National Institute of Standards and Technology (NIST) Supplier Cybersecurity Compliance

Cyber Security

Cyber attacks targeting systems and data throughout the world is constantly increasing in both volume and sophistication. It is critical that our suppliers understand the risks associated with these attacks and implements appropriate security actions to successfully manage the Confidentiality, Integrity, and Availability of On-Point Defense Technologies, LLC sensitive data as well as DoD’s Controlled Unclassified Information (CUI) as defined by DFARS Clause 252-204-7012.

Per DoD clause 252-204-7012, DoD contractors and subcontractors are required to implement and comply with security requirements to protect CUI data that is stored, processed, transmitted or used to generate data related to CUI as part of contract performance. These same requirements also apply to any On-Point Defense Technologies, LLC sensitive data provided to suppliers as part of DOD contract performance.

Cyber Security Requirements

DFARS Clause 252-204-7012 defines the cybersecurity requirements to be complied with to manage Controlled Unclassified Information (CUI) as a DoD Contractor or Subcontractor. Some of the elements of this requirement include:

The use of NIST 800-171 as the security framework for the protection of CUI. Contractors and Subcontractors need to be in compliance with the requirements in the DFAR clause as well as the NIST security framework by the end of December 2017.

Areas of non-compliance will need to be reported to DoD within 30 days after contract award or within 30 days of any DoD related subcontract award from On-Point Defense Technologies, LLC.

These requirements need to be flowed down to any subcontractors used in the performance of any DoD contract.

Any cyber incident (as defined by 252.204-7012) related to CUI data is to be reported to DoD via a reporting website within 72 hours of the incident discovery.

On-Point Defense Technologies, LLC suppliers are responsible to meet the requirements in DFAR 252-204-7012 and NIST 800-171 and to communicate directly to DoD as required. On-Point Defense Technologies, LLC will need to be kept informed of any compliance or incident issues as follows:

• Provide a copy of any DoD NIST compliance reports as well as any deficiency communications to the On-Point Defense Technologies, LLC Procurement representative identified on any associated purchase order or contract.
• For any incidents (as defined by 252.204-7012)of CUI or On-Point Defense Technologies, LLC sensitive data, notify the Procurement representative identified on any associated purchase order or contract for which the incident occurred with 72 hours of discovery.

Additional Cyber Security Resources

There are many IT security related resources to provide awareness and to help improve your security program. There are also many security organizations that provide guidance on cyber threats as well as methods to assess and mitigate cyber risks On-Point Defense Technologies, LLC does not endorse any specific resource or organization and provides this information as a courtesy to suppliers that may not be aware of some of the resources available.

• Center for Internet Security (CIS)
• International Organization for Standardization (ISO)
• National Institute of Standards and Technology (NIST)
• SANS Institute
• United States Computer Emergency Readiness Team (US-Cert)