AEC DOD Suppliers Cybersecurity/CMMC Guidance
Cybersecurity attacks continue to increase in frequency and sophistication across the Defense industry. Adversaries are targeting those who possess sensitive information, including the government, prime contractors, and suppliers. It is imperative that our suppliers understand what’s at stake and recognize our shared role in protecting sensitive information and intellectual property. A single mistake or breach could cause significant consequences for our customers, our business, the Aerospace and Defense Industry, and national security.
In order to ensure that sensitive, yet unclassified, data (as defined in FAR/DFARS) passed between Government Agencies, Primes and Subcontractors is safeguarded from these potential assaults, as described above, the OUSD (Office Under Secretary of Defense) has provided guidance (see below), which led to implementation of the following FAR/DFARS regulations to protect covered contractor information systems. All defense contractors should be aware of the applicable clauses and are expected to comply with these regulations as flowed down in terms and conditions.
252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting.
KEY DEFINITIONS / OUSD GUIDANCE
Controlled Unclassified Information (CUI)
Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.
Executive Order 13556 "Controlled Unclassified Information" (the Order), establishes a program for managing CUI across the Executive branch and designates the National Archives and Records Administration (NARA) as Executive Agent to implement the Order and oversee agency actions to ensure compliance. The Archivist of the United States delegated these responsibilities to the Information Security Oversight Office (ISOO).
32 CFR Part 2002 "Controlled Unclassified Information" was issued by ISOO to establish policy for agencies on designating, safeguarding, disseminating, marking, decontrolling, and disposing of CUI, self-inspection and oversight requirements, and other facets of the Program. The rule affects Federal executive branch agencies that handle CUI and all organizations (sources) that handle, possess, use, share, or receive CUI—or which operate, use, or have access to Federal information and information systems on behalf of an agency.
CMMC Requirement for Defense Contractors (DOD) with CUI
The Cybersecurity Maturity Model Certification (CMMC) is a unified standard for implementing cybersecurity across the defense industrial base (DIB), which includes over 300,000 companies in the supply chain. The CMMC is the DoD's response to significant compromises of sensitive defense information located on contractors' information systems.
three certification levels that reflect the maturity and reliability of a company's cybersecurity infrastructure to safeguard sensitive government information on contractors' information systems. The five levels are tiered and build upon each other's technical requirements. Each level requires compliance with the lower-level requirements and institutionalization of additional processes to implement specific cybersecurity-based practices.
Who must comply with the CMMC?
All DoD contractors will eventually be required to obtain a CMMC certification. This includes all suppliers at all tiers along the supply chain, small businesses, commercial item contractors and foreign suppliers. The CMMC Accreditation Body (CMMC-AB) will coordinate directly with DoD to develop procedures to certify independent Third-Party Assessment Organizations (CP3AOs) and assessors that will evaluate companies' CMMC levels.
National Archives - Controlled Unclassified Information (CUI)
OUSD for A&S