For Suppliers

Cybersecurity Information

Covered Defense Information, Including Controlled Unclassified Information

On October 21, 2016, the Department of Defense (DoD) published the final rule for Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting.” This represents DoD’s ongoing efforts to prevent improper access to important unclassified information. As a result, contractors must provide security for “covered contractor information systems,” to include implementing the security controls of National Institute of Standards and Technology (NIST) SP 800-171. A covered contractor information system is an unclassified information system that is owned or operated by or for a contractor and that also processes, stores, or transmits covered defense information (CDI).

APL’s Annual Representations and Certifications includes questions about your company’s ability to handle CDI, such as Controlled Unclassified Information (CUI), in compliance with the cyber DFARS clause 252.204-7012. We recommend that you check with your IT security professionals and legal counsel during the certification process.

It is our policy to only share CDI with suppliers who have assured us that they are capable of handling it. In particular, DFARS 252.204-7019 requires that contractors perform self-assessments that are submitted to the Supplier Performance Risk System (SPRS) before working with CUI. DFARS 252.204-7020 also requires that suppliers be verified.

The applicable flow-down clauses are included in APL’s terms and conditions for its partner suppliers. The DFARS clauses are required to be flowed down in any subcontracts or similar contractual agreements in which subcontract performance will involve CDI, including CUI. This clause must be flowed down without modification. We appreciate your partnership to minimize risk and safeguard our sensitive information.

Cybersecurity Maturity Model Certification

In 2025, the Department of Defense (DoD) plans to finalize its Cybersecurity Maturity Model Certification (CMMC) program. Industry experts estimate it can take 12–18 months to prepare for CMMC certification. CMMC compliance will be a requirement at the time of contract award. The full details of the requirements, to include the phased implementation plan stating when the requirements apply, will be defined in the final CMMC rule. APL recommends that our partners become familiar with CMMC requirements and plan to meet the requirements well in advance.

CMMC is a DoD program that confirms that organizations have implemented existing security requirements to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). When the CMMC rule is final and in effect, all DoD contractors and subcontractors, except companies that are solely providing commercial off-the-shelf (COTS) items, must achieve compliance with CMMC requirements to be eligible for contract award. Suppliers will be responsible for ensuring their organization can meet all of the cybersecurity requirements. When CUI is required as part of the contract, a CMMC certification assessment will require suppliers to source an official CMMC Third-Party Assessment Organization (C3PAO) who will conduct a formal assessment and report the results to DoD. At CMMC Level 3, a DoD assessment is also required.

CMMC Levels

As stated above, it is estimated that it may take 12–18 months to prepare for CMMC certification. We recommend that all suppliers prepare now to ensure readiness to meet CMMC requirements in advance of new contract awards based on the timeline that will be announced in the rule, anticipated to start in 2025.

Learn more about the complete details regarding CMMC and the existing regulations using the following resources.