Supply Chain Cybersecurity
Sep. 28, 2016 --
In August 2015, the Department of Defense (DoD) issued an updated interim rule that imposed significant expanded obligations on defense contractors and subcontractors with regard to the protection of unclassified Covered Defense Information (CDI) and the reporting of cyber incidents
occurring on unclassified information systems that contain such information. This interim rule, which was updated in December 2015, replaced the DoD’s prior Unclassified Controlled Technical Information (“UCTI”) Rule, imposing new baseline security standards and significantly expanding the information that is subject to safeguarding and can trigger reporting requirements. Additionally, the interim
rule implements policies and procedures for safeguarding data and reporting cyber incidents when contracting for cloud computing services.
Four main elements of the December 2015 version of the DFARS Clause 252.204-7012 include:
- Contractors have until December 2017 to be in full compliance with the requirements outlined in the clause and NIST 800-171
- Areas of non-compliance need to be reported to the DoD CIOs office within 30 days after contract award
- Contractors have 72 hours to report cyber incidents to the DoD CIO
- The cyber DFARS clause will be flowed down to all suppliers/subcontractors storing, processing and/or generating Covered Defense Information as part of contract performance
Expectations for Suppliers
- Suppliers/subcontractors are expected to be fully aware
of all applicable DFAR clauses.
- Suppliers/subcontractors must complete the cybersecurity maturity questionnaire if they process and store Lockheed Martin Sensitive Information.
- Suppliers/subcontractors must complete the DFARS/NIST questionnaire if they process and store Covered Defense Information (CDI).
- Suppliers/subcontractors must first register in Exostar and then complete the required questionnaires.
Complete the NIST 800-171 questionnaire at Exostar. Instructions are found within “Understanding Posture”
- The DoD has a FAQ which has answers to a few of the most common technical questions received by the DoD. This site will be continually updated by the DoD.
- Lockheed Martin may choose to perform a virtual validation of the supplier’s submitted cyber security maturity model questionnaire.
Frequently Asked Questions
Do I as a supplier need to notify Lockheed Martin of my compliance status on DFARS Clause 252.204-7012?
- If a supplier is non-compliant with the NIST cyber security controls outlined in the DFARS Clause 252.204-7012 dated December 2015, then the supplier must notify the DoD
CIOs office within 30 days of contract award with LMC of the areas of non-compliance. The supplier must copy Lockheed Martin through the authorized procurement representative identified in the subcontract or purchase order on the DoD notification.
What are the incident reporting requirements for suppliers?
- A supplier must report an incident within 72 hours of discovery to both 1) Lockheed Martin (e.g. Lockheed Martin Subcontract Program Manager (SPM), Buyer, or Subcontract Administrator (SCA)) and in parallel to 2) the DoD at the following DFAR directed site: DOD Dibnet. LM SPMs, buyers and/or SCAs must immediately notify the LM CIRT of supplier cyber incident reports. Please note: the cyber incident reporting requirements associated with
this DFARS Clause do not negate any additional reporting requirements found in the contract between Lockheed Martin and the supplier.
How is the cybersecurity questionnaire used by Lockheed Martin different than the actions required by DFARS Clause 252.204-7012?
- The cybersecurity questionnaire in Exostar is used as a tool to obtain a high-level understanding of a supplier’s ability to protect sensitive information and manage cyber security risk. To be clear, performing all activities outlined in the questionnaire does not satisfy the requirements associated with DFARS Clause 252.204-7012. Suppliers which store/process CDI are responsible for assessing their systems for compliance with the requirements outlined in DFARS Clause 252.204-7012.
Covered Defense Information means unclassified information that is:
A. Provided to the contractor by or on behalf of DoD in connection with the performance of the contract; or
B. Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract
Covered Defense Information falls in any of the following categories:
A. Controlled technical information*
B. Critical information (operations security). Specific facts identified through the Operations Security process about friendly intentions, capabilities, and activities vitally needed by adversaries for them to plan and act effectively so as to guarantee failure or unacceptable
consequences for friendly mission accomplishment (part of Operations Security process).
C. Export control. Unclassified information concerning certain items, commodities, technology, software, or other information whose export could reasonably be expected to adversely affect the United States national security and nonproliferation objectives. To include dual use items; items identified in export administration regulations, international traffic in arms regulations and munitions list; license applications; and sensitive nuclear
D. Any other information, marked or otherwise identified in the contract, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government wide policies (e.g., privacy, proprietary business information).
*Controlled Technical Information
Controlled technical information means technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Controlled technical information is to be marked with one of the distribution statements B through F, in accordance with DoD Instruction 5230.24, Distribution Statements on Technical Documents. The term does not
include information that is lawfully publicly available without restrictions.