Supplier Cyber Security Requirements

Leonardo DRS believes in working with customers, colleagues, and suppliers to mitigate cyber risks

Global cybercrime is expected to grow by over 15% per year over the next five years, reaching $10.5 trillion USD annually by 2025. Intellectual Property (IP) theft accounts for one of the largest slices of overall global cybercrime. The DoD is working with industry to safeguard controlled unclassified information (CUI), and to ensure products are delivered uncompromised through the implementation and flow down of DFARS 252.204-7012, 252.204-7019, 252.204-7020, and 252.204-7021.

Leonardo DRS is an active collaborator in the DIB Cyber Security Program (DIB CS) and strongly supports the mission of Deliver Uncompromised. Leonardo DRS works across the DIB with customers, colleagues, and suppliers to mitigate cyber risks through information sharing, collaborative risk mitigation, and DFARS compliance.

The Path to Compliance

If you are a Leonardo DRS supplier supporting DoD programs, are not exclusively providing COTS items, and require the receipt of Controlled Technical Information (CTI), your organization must:

  1. Be DFARS 7012 compliant (This is how:)
    Implement NIST 800-171 requirements on your information system and document an implementation strategy for each of the 110 NIST 800-171 requirements in a System Security Plan (SSP).
    Ensure the next tier subcontractors are doing the same via a Certs and Reps form attestation.
    Report unauthorized disclosure of CTI to the DIBnet within 72 hours of discovery.
  2. Have a System Security Plan (per NIST 800-171 3.12.4) (This is how:)
    Develop, document, and periodically update an SSP that describes system boundaries, how each NIST 800-171 requirement is implemented, and the relationship with or connections to other systems. If the implementation of the NIST 800-171 requirements is not complete, contractors must develop and implement plans of action via a POAM to describe when and how any unimplemented security requirements will be met.
  3. Be compliant with DFARS 7019, 7020, and 7021 (This is how:)
    At a minimum, conduct a basic assessment (self-audit) of your NIST 800-171 implementation, in accordance with the NIST SP 800-171 DoD Assessment Methodology, and upload your score into the DoD Supplier Performance Risk System (SPRS). Re-assess at least every three years and update your SPRS score accordingly.
    Ensure the next tier subcontractors are doing the same via a Certs and Reps form attestation.
    Note: 252.204-7021 Cybersecurity Maturity Model Certification (CMMC) Requirements will be phased into contracts in the coming years.
  4. Upload your basic assessment score into SPRS (This is how:)
    Create and register for a PIEE account, create a SPRS account as a Cyber Vendor User, and enter your basic assessment information. See the SPRS Quick Entry Guide for additional suppo

Let Leonardo DRS know you’re compliant by completing your Certs and Reps form. If your organization does not attest to A, B, C, and D, you may lose the ability to:

  • Receive technical program information from Leonardo DRS
  • Compete for new Leonardo DRS subcontracts

Below are outside resources we have worked with and chosen to be our trusted partners in this journey:

Strategic Cyber Partners has more than six years of experience implementing and designing risk-based information security programs, based on NIST SP 800-171, for commercial entities of all sizes and industries, as well as nearly 20 years of Government and DoD experience. Contact them for a no-cost initial consult. Services include gap assessments, documentation development, security program development, training, incident and continuity planning, executive advisory services, and more.

Feature in Cybercrime Magazine

CSS offers solutions on varying scales to help you assess and reach compliance with the DFARS interim rule and CMMC. They offer a variety of services, including policies and procedures, training, 24/7 monitoring and help desk, a compliance dashboard tool, and more.


Data Magic Computer Services provides NIST consulting for Dallas organizations. Data Magic can help you conform to the NIST cybersecurity guidelines and future regulatory requirements, and can provide long-term risk management solutions.

