
Supplier Cybersecurity

Meeting U.S. Government Contract Cybersecurity Regulations

Compliance with the following Defense Federal Acquisition Regulation Supplement (DFARS) clauses – which address the safeguarding of information for secure dissemination between the Department of Defense (DoD), prime contractors and their suppliers – has been required as of Dec. 31, 2017:

  • Limitations on the Use or Disclosure of Third-Party Contractor Reported Cyber Incident Information
  • Cloud Computing Services
  • Safeguarding Covered Defense Information and Cyber Incident Reporting

The DoD also added requirements for prime contractors and their suppliers in November 2020:

  • Notice of NIST SP 800-171 DoD Assessment Requirements
  • NIST SP 800-171 DoD Assessment Requirements

For any contracts our company has or receives that contain these clauses, the clauses also flow down to all sub-tiers of the prime contract. This means those sub-tier suppliers must have in place the higher level of network security, as applicable, and the rapid reporting chain of command as defined in DFARS 252.227-7013.

At a minimum, organizations that have Covered Defense Information (CDI) must comply with all National Institute of Standards and Technology (NIST) Special Publication 800-171 security controls, as addressed in the clauses above.

Exostar Partner Information Manager

In order to execute our government contracts, we must have insight into our suppliers’ cybersecurity positions and their ability to protect sensitive information. We are one of many prime contractors that use Exostar’s Partner Information Manager (PIM) tool to manage supplier compliance with DoD cybersecurity requirements. The Exostar security questionnaire enables your company to attest to its compliance with each NIST SP 800-171 security control.

The Exostar PIM system also benefits our suppliers, as it enables your company to complete the questionnaire once and later share the results with any other participating prime contractors that request them. This reduces the time you will spend completing multiple questionnaires and provides a standard and consistent set of minimum cybersecurity expectations.