Supplier Cybersecurity
General Atomics (GA) is dedicated to safeguarding critical industry information and responding vigilantly to the growing threats posed to our customers. It is our responsibility to keep information in the right hands.
As required by our Supplier Code of Conduct, Suppliers are expected to take all appropriate measures to combat the increasing frequency of cyberattacks. This includes implementing the required controls and processes necessary to safeguard information under their control as well as reporting and mitigating any compromise of systems or information.
The Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC)
The Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) program rule became effective on November 10, 2025, and amended DFARS Parts 204, 212, 217, and 252 to incorporate requirements from 32 CFR Part 170. CMMC is the DoD framework for assessing contractor implementation of cybersecurity requirements aimed at enhancing the protection of unclassified information within the DoD supply chain.
The final rule formally implements DFARS clause 252.204-7021, “Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirements”. This clause requires contractor compliance and, when applicable, is a mandatory flowdown to subcontractors. DoD contractors and subcontractors subject to CMMC are required to, at a minimum:
- Obtain and maintain a CMMC status (self-assessment or third-party certification) at the level specified by their customer and commensurate with the type of information they will handle, and
- Maintain self-assessment scores and/or any third-party certification in the Supplier Performance Risk System (SPRS), and
- Affirm continuing compliance annually, and
- Update SPRS upon any material change in cybersecurity posture, and
- Flow down CMMC requirements to subcontractors, as applicable, and oversee and document subcontractor compliance.
Note that compliance must be maintained throughout contract performance.
CMMC will be implemented through a phased approach. During the first three (3) years, requirements will apply only where specified in solicitations or contracts. After that, requirements are expected to apply broadly to all DoD contracts involving FCI, CDI, or CUI. In parallel, 32 CFR Part 170 has been finalized, enabling DIB companies to obtain certification ahead of contractual requirements. We encourage our Valued Suppliers to seek certification soon if CMMC requirements will apply to them.
IDENTIFY FCI, CUI and CDI
Proper identification and handling of FCI, CUI, and/or CDI are critical components of any Cybersecurity program. Federal regulations mandate specific security controls based on the type of information a Supplier possesses or creates. Suppliers may receive FCI, CUI and/or CDI as a requirement of Order performance, or they may create it themselves. In either case, Suppliers must ensure that the information retains its identification and appropriate markings throughout its life cycle. Definitions for FCI, CUI and CDI are outlined in their respective regulations: FCI in FAR 52.204-21, CUI in 32 CFR Part 2002, and CDI in DFARS 252.204-7012.
CUI and CDI require a higher standard of protection and care than FCI.
PROTECT Information
Adequate security refers to protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to or modification of information. These measures are set out in FAR 52.204-21 (the basic safeguarding requirements for FCI) and DFARS 252.204-7012 (which requires the security requirements of NIST Special Publication (SP) 800-171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations", for CDI). To support the road to compliance, NIST offers a free System Security Plan (SSP) template.
Suppliers subject to DFARS 252.204-7020 must conduct or undergo a Cybersecurity assessment in accordance with the NIST SP 800-171 DoD Assessment Methodology (at a minimum a Basic self-assessment, not more than three years old), while Suppliers subject to DFARS 252.204-7021 must conduct self-assessments or obtain third-party certification to demonstrate compliance. Suppliers must verify that the score of their completed assessment, any applicable certification and/or annual affirmation is posted in SPRS before handling FCI, CUI and/or CDI.
When these clauses or their respective provisions apply to GA solicitations or Orders, GA will seek confirmation of your compliance with these requirements.
The DIB Sector Coordinating Council (SCC) has established the DIB SCC CyberAssist website to provide trusted resources that support DIB companies and Suppliers of varying sizes in implementing cyber protections, and to improve awareness of cyber risks, regulations, and supply chain accountability.
REPORT Cybersecurity Incidents
GA Suppliers, in accordance with their contractual commitments, must notify their Purchasing Representative within 72 hours of discovering a Cybersecurity incident. Suppliers subject to DFARS 252.204-7012 must also report the incident to the DoD through the DIBNet portal within 72 hours of discovery; a DoD-approved medium assurance certificate is required to submit that report. The DoD will assign an incident report number, which must be provided to GA. Suppliers must follow instructions provided by the DoD or GA, when applicable, and must preserve and protect images of all known affected information systems and all relevant monitoring and packet capture data for at least 90 days from submission of the incident report, as DFARS 252.204-7012 requires, so that the DoD may request further analysis or access. All other information related to, or suspected to be related to, the incident should be preserved in the same way.