As a valued supplier of Collins Aerospace, you play a critical role in protecting defense and space-related information from malicious cyber-attacks. Companies are increasingly being targeted for their sensitive intellectual capital, much of which contains Controlled Unclassified Information (CUI), Covered Defense Information (CDI), or both. Outdated security systems leave companies vulnerable to data breaches and information compromises that could have detrimental effects throughout the supply chain, for our customers, for the Aerospace and Defense Industry, and for national security. Even a relatively minor breach could have severe consequences for a business's reputation and finances. With supply chain networks particularly at risk, Collins Aerospace aims to establish a protected supply chain ecosystem with infrastructure that supports secure collaboration across our supply base.
In addition, our customers, including the U.S. Government, are increasingly imposing mandatory cybersecurity measures and controls on their prime contractors and supply chain. On October 21, 2016, the Department of Defense (DoD) published the Final Rule for Defense Acquisition Regulation Supplement (DFARS) 252.204-7012, “Safeguarding Covered Defense Information and Cyber Reporting.” It represents the DoD’s efforts to protect the security of and prevent unauthorized access to important unclassified information (specifically covered defense information) residing in information systems within the supply base. DFARS is indicative of the increasing standardization of cybersecurity best practices, particularly with respect to cyber incident reporting and baseline cyber standards for the protection of sensitive data. The Final Rule is the product of significant back-and-forth between the U.S. government and the defense contractor community.
The DFARS clause contains the following key requirements:
Contractors (including primes and their suppliers at all tiers) must provide adequate security on all covered contractor information systems. This includes, at a minimum, implementing the security requirements of the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, as soon as practical but no later than Dec 31, 2017. NIST SP 800-171 consists of 14 key control families, amounting to 110 security controls, all of which must be met by anyone who processes, stores or transmits sensitive information (CUI / CDI) for the DoD, GSA or NASA and other federal or state agencies. A "covered contractor information system" is defined as an unclassified system that is owned, or operated by or for, a contractor and that processes, stores, or transmits covered defense information.
CYBER INCIDENT REPORTING
When a contractor discovers a cyber-incident that affects a covered contractor information system or the covered defense information residing therein, or that affects the contractor’s ability to perform the requirements of the contract that are designated as operationally critical support and identified in the contract, the contractor must:
- Promptly report the cyber incident to the DoD at https://dibnet.dod.mil within 72 hours of discovery; subcontractors must also provide the incident report number (automatically assigned by DoD) to the prime contractor (or next higher-tier subcontractor) as soon as practicable
- Conduct a review for evidence of compromise, and isolate and submit malicious software in accordance with instructions provided by the Contracting Officer
- Preserve and protect images of all known affected information systems and relevant monitoring/packet capture data for at least 90 days for potential DoD review
- Provide DoD with access to additional information or equipment that is necessary to conduct a forensic analysis
DFARS clause 252.204-7012 must be flowed down in any subcontracts or similar contractual instruments in which subcontract performance will involve covered defense information, including, but not limited to, the processing, transmitting, storing, or creation of CDI. The clause must be flowed down without alteration, except to identify the parties, to all subtiers handling covered defense information. If a subcontractor does not agree to comply with the terms of 252.204-7012, then covered defense information shall not be on that subcontractor’s information system.
Minimizing risk and ensuring cyber resilience against today's threats requires a shared effort to eliminate important system vulnerabilities. As we collectively shift focus to a risk-based approach and improve our information security postures, we can foster a supply chain network that is cyber-aware and conscientious in safeguarding our national security.
If you have any questions or would like additional information on supplier cybersecurity compliance, please contact GPUTASCompliance@utc.com.
FREQUENTLY ASKED QUESTIONS
Q: What is Covered Defense Information (CDI)?
A: Covered Defense Information is unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry at www.archives.gov/cui/registry/category-list.html, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and government-wide policies, and is:
- Marked or otherwise identified in an agreement and provided to the contractor by or on behalf of the DoD to support performance of the DoD contract OR
- Collected, developed, received, transmitted, used or stored by (or on behalf of) a contractor to support performance of the DoD contract
Q: What is a covered contractor information system?
A: A covered contractor information system is an unclassified information system that is owned, or operated by or for, a contractor and that processes, stores, or transmits covered defense information.
Q: What is NIST 800-171?
A: NIST 800-171 refers to the National Institute of Standards and Technology Special Publication 800-171, which governs Controlled Unclassified Information (CUI) in Non-Federal Information Systems and Organizations. The NIST SP 800-171 security requirements are derived from security controls in NIST SP 800-53 Revision 4 and are grouped into 14 key areas (control families) you will need to comply with. You can find a listing of these here. These standards must be met by anyone who processes, stores or transmits this type of potentially sensitive information (CUI) for the DoD, GSA or NASA and other federal or state agencies.
Q: What is a System Security Plan (SSP)?
A: An SSP, as defined by NIST 800-171 Revision 1, is a document that describes how an organization meets the security requirements for a system, or how an organization plans to meet those requirements. In particular, the system security plan describes the system boundary; the environment in which the system operates; how the security requirements are implemented; and the relationships with or connections to other systems. In addition, NIST notes that nonfederal organizations should develop plans of action that describe how any unimplemented security requirements will be met and how any planned mitigations will be implemented. Organizations can document the system security plan and plan of action as separate or combined documents and in any chosen format. There is no prescribed format or specified level of detail for system security plans; however, organizations must ensure that the information required by [SP 800-171 Requirement] 3.12.4 is conveyed in those plans.
The NIST Computer Security Resource Center (CSRC) provides helpful resources such as SSP and POA templates. You can download those here.
Supplier Cybersecurity Resources
DoD: DFARS 252.204-7012
DoD: FAQ for DFARS 252.204-7012
DoD: Central DFARS Cybersecurity Repository
DoD: Safeguarding Covered Defense Information – The Basics
NIST: Special Publication 800-171 Revision 1
NIST: Guide for Applying the Risk Management Framework to Federal Information Systems
NIST: Cybersecurity Self-Assessment Handbook
UTC Purchase Terms & Conditions
Small Business Resources
Department of Homeland Security: Small Business Resources
DoD: Office of Small Business Programs
SBA: Cybersecurity for Small Businesses, Self-Paced Training Course
US-CERT: Resources for Small and Midsize Businesses (SMB)