We are steadfast in our commitment to working with our suppliers to keep sensitive information safe, secure and out of the hands of those who would use it to endanger global security.
Cybersecurity Maturity Model Certification (CMMC)
Independent 3rd Part Certification Requirements:
CMMC Level certification requirements for parts and services
Beginning in 2020, CMMC requirements will be required in select contracts. Full implementation will begin in 2021 with expectations to be required in all contracts by 2026. When required in contracts issued by DoD, Sellers of each part/service throughout the supply chain must be CMMC certified at or above the required CMMC level.
Utilized to flow CMMC requirements to our suppliers
“Notional Example of Possible Contractual Requirements that Raytheon may utilize flow CMMC requirements to suppliers. These are subject to change pending release of CMMC requirements into contracts and Raytheon’s review of those requirements.”
In 2020, the Department of Defense (DoD) will mandate cyber certification (known as CMMC) for all suppliers who support DoD contracts. This certification will eliminate self-attestation and require an independent 3rd party certification based on five levels. The CMMC levels will be used as a “go” or “no go” criteria to bid on or receive contracts. All Defense Industrial Base (DIB) companies must comply with CMMC, not just companies handling Controlled Unclassified Information (CUI). We along with our industry peers are working closely with the government throughout the development of the CMMC program.
Suppliers can start to prepare for CMMC by ensuring their compliance to DFARS 252.204-7012 and NIST SP 800-171 and by ensuring that your suppliers are aware of the CMMC effort and encourage them to become educated on it.
In order to stay current with the updates on this program, suppliers are encouraged to frequently check the Office of the Under Secretary of Defense for Acquisition and Sustainment CMMC website.
To assist suppliers in preparing for the upcoming CMMC requirements the Defense Industrial Base (DIB) Sector Coordinating Council (SCC) launched a new CyberAssist Website to provide trusted resources for short and long term cyber resiliency within the supply chain. Resources include guides, standards, sample policies and procedures, videos, example tools, lessons learned, and other helpful information. Users can simply click on a security control family and be directed to a list of resources to help with successful implementation and assessment. This website will also serve as a platform to share awareness, threats, best practices, tools and other resources from industry peers, government groups and initiatives.
Supplier Annual Certification CR-003
Our annual supplier certification (CR-003) includes a question about your company’s ability to handle Covered Defense Information (CDI) in compliance with the cyber DFARS clause 252.204-7012. For an accurate response, we recommend checking with your IT Security professionals and legal counsel. It is our policy to only share CDI with suppliers who have assured us that they are capable of handling it. Going forward, we will also be asking your company to confirm that you have System Security Plans (SSPs). For more information on SSPs and requirements of the cyber DFARS clause, please consult the various links and articles on this website.
Together with our suppliers, we play a shared role in securing our global supply chain.
On October 21, 2016, the DOD published the Final Rule for DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. It represents DoD’s efforts to prevent improper access to important unclassified information in the supply base. The DFARs clause contains the following main requirements:
Contractors must provide adequate security for “covered contractor information systems,” to include implementing the security controls of National Institute of Standards and Technology (NIST) SP 800-171 as required. A "covered contractor information system" is an unclassified information system that is owned, or operated by or for, a contractor and that processes, stores, or transmits covered defense information.
Cyber Incident Reporting
Contractors must report cyber incidents to the DoD at https://dibnet.dod.mil within 72 hours of discovery, and subcontractors must provide the incident report number, automatically assigned by DoD, to the prime Contractor (or next higher-tier subcontractor) as soon as practicable. Contractors must also conduct a review for evidence of compromise, isolate and submit malicious software in accordance with instructions provided by the Contracting Officer, preserve and protect images of all known affected information systems and relevant monitoring/packet capture data for at least 90 days for potential DoD review, and provide DoD with access to additional information or equipment that is necessary to conduct a forensic analysis.
This DFARS clause must be flowed down in any subcontracts or similar contractual instruments in which subcontract performance will involve covered defense information or operationally critical support. The clause must be flowed down without alteration, except to identify the parties. The full DFARS clause can be found in its entirety under Related Links. Together, the threats we face necessitate that we work together to minimize risk, protect our sensitive information, and safeguard our global security. If you have any questions or would like additional information, please contact email@example.com.
Frequently Asked Questions
A: Covered Defense Information is unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry at www.archives.gov/cui/registry/category-list.html, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and government-wide policies, and is:
- Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or
- Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.
A: A covered contractor information system is an unclassified information system that is owned, or operated by or for, a contractor and that processes, stores, or transmits covered defense information.
A: National Institute of Standards and Technology (NIST) released special Publication 800-171 Revision 1, Protecting Controlled Unclassified Information in Non-Federal Information Systems and Organizations, in December 2016. This document can be found under Related Links. Some of the changes include generalizing "information systems" to "systems" and formalizing the requirement of a System Security Plan ("SSP").
A SSP, as defined by the NIST 800-171 Revision 1, is a document that describes how an organization meets the security requirements for a system or how an organization plans to meet the requirements. In particular, the system security plan describes the system boundary; the environment in which the system operates; how the security requirements are implemented; and the relationships with or connections to other systems. In addition, the NIST notes that nonfederal organizations should develop plans of action that describe how any unimplemented security requirements will be met and how any planned mitigations will be implemented. Organizations can document the system security plan and plan of action as separate or combined documents and in any chosen format.
A resource for developing SSPs and Plans of Actions can be found at Cyber Security Evaluation Tool (scroll down to C/SET).
We have developed step by step instructions to assist our suppliers (under Related Links). We provided this for informational purposes only and makes no express or implied warranties as to its content.
A: There are various resources available to assist suppliers with Cyber Security. We provided the following for information purposes only.