Covered Defense Information, including Controlled Unclassified Information
On October 21, 2016, the Department of Defense (DoD) published the final rule for Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting.” The rule is part of DoD’s ongoing effort to prevent improper access to sensitive unclassified information. Under it, contractors must provide “adequate security” for “covered contractor information systems,” which at a minimum means implementing the security requirements of National Institute of Standards and Technology (NIST) SP 800-171. A “covered contractor information system” is an unclassified information system that is owned or operated by or for a contractor and that processes, stores, or transmits covered defense information (CDI).
APL’s Annual Representations and Certifications includes questions about your company’s ability to handle CDI, a category of Controlled Unclassified Information (CUI), in compliance with the cyber DFARS clause 252.204-7012. We recommend that you consult your IT security professionals and legal counsel during the certification process.
It is our policy to share CDI only with suppliers who have assured us that they are capable of handling it. In particular, DFARS 252.204-7019 requires that a contractor have a current (not more than three years old) NIST SP 800-171 DoD Assessment score posted in the Supplier Performance Risk System (SPRS) before it can be awarded work involving CUI. DFARS 252.204-7020 requires contractors to give the Government access to conduct higher-level (Medium or High) assessments and to confirm that their own subcontractors have a current assessment posted in SPRS before awarding them subcontracts that involve CDI.
The applicable flow-down clauses are included in APL’s terms and conditions for its partner suppliers. The DFARS clauses must be flowed down in any subcontracts or similar contractual agreements in which subcontract performance will involve CDI, including CUI. These clauses must be flowed down without alteration, except to identify the parties. We appreciate your partnership in minimizing risk and safeguarding our sensitive information.
In 2023, we anticipate that the DoD Cybersecurity Maturity Model Certification (CMMC) will go into effect. APL recommends that our partners become familiar with CMMC requirements and plan for implementation well in advance.
CMMC is a certification program that reviews a company’s ability to protect federal contract information (FCI) and CUI. CMMC combines cybersecurity standards and best practices with an assessed maturity level, from basic cyber hygiene to advanced, well-documented practices. Except for companies that solely provide commercial off-the-shelf (COTS) items, DoD contractors and subcontractors must be assessed and scored against the CMMC level specified in the solicitation before handling covered information; at the higher levels, the assessment is conducted by an accredited Certified Third-Party Assessment Organization (C3PAO) that confirms the organization’s cybersecurity maturity level.
Solicitations may restrict the use of suppliers below a specified CMMC level. For a supplier to process, store, or transmit CUI, the organization must have been certified as meeting the required level before award. CMMC assessment results will be recorded by the DoD in SPRS.
Suppliers will be responsible for ensuring that their organization can meet the requirements, engaging an accredited third-party assessor, completing the assessment, and reporting the resulting CMMC level and score from the accredited assessor. The CMMC Accreditation Body is currently developing the process for issuing certifications.
We recommend that you check with your IT security professionals to prepare for CMMC compliance. Learn more about CMMC using the resources below.