Supplier Cybersecurity
General Atomics is dedicated to safeguarding critical industry information and responding vigilantly to the growing threats posed to our customers. It is our responsibility to keep information in the right hands. As adversaries increase the frequency and effectiveness of their attacks, it is vital for the U.S. Government (USG) and all members of the Defense Industrial Base (DIB) to proactively protect Federal Contract Information (FCI), Controlled Unclassified Information (CUI) and Covered Defense Information (CDI).
As required by our Supplier Code of Conduct, Suppliers are expected to take all appropriate measures to combat the increasing frequency of cyberattacks. This includes implementing the required controls and processes necessary to safeguard information under their control as well as reporting and mitigating any compromise of systems or information.
Preparing for the Cybersecurity Maturity Model Certification (CMMC)
Is your company ready for the CMMC?
The Department of Defense (DoD) Chief Information Officer (CIO) recognizes that security is foundational to acquisition, on par with cost, schedule, and performance. The DoD is committed to working with the DIB to enhance the protection of controlled unclassified information (CUI) within the supply chain.
On August 15, 2024, the DoD published the proposed rule amending 48 CFR Parts 204, 212, 217 and 252 providing guidance to contracting officers and implementing the contractual requirements related to the Cybersecurity Maturity Model Certification (CMMC) 2.0 program. CMMC 2.0 provides a framework for assessing contractor implementation of cybersecurity requirements and enhancing the protection of unclassified information within the DoD supply chain.
Proposed changes to the existing Defense Federal Acquisition Regulation Supplement (DFARS) include:
- add references to the CMMC 2.0 program requirements proposed at 32 CFR part 170 to DFARS 252.204-7021;
- add definitions for controlled unclassified information (CUI) and DoD unique identifier (DOD UID) to the subpart to DFARS 252.204-7021;
- establish a solicitation provision (252.204-7YYY) and prescription; and
- revise the existing clause language (252.204-7021) and prescription.
The proposed rule's revisions to DFARS 252.204-7021, "Cybersecurity Maturity Model Certification Requirements", create additional requirements for contractors and subcontractors including:
- Obtain a CMMC certificate from a CMMC Third-Party Assessment Organization (C3PAO) or a CMMC self-assessment for each contractor information system that will process, store, or transmit FCI or CUI prior to award and throughout performance of the contract
- Complete in SPRS, and maintain annually or whenever compliance status changes, an affirmation by an Affirming Official of continuous compliance with the security requirements at 32 CFR part 170 for each information system that will process, store, or transmit FCI or CUI during performance of the contract
- Notify the Contracting Officer within 72 hours when there are any lapses in information security or changes in the status of CMMC certificate or self-assessment during performance of the contract
- Confirm that subcontractors complete and maintain, annually or whenever their status changes, an affirmation of continuous compliance with the security requirements associated with the CMMC level required for the subcontract
GA Suppliers that handle FCI, CDI or CUI will be required to implement, and maintain for the life of the subcontract, the CMMC level commensurate with the type of information being handled. The CMMC level required under the subcontract will be flowed down to suppliers in accordance with the proposed rule.
The proposed rule indicates that CMMC will follow a phased-in approach. During the initial three years following the final rule's effective date, the information collection requirements will impact contractors only when the solicitation or contract requires an offeror to have a specific CMMC level. These refer to contracts for which the CMMC Program Office directs DoD component program offices to include a CMMC requirement. By the fourth year, the information collection requirements in the solicitation provision and contract clause will impact all DoD contracts when there will be a requirement to process, store or transmit FCI or CUI.
In October 2024, the final 32 Code of Federal Regulations (CFR) 170 was also published. This begins the market rollout of CMMC (where DIB companies can obtain their certification(s) prior to contractual obligation).
IDENTIFY FCI, CUI and CDI
Proper identification and handling of FCI, CUI and CDI are critical components of any Cybersecurity program. Federal regulations mandate specific security controls based on the type of information a Supplier possesses or creates. Suppliers may be provided FCI, CUI and CDI as a requirement of order performance or create it themselves. In either case, Suppliers must ensure that the information retains its identification and appropriate markings. Definitions for FCI, CUI and CDI are outlined in their respective regulations.
CUI and CDI require a higher standard of protection and care than FCI.
PROTECT Information
GA Suppliers must take measures to protect information provided by, or created on behalf of GA. This means applying adequate security for all 'Covered Contractor Information Systems,' or information systems that process, store, or transmit FCI, CUI or CDI.
Adequate security refers to protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of, information. These measures are outlined in FAR 52.204-21 and DFARS 252.204-7012 and are derived from National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations". To facilitate the road to compliance, NIST offers a free System Security Plan (SSP) template.
Suppliers subject to DFARS 252.204-7020 must conduct or undergo a Cybersecurity assessment in accordance with the NIST SP 800-171 DoD Assessment Methodology. Suppliers must verify that the score of their completed assessment is posted to the Supplier Performance Risk System (SPRS) prior to receiving awards containing this clause.
When these clauses apply to GA solicitations or Orders, GA will seek confirmation of your compliance with these requirements using SAP Ariba® and/or other appropriate methods.
The DIB Sector Coordinating Council (SCC) has established the DIB SCC CyberAssist website to provide trusted resources that support DIB companies and Suppliers of varying sizes in implementing cyber protections and that improve awareness of cyber risks, regulations, and supply chain accountability.
REPORT Cybersecurity Incidents
GA Suppliers, in accordance with their contractual commitments, are to notify their Purchasing Representative within 72 hours if they experience a Cybersecurity incident. Suppliers subject to DFARS 252.204-7012 must report Cybersecurity incidents to the DIBNet Portal within 72 hours of discovery; a Medium Assurance Certificate is required to submit the report. The DoD will then assign an incident number, which must be provided to GA. Suppliers must abide by instructions provided by the DoD or GA, when applicable, and preserve and protect images of affected systems and data. All information related to, or suspected to be related to, the incident should be preserved in case further analysis or access is requested by the DoD.