REPORTING A CYBERSECURITY INCIDENT
In accordance with DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, subcontractors, including vendors and consultants, are required to rapidly report cyber incidents within 72 hours of discovery directly to the Department of Defense (DoD) at https://www.dc3.mil/Missions/DIB-Cybersecurity/DIB-Cybersecurity-DCISE/. Subcontractors must also provide the incident report number, automatically assigned by DoD, to General Dynamics Land Systems as soon as practical.
In the event of a Cybersecurity Incident:
Access: DoD-Defense Industrial Base (DIB) Collaborative Information Sharing Environment (DCISE)
Fill out your reporting information as you do in the current portal, with one additional step: the site generates an .xml file for you to download, which you must submit to DC3 via encrypted email or DoD SAFE in order to comply with the DFARS reporting requirement. DC3 will respond to confirm receipt and provide an incident number and a copy of the ICF in .txt format for reference. Note that access to the DoD reporting portal requires a DoD-approved medium assurance certificate, so obtain one before an incident occurs rather than during the 72-hour reporting window.
In addition, notify your GDLS Buyer and the GDLS Security team at [email protected] or 586-825-8646. Include a detailed report of the incident with the following, as available:
- Date and time the event took place
- Summary of the event and how it was detected
- Detector's name, email, and phone number
- Scope (functional impact, informational impact, and recoverability impact) of the incident
- Severity of the incident
- Method of detection
Defense Federal Acquisition Regulation Supplement (DFARS)
252.204-7008 Compliance with Safeguarding Covered Defense Information (Oct 2016)
All solicitations, including solicitations using FAR part 12 procedures for the acquisition of commercial items, except for solicitations solely for the acquisition of commercially available off-the-shelf (COTS) items
252.204-7009 Limitation on the Use or Disclosure of Third Party Contractor Reported Cyber Incident Information (Oct 2016)
All solicitations and contracts, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial items, for services that include support for the Government’s activities related to safeguarding covered defense information and cyber incident reporting
252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting (Oct 2016)
All solicitations and contracts, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial items, except for solicitations and contracts solely for the acquisition of COTS items
252.239-7009 Representation of Use of Cloud Computing (Sept 2015)
All solicitations, including solicitations using FAR part 12 procedures for the acquisition of commercial items, for information technology services
252.239-7010 Cloud Computing Services (Oct 2016)
All solicitations and contracts, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial items, for information technology services
NIST SP 800-171 Security Requirements for Protecting Controlled Unclassified Information (CUI)
NIST SP 800-171 defines the security requirements for protecting Controlled Unclassified Information (CUI) in non-federal information systems and organizations. Generally, Department of Defense contractors, except COTS suppliers, are required to implement these security requirements on any system that processes, stores or transmits CUI.
252.204-7019 Notice of NIST SP 800-171 DoD Assessment Requirements
All solicitations and contracts, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial items, except for solicitations and contracts solely for the acquisition of COTS items
252.204-7020 NIST SP 800-171 DoD Assessment Requirements
Suppliers must have a current NIST SP 800-171 self-assessment score posted in the Supplier Performance Risk System (SPRS).
252.204-7021 Cybersecurity Maturity Model Certification Requirement
For all solicitations with the DFARS clause on CMMC, contractors must be certified at the required CMMC level at time of award.
DRAFT NIST SP 800-171 Rev. 3 Security Requirements for Protecting Controlled Unclassified Information (CUI)
Draft release of NIST SP 800-171 Rev. 3. This update to NIST SP 800-171 represents over one year of data collection, technical analyses, customer interaction, redesign, and development of the security requirements and supporting information for the protection of Controlled Unclassified Information (CUI).
Cybersecurity Maturity Model Certification (CMMC)
OVERVIEW
All DoD contractors and subcontractors with access to Federal Contract Information (FCI) or CUI will have their cybersecurity posture assessed at a level from 1 to 3. The Department of Defense will use the same scale to stipulate in solicitations the CMMC level required.
CMMC level 1 will be a minimum contractual requirement for all suppliers. In order for a supplier to process, store or transmit CUI, it must be certified at least at CMMC level 2.
Companies that solely produce Commercial-Off-The-Shelf (COTS) products do not require a CMMC certification.
Additional information regarding DoD’s CMMC 2.0 is available at:
SUPPLIER IMPACT
Certification of cybersecurity compliance will be required for suppliers to do business with General Dynamics Land Systems and the U.S. DoD, unless the supplier solely provides COTS. The CMMC program is led by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)), and CMMC levels will be tracked by DoD. All companies except COTS suppliers will require a CMMC level from 1 to 3, and DoD solicitations may restrict the use of suppliers below a specified CMMC level; as noted above, processing, storing or transmitting CUI requires at least CMMC level 2.
Suppliers will be responsible for sourcing, scheduling and reporting their CMMC assessments; where a third-party assessment is required, it must be performed by an accredited CMMC Third-Party Assessment Organization (C3PAO).