from the prime contractor and any applicable subcontractor will be required to affirm continuing compliance with the specified security requirements after every assessment, including POA&M (Plan of Action and Milestones) closeout, and annually thereafter. These affirmations will be entered electronically in SPRS.

Proposed Schedule

The notional timeline assumes that DFARS 252.204-7021 (CMMC Requirements) is finalized and effective on 1/1/2025. The phases would proceed as follows:

  • Phase 1: January 1, 2025 – June 30, 2025
  • Phase 2: July 1, 2025 – June 30, 2026
  • Phase 3: July 1, 2026 – June 30, 2027
  • Phase 4: On/after July 1, 2027

For additional information please refer to the DoD CIO website.

Supplier Impact

Certification of cybersecurity compliance will be required for suppliers to do business with GDIT and the U.S. DoD, unless the supplier solely provides COTS items. Certification of cybersecurity compliance is led by the Office of the Under Secretary of Defense for Acquisition and Sustainment, and CMMC scores will be tracked by the DoD. All companies (except COTS suppliers) will require a CMMC rating from 1 to 5, and DoD solicitations may restrict the use of suppliers below a specified CMMC level. In order for a supplier to process, store or transmit CUI, it must be certified at least at CMMC level 3.

Suppliers will be responsible for sourcing, conducting and reporting their CMMC audits via accredited third-party entities.

The CMMC Accreditation Body is developing the process for certifications. Refer to the “Organizations Seeking Certification” section of the CMMC Accreditation Body site for additional information.

Flow-down Clauses to General Dynamics Suppliers

The applicable flow-down clauses are included in General Dynamics Information Technology terms and conditions for its Suppliers.

Reporting a Cybersecurity Incident

In accordance with DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting, Suppliers are required to rapidly report cyber incidents within 72 hours of discovery.

The GDIT Cyber Security team responds to and investigates cyber security incidents related to misuse or abuse of GDIT information and information technology resources. A cyber security incident is defined as any event that adversely impacts GDIT data or information systems or is a real or suspected action inconsistent with GDIT Privacy or Acceptable Use policies.

If you experience, observe, or are made aware of activity which you believe may be related to a cyber security incident, immediately email the relevant information to CyberSecurity@gdit.com or call the GDIT SOC Hotline number 1-571-386-3500.

Achieving Cybersecurity Compliance – Other Helpful Cybersecurity References