Supplier Cyber Security Requirements

Leonardo DRS believes in working with customers, colleagues, and suppliers to mitigate cyber risks.

Global cybercrime is expected to grow by over 15% per year over the next five years, reaching $10.5 trillion USD annually by 2025. Intellectual Property (IP) theft accounts for one of the largest slices of overall global- cybercrime. The DoD is working with industry to safeguard controlled unclassified information (CUI), and to ensure products are delivered uncompromised through the implementation and flow down of DFARS 252.204-7012, 252.204-7019, 252.204-7020, and 252.204-7021.

Leonardo DRS is an active collaborator in the DIB Cyber Security Program (DIB CS) and strongly supports the mission of Deliver Uncompromised. Leonardo DRS works across the DIB with customers, colleagues, and suppliers to mitigate cyber risks through information sharing, collaborative risk mitigation, and DFARS compliance.

The Path to Compliance

If you are a Leonardo DRS supplier supporting DoD programs, you are not exclusively providing COTS items, and require the receipt of Controlled Technical Information (CTI), your organization must:

1. Be DFARS 7012 compliant (This is how:)
1. Implement NIST 800-171 requirements on your information system and document an implementation strategy for each of the 110 NIST 800-171 requirements in a System Security Plan (SSP).
2. Ensure the next tier subcontractors are doing the same via a Certs and Reps form attestation.
3. Report unauthorized disclosure of CTI to the DIBnet within 72 hours of discovery.
2. Have a System Security Plan (per NIST 800-171 3.12.4) (This is how:)
1. Develop, document, and periodically update a SSP that describes system boundaries, how each NIST 800-171 requirement is implemented, and the relationship with or connections to other systems. If the implementation of the NIST 800-171 requirements is not complete, contractors must develop and implement plans of action via a POAM to describe when and how any unimplemented security requirements will be met.
3. Be compliant with DFARS 7019, 7020, and 7021 (This is how:)
1. At a minimum, conduct a basic assessment (self-audit) of your NIST 800-171 implementation, in accordance with the NIST SP 800-171 DoD Assessment Methodology, and upload your score into the DoD Supplier Performance Risk System (SPRS). Re-assess at least every three years and update your SPRS score accordingly.
2. Ensure the next tier subcontractors are doing the same via a Certs and Reps form attestation.
   
   Note: 252.204-7021 Cybersecurity Maturity Model Certification (CMMC) Requirements will be phased into contracts in the coming years.
4. Upload your basic assessment score into SPRS (This is how:)
1. Create and register for a PIEE account, create a SPRS account as a Cyber Vendor User, and enter your basic assessment information. See the SPRS Quick Entry Guide for additional support.

Let Leonardo DRS know you’re compliant by completing your Certs and Reps form. If your organization does not attest to A, B, C, and D, you may lose the ability to:

• Receive technical program information from Leonardo DRS
• Compete for new Leonardo DRS subcontracts
   

Below are outside resources we have worked with and chosen to be our trusted partners in this journey:

	https://strategiccyberpartners.com/ info@strategiccyberpartners.com Strategic Cyber Partners has more than six years of experience implementing and designing risk-based information security programs, based on NIST SP 800-171, for commercial entities of all sizes and industries, as well as nearly 20 years of Government and DoD experience. Contact them for a no-cost initial consult. Services include gap assessments, documentation development, security program development, training, incident and continuity planning, executive advisory services, and more. Feature in Cybercrime Magazine
	https://securedbycss.com/ CSS offers solutions on varying scales to help you assess and reach compliance with the DFARS interim rule and CMMC. They offer a variety of services from policies and procedures, training, 24/7 monitoring and help desk, a compliance dashboard tool, and more. Commercial
	https://datamagicinc.com/ datamagic@datamagicinc.com Data Magic Computer Services provides NIST consulting for Dallas organizations. Data Magic can help you conform to the NIST cybersecurity guidelines, future regulatory requirements, and provide long-term risk management solutions. Commercial

Frequently Asked Questions

What is the DFARS Clause?
Effective since December 31st, 2017, DFARS Clause 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting is a Department of Defense (DoD) regulation that requires the safeguarding of Controlled Technical Information (CTI) by implementing National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. Known as the “Cyber Clause,” DFARS 7012, was created in response to increased cybersecurity threats and data breaches within the Defense Industrial Base (DIB).

