Cybersecurity
Synopsis
- Requires basic safeguarding requirements and procedures to protect covered contractor information systems.
- Imposes 15 categories of security controls focused on safeguarding contractor systems that process, store or transmit Federal contract information per DFAR 252.204-7012 and NIST SP 800-171.
- Applicable to all solicitations and contracts when a contractor or subcontract at any tier may have federal contract information residing in or transiting through its information systems. Does not apply to contracts or subcontracts for COTS.
Reporting a Cybersecurity Incident
In accordance with DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting, subcontractors, including vendors and consultants, are required to rapidly report cyber incidents within 72 hours of discovery directly to Department of Defense (DoD) at https://dibnet.dod.mil/portal/intranet/ . This includes providing the incident report number, automatically assigned by DoD and to General Dynamics Land Systems as soon as practical.
In addition, please notify your GDLS Buyer and the GDLS Security team at [email protected] or 586-825-8646. Please include a detailed report of the incident including the following, as able:
- Date and Time of when the Event took place
- Summary on the Event and how it was detected
- Detectors name, email, and phone number
- Scope (Functional Impact, Informational Impact, and Recoverability Impact) of the Incident
- Severity of the Incident
- Method of detection
Defense Federal Acquisition Regulation Supplement (DFARS)
252.204-7008 Compliance with Safeguarding Covered Defense Information (Oct 2016)
All solicitations, including solicitations using FAR part 12 procedures for the acquisition of commercial items, except for solicitations solely for the acquisition of commercially available off-the-shelf (COTS) items
252.204-7009 Limitation on the Use or Disclosure of Third Party Contractor Reported Cyber Incident Information (Oct 2016)
All solicitations and contracts, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial items, for services that include support for the Government’s activities related to safeguarding covered defense information and cyber incident reporting
252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting (Oct 2016)
All solicitations and contracts, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial items, except for solicitations and contracts solely for the acquisition of COTS items
252.239-7009 Representation of Use of Cloud Computing (Sept 2015)
All solicitations, including solicitations using FAR part 12 procedures for the acquisition of commercial item, for information technology services
252.239-7010 Cloud Computing Services (Oct 2016)
All solicitations and contracts, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial item, for information technology services
NIST SP 800-171 Security Requirements for Protecting Controlled Unclassified Information (CUI)
NIST SP 800-171 defines the security requirements for protecting Controlled Unclassified Information (CUI) in non-federal information systems and organizations. Generally, Department of Defense contractors, except COTS suppliers, are required to implement these security requirements
252.204-7019 Notice of NIST SP 800-171 DoD Assessment Requirements.
All solicitations and contracts, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial items, except for solicitations and contracts solely for the acquisition of COTS items
252.204-7020 NIST SP 800-171 DoD Assessment Requirements.
Suppliers must submit cyber self-assessment into the Supplier Performance Risk System (SPRS) against NIST 800-171
252.204-7021 Cybersecurity Maturity Model Certification Requirement.
DRAFT NIST SP 800-171 Rev. 3 Security Requirements for Protecting Controlled Unclassified Information (CUI)
For all solicitations with DFARS clause on CMMC, contractors must be certified at the required CMMC level at time of award.
Draft release of the NIST SP 800-171 Rev. 3. This update to NIST SP 800-171 represents over one year of data collection, technical analyses, customer interaction, redesign, and development of the security requirements and supporting information for the protection of Controlled Unclassified Information (CUI).
Cybersecurity Maturity Model Certification (CMMC)
Overview
All DoD contractors and subcontractors with access to FCI or CUI will have their cyber acumen scored on a scale of 1 to 3. The Department of Defense will use the same scale to stipulate in solicitations the CMMC level required.
CMMC level 1 will be a minimum contractual requirement for all suppliers. In order for a supplier to process, store or transmit CUI, it must be certified at least at CMMC level 2.
Companies that solely produce Commercial-Off-The-Shelf (COTS) products do not require a CMMC certification.
Additional information regarding DoD’s CMMC 2.0 is available at:
Supplier Impact
Certification of cybersecurity compliance will be required for suppliers to do business with General Dynamics Land Systems and the U.S. DoD, unless the supplier solely provides COTS. Certification of cybersecurity compliance is led by the Office of Under Secretary of Defense for Acquisition and Sustainment, and CMMC scores will be tracked by the DoD. Again, all companies will require a CMMC rating from 1 to 3 (except COTS suppliers), and DoD solicitations may restrict the use of suppliers below a specified CMMC level. In order for a supplier to process, store or transmit CUI, it must be certified at least at CMMC level 2.
Suppliers will be responsible for sourcing, conducting and reporting their CMMC audits via accredited third-party entities.
