The Defense Industry is governed by strict trade, acquisition, and cyber security regulations and policies. Compliance with these regulations is mandatory for the award of business opportunities and new contracts, and for successful program execution. GDLS must ensure that we can conduct business with our suppliers accordingly.
Cyber Security
Safeguarding Covered Defense Information and Cyber Incident Reporting
The U.S. Department of Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 “Safeguarding Covered Defense Information and Cyber Incident Reporting” requires contractors and subcontractors to provide adequate security on all covered contractor information systems in accordance with security requirements in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Non-federal Information Systems and Organizations”.
Suppliers that conduct business with GDLS may be required to process, store or transmit Covered Defense Information (CDI) or Controlled Unclassified Information (CUI). Therefore, GDLS collects information regarding implementation of cyber security as it relates to DFARS 252.204-7012. The requirement is applicable to activities supporting U.S. Government contracts. The information is being collected to support current and/or future contract requirements.
As of November 30, 2020, the US Department of Defense (DoD) Contracting Officers must include the new DFARS 252.204-7019 “Notice of NIST SP 800-171 DoD Assessment Requirements” and DFARS 252.204-7020 “NIST SP 800-171 DoD Assessment Requirements” clauses in all solicitations and contracts, with certain exceptions (including solicitations or contracts solely for the acquisition of Commercial-Off-The-Shelf (COTS) items). Pursuant to DFARS 252.204-7020, prime contractors such as GDLS may not award a subcontract or purchase order that contains NIST SP 800-171 security requirements (in accordance with DFARS 252.204-7012), unless the supplier has:
a. Completed at least a Basic Assessment in accordance with NIST SP 800-171 DoD Assessment Methodology within the last three (3) years for all Covered Contractor Information systems; and
b. Submitted the Basic Assessment with its summary level scores and other information required by paragraph (d) of DFARS 252.204-7020, directly into the US Government’s Supplier Performance Risk System (SPRS).
Reference: Department of Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting. An electronic copy of NIST SP 800-171 is available for free download at:
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r1.pdf