What are the three main elements of the DFARS Clause 252.204-7012?

1. Safeguard CTI (technical program information) wherever it is stored or processed, in accordance with NIST SP 800-171
2. Ensure the next tier subcontractors in our Supply Chain are also doing the same, via their Certs and Reps attestation
   
   Important Note:Suppliers must attest to the following four Cybersecurity requirements (a.k.a. the 4 yes’) in the DRS Certs and Reps form:
1. Do you attest to being compliant with DFARS 252.204-7012? Y/N
2. Do you have a System Security Plan (per NIST SP 800-171 3.12.4)? Y/N
   (This question helps tests the validity of the first question.)
3. Do you attest to being compliant with DFARS 7019, 7020, and 7021? Y/N
4. Have you uploaded your basic assessment score into SPRS? Y/N
   (This question helps tests the validity of the third question.)
3. Report unauthorized disclosure of CTI to the DIBnet within 72 hours of discovery

What is Controlled Unclassified Information (CUI)?
Per the National Archives, Controlled Unclassified Information (CUI) is data that requires safeguarding and dissemination controls, in accordance with US Government laws and regulations. There are currently 20 CUI categories (and 125 subcategories) which requiring safeguarding, per the Executive Order 13556 – Controlled Unclassified Information signed by President Obama on May 7, 2008. Defense contractors should focus on thoroughly comprehending the “Defense” CUI category/subcategories, which includes Controlled Technical Information (CTI), ITAR, & EAR. CTI shall be properly marked, safeguarded, and transmitted by Defense contractors in accordance with the NIST 800-171 requirements, and compliance shall be flowed down the supply chain to subcontractors in order to deliver uncompromised products and solutions to our customers.


What is Covered Defense Information?
In accordance with DFARS 252.204-7012, Covered Defense Information (CDI) is Controlled Technical Information (CTI). CTI is information that has a specific military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. In more simpler terms, for DRS, CTI is technical program information, such as engineering designs, research, specifications, process sheets, data sets, computer software, and code.


What is the difference between CTI and CUI?
CUI stands for Controlled Unclassified Information, and CTI stands for Controlled Technical Information. CTI is a form of CUI. However, CUI can encompass more than just CTI. For example, CUI also includes Naval Nuclear Propulsion Information (NNPI) and Export Controlled Unclassified Information (such as ITAR and EAR). CTI may come in the form of engineering data, drawings, lists, specifications, standards, etc. (Note: CUI is not limited to the examples listed here.)


Does DFARS apply to foreign suppliers?
If any of the aforementioned DFARS clauses (to include 7012, 7019, 7020, 7021) have been flowed down through your contract with DRS, they apply to you and may apply to your suppliers as well if they also need to handle CUI, regardless of your geographical location.


Does DFARS 252.204-7012 apply to me?
If DFARS 252.204-7012 has been flowed down to you, it applies to you. The same is true for any other DFARS clause.


How do I know if I need to flow down the DFARS to my suppliers?
If the subcontractor/supplier must receive, store, or handle CUI during the performance of the contract, the DFARS clause for Safeguarding CUI must be flowed down to the subcontractor/supplier.


How do I know if I'm compliant with DFARS 252-204-7012?
Organizations must have a current System Security Plan (SSP) and Plan of Actions and Milestones (POAM). The POAM must list each unimplemented security requirement from NIST 800-171, to describe how and when the security requirement will be met. Please note: compliance does not require immediate implementation of all 110 NIST 800-171 security requirements, but instead should outline the path to compliance in detail.


