Cybersecurity for Suppliers
THE NEED FOR CYBERSECURITY THROUGHOUT OUR SUPPLY CHAIN
The threats facing industry’s ability to adequately safeguard its critical infrastructure are escalating dramatically. Hacking tools that require little or no skill to execute are increasingly available online, lowering the barrier of entry for bad actors and increasing their capabilities. Cybersecurity attacks are complex and often go undetected.
Additionally, DoD policy states that “cybersecurity be fully considered and implemented in all aspects of acquisition programs across the life cycle and responsibility for cybersecurity extends to all members of the acquisition workforce.”
General Dynamics Ordnance and Tactical Systems is committed to a proactive and compliant cybersecurity approach to safeguarding our networks, information, and systems. Below are resources for our suppliers on federal regulations and how to report cybersecurity incidents.
Federal Acquisition Regulation (FAR):
This clause is applicable to all solicitations and contracts when a contractor or subcontractor at any tier may have federal contract information residing in or transiting through its information systems, including commercial items other than commercially available off-the-shelf items (COTS).
- Requires basic safeguarding requirements and procedures to protect covered contractor information systems
- Imposes 15 categories of security controls focused on safeguarding contractor systems that process, store or transmit Federal contract information
- Although not specifically stated, contractors in compliance with the more expansive NIST SP 800-171 security controls will presumably be in compliance with the FAR requirements
- Applicable to all solicitations and contracts when a contractor or subcontractor at any tier may have federal contract information residing in or transiting through its information systems. Does not apply to contracts or subcontracts for COTS.
Defense Federal Acquisition Regulation Supplement (DFARS):
| Clause | Applicability |
|---|---|
| 252.204-7008 Compliance with Safeguarding Covered Defense Information | All solicitations, including solicitations using FAR part 12 procedures for the acquisition of commercial items, except for solicitations solely for the acquisition of commercially available off-the-shelf (COTS) items |
| 252.204-7009 Limitation on the Use or Disclosure of Third Party Contractor Reported Cyber Incident Information | All solicitations and contracts, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial items, for services that include support for the Government's activities related to safeguarding covered defense information and cyber incident reporting |
| 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting | All solicitations and contracts, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial items, except for solicitations and contracts solely for the acquisition of COTS items |
| 252.239-7009 Representation of Use of Cloud Computing | All solicitations, including solicitations using FAR part 12 procedures for the acquisition of commercial items, for information technology services |
| 252.239-7010 Cloud Computing Services | All solicitations and contracts, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial items, for information technology services |
FLOW-DOWN CLAUSES TO GENERAL DYNAMICS SUPPLIERS
The applicable flow-down clauses are included in General Dynamics Ordnance and Tactical Systems terms and conditions for its suppliers. The standard terms and conditions are available at the following link: https://www.gd-ots.com/suppliers/supply-chain-legacy/
REPORTING A CYBERSECURITY INCIDENT
In accordance with DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting, subcontractors, including vendors and consultants, are required to rapidly report cyber incidents within 72 hours of discovery to the General Dynamics Ordnance and Tactical Systems Buyer point of contact and directly to the Department of Defense (DoD) at https://dibnet.dod.mil/portal/intranet/. This includes providing the incident report number, automatically assigned by DoD, to General Dynamics Ordnance and Tactical Systems as soon as practical.
ACHIEVING CYBERSECURITY COMPLIANCE – OTHER HELPFUL CYBERSECURITY REFERENCES:
Department of Defense (DoD):
- DoD: Small Business Cybersecurity
- DoD Procurement Toolbox
- Network Penetration Reporting and Contracting for Cloud Services (2013-D018)
Cybersecurity Maturity Model Certification (CMMC):
Department of Homeland Security (DHS):
- DHS: Cybersecurity
- US-Cert: Resources for Small and Midsize Businesses (SMB)
- DHS: Stop.Think.Connect. Campaign
- Cyber Resilience Review (CRR)
Defense Information Systems Agency (DISA):
Federal Bureau of Investigation (FBI):
Federal Communications Commission (FCC):
Federal Trade Commission (FTC):
General Services Administration (GSA):
National Archives Information Security Oversight Office
National Institute of Standards and Technology:
- NIST: Cybersecurity Framework
- NIST: Commission on Enhancing National Cybersecurity
- NIST: Computer Security Resource Center
- NIST: CUI Plan of Action Template
- NIST: CUI SSP Template
- NIST 800-171 Rev. 2
Small Business Administration:
Your Mission is Our Mission.
General Dynamics Ordnance and Tactical Systems is a global aerospace and defense company. We are committed to providing the U.S. military and its allies with an extensive range of overarching products that provide a cutting-edge advantage to our war fighters. A General Dynamics Company.