Cybersecurity for our Suppliers

* “Suppliers” or “Supply Chain” may include contractors, subcontractors, consultants, vendors and OEMs.

The threats facing industry’s ability to adequately safeguard its critical infrastructure are escalating dramatically. Hacking tools that require little or no skill to execute are increasingly available online, lowering the barrier to entry for bad actors and increasing their capabilities. Cybersecurity attacks are complex and often go undetected.

Additionally, Department of Defense (DoD) policy states that “cybersecurity be fully considered and implemented in all aspects of acquisition programs across the life cycle and responsibility for cybersecurity extends to all members of the acquisition workforce.”

General Dynamics Information Technology is committed to a proactive and compliant cybersecurity approach to safeguarding our networks, information, and systems. Below are resources for our Suppliers on federal regulations and how to report cybersecurity incidents.

Regulatory References

Federal Acquisition Regulation (FAR):

The above-referenced FAR clause is applicable to all solicitations and contracts when a Supplier at any tier may have federal contract information residing in or transiting through its information systems, including commercial items other than commercially available off-the-shelf (COTS) items.

Synopsis of FAR 52.204-21:

  • Requires basic safeguarding requirements and procedures to protect covered contractor information systems
  • Imposes 15 categories of security controls focused on safeguarding contractor systems that process, store or transmit Federal contract information
  • Although not specifically stated, contractors in compliance with the more expansive NIST SP 800-171 security controls will presumably be in compliance with the FAR requirements
  • Applicable to all solicitations and contracts when a contractor or subcontractor at any tier may have federal contract information residing in or transiting through its information systems. Does not apply to contracts or subcontracts for COTS products.

Additional Defense Federal Acquisition Regulation Supplement (DFARS) provisions:


DFARS 252.204-7008 Compliance with Safeguarding Covered Defense Information (Oct 2016)

Prescription: All solicitations, including solicitations using FAR part 12 procedures for the acquisition of commercial items, except for solicitations solely for the acquisition of commercially available off-the-shelf (COTS) items

DFARS 252.204-7009 Limitation on the Use or Disclosure of Third Party Contractor Reported Cyber Incident Information (Oct 2016)

Prescription: All solicitations and contracts, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial items, for services that include support for the Government’s activities related to safeguarding covered defense information and cyber incident reporting

DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting (Oct 2016)

Prescription: All solicitations and contracts, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial items, except for solicitations and contracts solely for the acquisition of COTS items

DFARS 252.239-7009 Representation of Use of Cloud Computing (Oct 2016)

Prescription: All solicitations, including solicitations using FAR part 12 procedures for the acquisition of commercial items, for information technology services

DFARS 252.239-7010 Cloud Computing Services (Oct 2016)

Prescription: All solicitations and contracts, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial items, for information technology services


NIST SP 800-171 defines the security requirements for protecting Controlled Unclassified Information (CUI) in non-federal information systems and organizations. Generally, Department of Defense contractors, except COTS suppliers, are required to implement these security requirements by no later than December 31, 2017. Please refer to DFARS 252.204-7008, DFARS 252.204-7012 and NIST SP 800-171 for more details.

Flow-down Clauses to General Dynamics Suppliers

The applicable flow-down clauses are included in General Dynamics Information Technology terms and conditions for its Suppliers.

Reporting a Cybersecurity Incident

In accordance with DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting, Suppliers are required to rapidly report cyber incidents within 72 hours of discovery to the Buyer point of contact and directly to the Department of Defense (DoD) at https://dibnet.dod.mil/portal/intranet/. This includes providing the incident report number, automatically assigned by DoD, to General Dynamics Information Technology as soon as practical.

Achieving Cybersecurity Compliance – Other Helpful Cybersecurity References:

Department of Defense (DoD):

Department of Homeland Security (DHS):

Defense Information Systems Agency (DISA):

Federal Bureau of Investigation (FBI):

Federal Communications Commission (FCC):

General Services Administration (GSA):

National Archives Information Security Oversight Office

National Institute of Standards and Technology (NIST):

Small Business Administration (SBA):