Supplier Cybersecurity

General Atomics is committed to protecting and securing critical industry information and responding vigilantly to the growing threats posed to our customers. It is our duty to keep information in the right hands. Adversaries are increasing the frequency and effectiveness of their attacks requiring the U.S. Government (USG) and all members of the Defense Industrial Base (DIB) to proactively protect Federal Contract Information (FCI), Controlled Unclassified Information (CUI) and Covered Defense Information (CDI).

As required by our Supplier Code of Conduct, Suppliers will take all appropriate measures to combat the increasing frequency of cyberattacks. They will implement the controls and processes necessary to safeguard information under their control while reporting and mitigating any compromise of systems or information.

The information on this site includes updates from the DFARS interim rules released on September 29, 2020 and is subject to change pending finalization of the rules. Full text of the interim rule can be found here.

IDENTIFY FCI, CUI and CDI

Identify FCI, CUI and CDI

Proper identification and handling of FCI, CUI and CDI is a critical component of any Cybersecurity program. Federal regulations mandate specific security controls based upon the type of information a Supplier possesses or creates. FCI, CUI and CDI may be provided to Suppliers as a requirement of order performance, or it may be created by the Supplier. In either case, Suppliers must ensure that that information retains its identification and that markings are applied to derivatives. The definitions for FCI, CUI and CDI are found in their respective regulations.

CUI and CDI require a higher standard of protection and care than FCI.

PROTECT Information

GA Suppliers must take measures to protect information provided by, or created on behalf of, GA. This means applying adequate security for all 'Covered Contractor Information Systems,' or information systems that process, store, or transmit FCI, CUI or CDI.

Protect Information

Adequate security means protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information. These measures are outlined in FAR 52.204-21 and DFARS 252.204-7012 and are derived from National Institute of Standards and Technology (NIST) Special Publication (SP) SP 800-171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations". To facilitate the road to compliance, NIST offers a free System Security Plan (SSP) template.

Suppliers subject to DFARS 252-204-7020 must conduct or undergo a Cybersecurity assessment in accordance with the NIST SP 800-171 DoD Assessment Methodology. Suppliers must verify that the score of their completed assessment is posted to the Supplier Performance Risk System (SPRS) prior to receiving awards containing this clause.

When these clauses apply to GA solicitations or Orders, GA will seek confirmation of your compliance with these requirements using SAP Ariba® and/or other appropriate methods.

The DIB Sector Coordinating Council (SCC) has established the DIB SCC CyberAssist website to provide trusted resources to support DIB companies and Suppliers of varying sizes with the implementation of cyber protections, improve awareness of cyber risks, regulations, and supply chain accountability.

REPORT Cybersecurity Incidents

Report Cybersecurity Incidents

GA Suppliers, in accordance with their contractual commitments, should notify their Purchasing Representative within 72 hours if they experience a Cybersecurity incident. Suppliers subject to DFARS 252.204-7012 must report Cybersecurity incidents to the DIBNet Portal within 72 hours of discovery. Note that a Medium Assurance Certificate is required. DoD will assign an incident number which must be provided to GA. Suppliers must abide by instructions provided by the DoD or GA, when applicable; and preserve and protect images of affected systems and data. All information related to, or suspected to be related to, the incident should be preserved in the event further analysis, or access, is requested by the DoD.

 

The Future

Preparing for the Cybersecurity Maturity Model Certification (CMMC)

Is your company ready for the CMMC?

The Department of Defense (DoD) Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD A&S) recognizes that security is foundational to acquisition, on par with cost, schedule, and performance. The DoD is committed to working with the DIB to enhance the protection of controlled unclassified information (CUI) within the supply chain. On January 31, 2020, CMMC was introduced as a critical step toward meeting this goal.

The CMMC model "combines various Cybersecurity standards and best practices and maps these controls and processes across several maturity levels that range from basic cyber hygiene to advanced." Each of the five CMMC levels introduce additional security controls and processes that, when implemented, enhance the Cybersecurity posture of the organization and protect against progressively sophisticated cyber threats.

GA Suppliers that handle Federal Contract Information (FCI), CUI or Covered Defense Information (CDI, also referred to as DoD CUI) will be required to implement the CMMC at the level commensurate with the type of information being handled.

CMMC builds upon existing requirements in the Federal Acquisition Regulation (FAR) 52.204-21 "Basic Safeguarding of Covered Contractor Information Systems" and the Defense Federal Acquisition Regulations Supplement (DFARS) 252.204-7012, "Safeguarding Covered Defense Information and Cyber Incident Reporting".

The CMMC Accreditation Body (CMMC-AB) is a newly formed entity which will provide training and certification to establish certified third party assessor organizations (C3PAOs). All suppliers subject to CMMC will be required to recertify their CMMC level no less than once every three years by undergoing a Cybersecurity audit performed by a CMMC-AB certified C3PAO.

In accordance with DFARS 252.204-2021, CMMC will be implemented in phases across a limited number of contracts subject to approval from the OUSD A&S, with full implementation across the DIB by October 1, 2025.

Prepare for CMMC by reviewing the framework, available for download at https://acq.osd.mil/cmmc.draft.html.