What do I need to do to become compliant with DFARS 7019, 7020, & 7021?
If you supply anything that is not commercial off the shelf (COTS) to any Leonardo DRS business unit, and to do so must handle/store CUI, you should have already completed a NIST 800-171 self-assessment. Please see the table below for additional compliance guidance.

What is the difference between a Basic, Medium, and High assessment?
In accordance with DFARS 7020, there are three assessment levels (Basic, Medium, and High), which reflect the depth of the assessment performed and the associated level of confidence in the score resulting from the assessment. A Basic Assessment is a self-review completed by the contractor, while Medium and High Assessments are completed by the US Government.


How do I perform a basic assessment?
Basic assessments consist of a self-review of each of the 110 security requirements outlined in NIST SP 800-171, to validate that each requirement has been fully implemented, based on the contractor’s System Security Plan. The basic assessment shall be conducted in accordance with Annex A of the NIST SP 800-171 Assessment Methodology.


I've completed my basic assessment and have my score but haven't uploaded my score into SPRS. Am I still compliant?
No, in accordance with DFARS 7020, basic assessment scores must be uploaded to the SPRS in order to be in full compliance with the clause.


Does a basic assessment require a government or third-party audit of the 110 NIST 800-171 requirements?
No; the basic assessment is a self-review/inspection and self-attestation to the 110 security requirements outlined in NIST 800-171, in accordance with the DFARS 7020 clause.


Do I need a minimum basic assessment score to be compliant?
There is no minimum basic assessment score required, per DFARS 252.204-7019 Notice of NIST SP 800-171 DoD Assessment Requirements.


What's a System Security Plan (SSP)?
A SSP outlines a contractor's implementation description of the 110 security requirements outlined in NIST SP 800-171, and implementation status for each requirement. An entry on the Plan of Action & Milestones (POAM) must be made for each unimplemented security requirement, describing how and when the security requirement will be met.


What is the Supplier Performance Risk System (SPRS)?
SPRS is the official record system used by USG Contracting Office Representatives to validate DFARS compliance, and the contractor’s ability to properly safeguard CUI. The SPRS database maintains the NIST SP 800-171 basic assessment scores for Defense contractors. Please note: the NIST SP 800-171 Basic Assessment cannot be performed in SPRS, instead the Basic Assessment score/results shall be uploaded in SPRS.


How do you upload documents in SPRS?
Leonardo DRS is not able to help you set-up or navigate the SPRS system. However, SPRS has a Quick Entry Guide specifically for NIST SP 800-171 entries. You will need a Commercial and Government Facility Entity or (CAGE) and a Procurement Integrated Enterprise Environment (PIEE) account. To access PIEE, you will need a SAM Account, and to get a SAM account you will need a DUNS number.


How do I enter my score in the Supplier Performance Risk System (SPRS)?
To access the NIST SP 800-171 Assessments module, users must first be registered in the Procurement Integrated Enterprise Environment (PIEE) and be approved for access to SPRS. A SPRS Cyber Vendor User role is required for companies to enter/edit basic self-assessment information. Please navigate to the SPRS website for additional NIST SP 800-171 tutorials and related guidance.


Can I edit my assessment once it has been submitted?
Yes. Assessment scores can be edited or updated after being submitted, as the NIST SP 800-171 security requirements are being implemented by the contractor.


When will CMMC be required?
At of the time of this response, CMMC is still pending final rulemaking. DFARS 252.204-7021 will be phased into DoD contracts in the coming years. We are encouraging all of our applicable suppliers to seek CMMC level 2 certification or higher as soon as possible as inability to be certified can have grave consequences including loss of business from LDRS.


Why was CMMC added in addition to NIST SP 800-171?
The DoD has made Cybersecurity a foundational requirement in acquisitions and is moving to a model which validates that suppliers have a robust Cybersecurity posture and program. The CMMC provides the framework and methods to validate that DoD suppliers are protecting information as required.