Cyber Security Requirements

Supplier Cyber Security Requirements

It is estimated that malicious cyber activity, or cybercrime, costs the global economy over $600 billion US dollars a year. Intellectual Property (IP) theft accounts for one of the largest slices of overall global cybercrime. IP theft can take many forms: large and small, crude and sophisticated, intentional and unintentional, while targeting individuals and businesses regardless of size. Consequently, the DoD is working with industry to ensure the protection of controlled unclassified information through the DFARS “Cyber Clause” (252.204-7012) and the “Interim Rule” (252.204-7019, 7020 and 7021).

Leonardo DRS is an active collaborator in the DIB Cyber Security Program (DIB CS) and strongly supports the tenets of Deliver Uncompromised. Leonardo DRS believes in working together across the DIB with customers, colleagues and suppliers to mitigate cyber risks through information sharing, collaborative risk mitigation and DFARS compliance.

Overview

If you are a Leonardo DRS supplier supporting DoD programs, and you are not exclusively providing COTS items or services that do not require the receipt of Controlled Technical Information (CTI), your organization must:

  A. Be compliant with the “DFARS Cyber Clause” 252.204-7012, required since January 1st, 2018
  B. Submit a Basic Assessment of your NIST SP 800-171 implementation into the DoD Supplier Performance Risk System (SPRS) per the “Interim Rule”, required since November 30th, 2020; the assessment must be updated at least every three years
  C. Update your Leonardo DRS CERTS and REPS to include your attestations for A and B, required since (date of notification)

If your organization has not completed A, B and C, you may lose the ability to:

  • Receive technical program information from Leonardo DRS
  • Compete for new Leonardo DRS subcontracts

DFARS 252.204-7012

The DFARS Cyber Clause, also known as 252.204-7012, went into effect on January 1st, 2018. The purpose of this clause is to ensure the safeguarding of controlled unclassified information (CUI). This clause requires those handling CUI (contractors and subcontractors) to:

  • Safeguard CUI by implementing the cybersecurity requirements in NIST SP 800-171
  • Report cyber incidents (including lost or stolen devices)*
  • Isolate and submit malicious software for analysis*
  • Facilitate damage assessments
  • Flow down the clause to subcontractors if CUI is conveyed

Note: COTS suppliers may be exempt from this clause as long as there is no technical modification of the supplied product. Further, if CUI will not be exchanged with the next-tier supplier, then the clause is not applicable to the subcontract or purchase order with that next-tier supplier.

Interim Rule

As of November 30th, 2020, the DoD has implemented three new DFARS clauses (DFARS 252.204-7019, 7020 and 7021) that enact an assessment methodology and initiate the Cybersecurity Maturity Model Certification (CMMC) requirement. This was done via an interim rule published in September of 2020 titled “Assessing Contractor Implementation of Cybersecurity Requirements”.

The Interim Rule establishes that Basic, Medium and High Assessments are an enforceable way of holding DoD contractors accountable to DFARS 252.204-7012 until the CMMC is fully implemented in October of 2025. This means that 252.204-7019 and 7020 can apply now, whereas 252.204-7021 (CMMC) is being rolled out gradually.

The summary below covers the three clauses; we highly encourage you to review the clauses in full:

252.204-7019: Notice of NIST SP 800-171 DoD Assessment Requirements

  • Requires organizations subject to DFARS 252.204-7012 to conduct a Basic self-assessment using the NIST SP 800-171 DoD Assessment Methodology
  • A summary score associated with supporting CAGE codes must be uploaded into the DoD Supplier Performance Risk System (SPRS)

252.204-7020: NIST SP 800-171 DoD Assessment Requirements

  • Outlines the requirements for the DoD assessment
  • Requires that these clauses flow down to subcontractors handling CUI
  • Provides the government access to facilities, systems, and personnel when a Medium or High assessment is warranted

252.204-7021: Cybersecurity Maturity Model Certification Requirements

  • When included as an acquisition clause, requires the contractor to have a current CMMC certificate at the specified level
  • Via subpart 204.75, provides guiding requirements for use in solicitations and contracts until that point

Until CMMC is fully implemented in all DoD contracts, contracting officers will use assessment scores as part of their risk evaluation for primes as well as their suppliers, in addition to or instead of a CMMC rating.

NIST 800-171 DoD Assessment Methodology and DIBCAC

Since the DFARS 252.204-7012 went into effect in 2018, the DoD has gradually increased oversight of the Defense Industrial Base (DIB) to verify compliance.

The NIST SP 800-171 DoD Assessment Methodology (LINK) describes three assessment levels:

  • Basic: A self-assessment conducted and submitted by the contractor or subcontractor.
  • Medium: An assessment performed by the DIBCAC to verify the contractor’s documentation and review the Basic Assessment.
  • High: An assessment performed by the DIBCAC that includes verification, examination, and demonstration of the contractor’s SSP.

