Cybersecurity Corner

March 2021

Providing clarity on the evolving cybersecurity requirements to the Aerospace & Defense supply chain is fundamental to securing cybersecurity readiness and delivering on critical customer missions. For our industry, cybersecurity requires not only diligence – it also carries a responsibility to extend a helping hand to move suppliers forward.

We remind all suppliers to remain vigilant in addressing the widespread and recently announced software supply chain vulnerabilities regarding SolarWinds, Mimecast and Microsoft Exchange Server.

As part of Lockheed Martin’s cybersecurity readiness supplier webinar series, recent recordings and slides were made available to help you in your cybersecurity journey, whether you are in the crawl, walk, or run phase.

Additional webinars will be announced in April.

We also recommend referring to Lockheed Martin’s Supplier FAQs - Preparing for Recent DFARS Interim Rule & CMMC. Below are the most common FAQs we receive from suppliers.

1. How are Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) defined?

Federal Contract Information (FCI) is information, not intended for public release, that is provided by or generated for the government under a contract to develop or deliver a product or service to the government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments. The general assumption should be that data is at least FCI unless it is specifically labelled publicly releasable or is spelled out in the contract as publicly releasable. (Source: 48 CFR 52.204-21)

Controlled Unclassified Information (CUI) is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. (Source: 32 CFR § 2002.4)

- A DoD CUI Registry has been published and can be found here in addition to the NARA CUI Registry. Additional DoD CUI information can be found here.

  - Controlled technical information (CTI) means technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Controlled technical information would meet the criteria, if disseminated, for distribution statements B through F using the criteria set forth in DoD Instruction 5230.24, Distribution Statements on Technical Documents. The term does not include information that is lawfully publicly available without restrictions. (Source: DFARS 252.204-7012)

2. What is the expected timeline to require suppliers to be Cybersecurity Maturity Model Certification (CMMC) Level 3?

Starting November 30, 2020, DoD began to include CMMC requirements on selected prime contracts. DoD has communicated a plan for a phased rollout of CMMC through government FY2026, at which time all DoD contracts will include CMMC requirements. Contractors in receipt of these contracts (prime and subcontracts) will be required to have a current (i.e., not older than three years) certification for the required level at the time of award. Contracting Officers will not make an award or exercise an option on a contract if the contractor does not have a current certification for the required CMMC level.

3. Is there a minimum score that is required for the DFARS Interim Assessment rules to be considered for DoD contracts until CMMC is fully rolled out?

The DFARS interim assessment rule does not define a minimum score for contract award. The requirement is for the contractor to have a current Assessment (i.e., not older than 3 years) in SPRS based on the NIST SP 800-171 DoD Assessment Methodology, V1.2.1.

Prime Contracts and subcontracts with CMMC requirements that include DoD controlled unclassified information (CUI) will require CMMC Level 3 (minimum). Prime Contracts and subcontracts with CMMC requirements that do not include CUI will require CMMC Level 1 (unless the contract is only for COTS or under the FAR micro-purchase threshold).

Looking for the FAR definition of COTS and the micro-purchase threshold? Below is an extract of the current definitions from FAR 2.101:

- Micro-purchase means an acquisition of supplies or services using simplified acquisition procedures, the aggregate amount of which does not exceed the micro-purchase threshold. Micro-purchase threshold means $10,000.

- Commercially available off-the-shelf (COTS) item— (1) Means any item of supply (including construction material) that is– (i) A commercial item (as defined in paragraph (1) of the definition in this section); (ii) Sold in substantial quantities in the commercial marketplace; and (iii) Offered to the Government, under a contract or subcontract at any tier, without modification, in the same form in which it is sold in the commercial marketplace; and (2) Does not include bulk cargo, as defined in 46 U.S.C. 40102(4), such as agricultural products and petroleum products.