Cybersecurity Information
Covered Defense Information, Including Controlled Unclassified Information
On October 21, 2016, the Department of Defense (DoD) published the final rule for Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting.” This represents DoD’s ongoing efforts to prevent improper access to important unclassified information. As a result, contractors must provide security for “covered contractor information systems,” to include implementing the security controls of National Institute of Standards and Technology (NIST) SP 800-171. A covered contractor information system is an unclassified information system that is owned or operated by or for a contractor and that also processes, stores, or transmits covered defense information (CDI).
APL’s Annual Representations and Certifications includes questions about your company’s ability to handle CDI, such as Controlled Unclassified Information (CUI), in compliance with the cyber DFARS clause 252.204-7012. We recommend that you check with your IT security professionals and legal counsel during the certification process.
It is our policy to only share CDI with suppliers who have assured us that they are capable of handling it. In particular, DFARS 252.204-7019 requires that contractors perform self-assessments that are submitted to the Supplier Performance Risk System (SPRS) before working with CUI. DFARS 252.204-7020 also requires that suppliers be verified.
The applicable flow-down clauses are included in APL’s terms and conditions for its partner suppliers. The DFARS clauses are required to be flowed down in any subcontracts or similar contractual agreements in which subcontract performance will involve CDI, including CUI. This clause must be flowed down without modification. We appreciate your partnership to minimize risk and safeguard our sensitive information.
Cybersecurity Maturity Model Certification
In 2025, the Department of Defense (DoD) plans to finalize its Cybersecurity Maturity Model Certification (CMMC) program. Industry experts estimate it can take 12–18 months to prepare for CMMC certification. CMMC compliance will be a requirement at the time of contract award. The full details of the requirements, to include the phased implementation plan stating when the requirements apply, will be defined in the final CMMC rule. APL recommends that our partners become familiar with CMMC requirements and plan to meet the requirements well in advance.
CMMC is a DoD program that confirms that organizations have implemented existing security requirements to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). When the CMMC rule is final and in effect, all DoD contractors and subcontractors, except companies that are solely providing commercial off-the-shelf (COTS) items, must achieve compliance with CMMC requirements to be eligible for contract award. Suppliers will be responsible for ensuring their organization can meet all of the cybersecurity requirements. When CUI is required as part of the contract, a CMMC certification assessment will require suppliers to engage an official CMMC Third-Party Assessment Organization (C3PAO), which will conduct a formal assessment and report the results to DoD. At CMMC Level 3, a DoD assessment is also required.
We understand preparing for CMMC may result in questions. If questions arise, please contact us to speak with a member of our cybersecurity compliance team. One of our experienced staff members will reach out within two business days, during normal business hours (Monday to Friday, 8 a.m. to 5 p.m. ET, excluding federal holidays).
To reach a cybersecurity expert, contact smb-cyber@jhuapl.edu. Please include the following information:
- Company name, industry, and website address
- Business size (e.g., small business) and socioeconomic classification
- Whether you are a current or previous supplier for APL
- Contact information
- Specific question or resource information you are looking for
If you have a question regarding working with APL that is not cybersecurity focused, please contact PartnerandSupplierResources@jhuapl.edu.
CMMC Levels
CMMC Level 1
Required for contractors and subcontractors who will store, process, or transmit FCI. CMMC Level 1 requires a self-assessment against the cybersecurity requirements currently specified in FAR 52.204-21.
CMMC Level 2
Required for contractors and subcontractors who will store, process, or transmit CUI on their network or in the cloud. CMMC Level 2 requirements are the same as the requirements in DFARS clause 252.204-7012: NIST SP 800-171 Rev. 2 for network systems and FedRAMP Moderate or equivalent for cloud services.
CMMC Level 3
Similar to CMMC Level 2, CMMC Level 3 will require a certification assessment. However, because of the highly sensitive nature of the CUI involved, a government assessment is also conducted.
As stated above, it is estimated that it may take 12–18 months to prepare for CMMC certification. We recommend that all suppliers prepare now to ensure readiness to meet CMMC requirements in advance of new contract awards based on the timeline that will be announced in the rule, anticipated to start in 2025.
Learn more about the complete details regarding CMMC and the existing regulations using the following resources.
- CMMC is a DoD PROPOSED rule that is anticipated to be effective in calendar year 2025.
- It is a three-tiered model (CMMC Levels 1–3) of increasing requirements to protect different data types.
- Note: Some changes may occur before CMMC is finalized by the government.
- CMMC Levels 1 and 2 will validate 100% compliance with existing regulations.
- CMMC will be a condition of contract award when the rule is in effect.
- CMMC will apply to all contracts, subcontracts, and other contractual instruments.
  - This includes subcontracts for the acquisition of commercial products or commercial services.
  - This excludes COTS items.
- Regulations
  - CMMC regulations
    - 32 CFR
    - DFARS clause 252.204-7021 (pending revision)
- CMMC resources
  - CMMC oversight: Cybersecurity Maturity Model Certification Program (Chief Information Officer, U.S. Department of Defense)
  - Cyber AB website (formerly CMMC Accreditation Body)
  - CMMC FAQs
  - CMMC proposed rule (monitor for final rule release)
  - Cyber incident reporting website (required by DFARS 252.204-7012)
- Cybersecurity requirements and assessment guides
  - CMMC Level 2:
    - Requirements: NIST SP 800-171 Rev. 2: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations*
    - NIST Assessment Guide: NIST SP 800-171 Rev. 2: Assessing Security Requirements for Controlled Unclassified Information*
    - CMMC Assessment and Scoping Guides (supplemental to NIST’s)
      - Note: This document will be updated and published after the CMMC rule is finalized.
  - CMMC Level 3:
    - Requirements: defined in the CMMC rule (see the CMMC proposed rule under CMMC resources; when the CMMC rule is final, verify the requirements under the final rule)
    - CMMC Assessment and Scoping Guides (supplemental to NIST’s)
      - Note: This document will be updated and published after the CMMC rule is finalized.
*National Institute of Standards and Technology (NIST) special publications for Rev. 2 have been “withdrawn” by NIST but, in accordance with Defense Pricing and Contracts Class Deviation, and until further notice, the NIST 800-171 Rev. 2 requirements will still be used by DoD for the purpose of CMMC until such time as the rule is revised to require NIST SP 800-171 Rev. 3.