The DoD, through DCMA, established the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). DIBCAC assessment teams perform Medium and High assessments.

CMMC

CMMC = Cybersecurity Maturity Model Certification

CMMC is a third-party certification conducted by an approved Certified Third Party Organization (C3PAO) accredited by the CMMC Accreditation Body (CMMC-AB). Currently it is only required when 252.204-7021 is included in a contract. The CMMC model includes five maturity levels broken into processes and practices which build upon each other and include NIST SP 800-171, as shown in the figure below:

[Figure: Cyber Security Requirement (CMMC maturity levels)]

CMMC requirements will phase in through 2025, but suppliers should prepare now to undergo certification. CMMC continues to evolve and change; your organization is responsible for staying up to date. All DRS suppliers handling CUI should review the latest information, including level assessment guides, from the Office of the Under Secretary of Defense for Acquisition & Sustainment (OUSD) on CMMC located here.

Getting Help

Organizations handling CUI should appoint someone who understands information security programs and governance to design and maintain a compliant NIST SP 800-171 implementation and to prepare for CMMC. If you do not have this subject matter expertise in-house, we strongly encourage you to engage a capable external resource. DRS understands this can be challenging, and we encourage you to make the best choice for your business.

Here are two outside resources we have worked with that we have chosen to be our trusted partners in this journey:

https://strategiccyberpartners.com/

info@strategiccyberpartners.com

Strategic Cyber Partners has more than six years of experience implementing and designing risk-based information security programs based on NIST SP 800-171 for commercial entities of all sizes and industries, as well as nearly 20 years of Government and DoD experience. Contact them for a no-cost initial consult. Services include gap assessments, documentation development, security program development, training, incident and continuity planning, executive advisory services, and more.

Feature in Cybercrime Magazine

https://securedbycss.com/

CSS offers solutions on varying scales to help you assess and reach compliance with the Interim Rule and CMMC. They offer a variety of services, including policies and procedures, training, 24/7 monitoring and help desk, a compliance dashboard tool, and more.

Commercial

 

FAQ

How do I know if I'm compliant with DFARS 252.204-7012?

Organizations must have a current System Security Plan (SSP) and Plan of Action and Milestones (POA&M). Any NIST SP 800-171 controls that are not fully implemented must have an action item associated with them. Establishing these two documents, actively working on full implementation of all controls, and having a projected date of completion complies with DFARS 252.204-7012.

If I am compliant with DFARS 252.204-7012 does that mean I am ready for CMMC assessment?

No. Under CMMC, organizations may not have unimplemented controls. In addition, CMMC requires more detailed documentation and additional controls depending on the level your organization is working towards.

What do I need to do to become compliant with 7019, 7020, & 7021?

If you supply anything that is not commercial off-the-shelf (COTS) to any LDRS business unit, and to do so must handle or store CUI, you should already have completed a NIST SP 800-171 self-assessment.

Complete the NIST SP 800-171 Basic Self-Assessment (BSA)

Complete and score the NIST SP 800-171 basic self-assessment; this can be done:

  • Manually: The assessment can be completed manually following the scoring guidelines (V 1.2.1, 6/24/2020). NIST Handbook 162, NIST MEP Cybersecurity Self-Assessment Handbook for Assessing NIST SP 800-171 Security Requirements in Response to DFARS Cybersecurity Requirements, is also available here for support.
  • Via a Product or Service: Those businesses without the bandwidth or expertise to conduct and score an assessment can turn to a product that helps them execute the assessment, calculate the score, and create the assessment report needed to satisfy the requirements. Leonardo DRS has established two trusted partners, Strategic Cyber and Cyber Security Solutions, to provide support to our supply chain partners that have requested assistance. We encourage you to find the provider that best meets your business needs.

Submit to SPRS

Upload the required documentation to SPRS

Communicate with Leonardo DRS

  • Let Leonardo DRS know by completing your certs and reps.
    • Please note that if you have already submitted, you are encouraged to resubmit if your status changes.

Prepare to become CMMC Certified

  • Get educated: If you have not already, seek educational opportunities such as webinars to help you further understand and conquer CMMC.
  • Stay informed: CMMC is a growing and changing program. It is important to stay up to date on news regarding CMMC so that you and your organization are prepared.
  • Lay a foundation: Determine a plan to establish the processes and procedures required to reach your desired CMMC level, starting with the 110 requirements outlined in NIST SP 800-171 if you have not already. You can do this internally, or bring in external resources to assist you as noted above. We recommend being diligent when bringing on external resources, as many are becoming available as CMMC is rolled out. Remember that CMMC assessors will need to be a C3PAO approved by the CMMC-AB.
  • Communicate: Let us know if you have questions or are still struggling by reaching out to your local supply chain representative. We understand that this is a challenge and we will do what we can to assist you as a Leonardo DRS supplier.


How do you upload documents to SPRS?

Leonardo DRS is not able to help you set up or navigate the SPRS system. SPRS has a “Quick Entry Guide” specifically for NIST SP 800-171. Please note you will need a Commercial and Government Entity (CAGE) Code here, and a Procurement Integrated Enterprise Environment (PIEE) account. To access PIEE you will need a SAM account, and to get a SAM account you will need a DUNS number.

Can I edit my assessment once it has been submitted?

Yes. Assessments can be edited after being submitted as your NIST SP 800-171 control implementation status changes.

What is Controlled Unclassified Information (CUI)?

Controlled Unclassified Information (CUI): According to the Office of the Under Secretary of Defense for Acquisition & Sustainment CMMC FAQ website, “CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. A CUI Registry provides information on the specific categories and subcategories of information that the Executive branch protects. The CUI Registry can be found at: www.archives.gov/cui and www.dodcui.mil/Home/DoD-CUI-Registry/ and includes the following organizational index groupings:

  • Critical Infrastructure
  • Defense
  • Export Control
  • Financial
  • Immigration
  • Intelligence
  • International Agreements
  • Law Enforcement
  • Legal
  • Natural and Cultural Resources
  • NATO
  • Nuclear
  • Privacy
  • Procurement and Acquisition
  • Proprietary Business Information
  • Provisional
  • Statistical
  • Tax

Resources, including online training to better understand CUI, can be found on the National Archives’ website as well as the Department of Defense’s website.

What is Federal Contract Information (FCI)?

Federal Contract Information (FCI): FAR 52.204-21 defines Federal Contract Information as “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.”

What is the difference between CTI and CUI?

CUI stands for Controlled Unclassified Information, and CTI stands for Controlled Technical Information. CTI is a form of CUI. CUI can encompass more than just CTI, such as Naval Nuclear Propulsion Information (NNPI) and Export Controlled Unclassified Information such as ITAR and EAR, whereas CTI is technical information that needs to be protected but may not fall into other categories. It may come in the form of engineering data, drawings, lists, specifications, standards, etc. For Leonardo DRS, CTI is information that has a specific military or space application and is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. CUI is not limited to the examples listed here.

Does this apply to foreign suppliers?

If any of the aforementioned DFARS clauses (…7012, 7019, 7020, 7021) have been flowed down through your contract with DRS, they apply to you and may apply to your suppliers regardless of your geographical location.

Does DFARS 252.204-7012 apply to me?

If 7012 has been flowed down to you, it applies to you. The same is true for any other DFARS clause.

How do I know if I need to flow down the DFARS to my suppliers?

If CUI is being shared, flow down must occur.

What CMMC level does my organization need?

This depends on the type of information you store, process, and transmit and how your organization handles it. If your organization handles and will continue to handle CUI in the future, then CMMC Level 3 will likely be most applicable.
 

How can my organization be CMMC certified?

You will need to be assessed and certified by a Certified Third Party Organization (C3PAO), which must be accredited by the CMMC Accreditation Body (CMMC-AB).
 

When will CMMC be required?

DFARS 252.204-7021 will be phased into DoD contracts through 2025. We are encouraging all of our applicable suppliers to seek CMMC Level 3 certification or higher as soon as possible, since inability to be certified can have grave consequences, including loss of business from LDRS.

Why was CMMC added in addition to NIST SP800-171?

The DoD has made cybersecurity a foundational requirement in acquisitions and is moving to a model that validates suppliers have implemented mature cybersecurity programs to protect CUI. The CMMC provides the framework and methods to validate that DoD suppliers are protecting information as required.
 

I am a subcontractor on a DoD contract; do I need to be CMMC certified?

If a DIB company does not possess, store, or transmit CUI but possesses Federal Contract Information (FCI), it is required to meet FAR clause 52.204-21 and must be certified at a minimum of CMMC Level 1. Companies that solely produce Commercial-Off-The-Shelf (COTS) products do not require a CMMC certification.
 

How far down the supply chain are CMMC Certifications required?

As far down as CUI is being shared. If the DoD contract has a CMMC requirement and the product being provided is not COTS, it is likely that the supplier providing that good will need a CMMC certification regardless of their level in the supply chain.

Who is excluded from CMMC and DFARS 252.204-7021?

The interim rule states:

“DFARS clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, is included in all solicitations and contracts, including those using Federal Acquisition Regulation (FAR) part 12 commercial item procedures, except for acquisitions solely for commercially available off-the-shelf (COTS) items.”

How often does my organization need to be reassessed?

CMMC certifications will be valid for three years unless otherwise noted in the contract.

Helpful Links

General

Small Business Focused