Frontgrade delivers some of the most advanced technology products and services, which makes us – and our suppliers – targets for cyberattacks. In an ever-changing global world, we have the responsibility to understand these threats and secure all levels of our supply chain.

U.S. Government customers frequently include contract clauses that require contractors and subcontractors (at all tiers) to provide “adequate security” to safeguard certain types of government information on their internal systems, including the following FAR and DFARS contract clauses:

  • FAR 52.204-21 – Requires supplier’s compliance at time of award with a select subset of NIST SP 800-171 “basic safeguarding” cybersecurity controls for internal systems with “federal contract information.”
  • DFARS 252.204-7012 – Requires supplier’s implementation of NIST SP 800-171, prior to award, which includes cybersecurity controls for internal systems with “covered defense information” (CDI). To have implemented NIST SP 800-171 for purposes of this DFARS clause, companies must have performed a self-assessment of their covered systems, completed a System Security Plan (SSP), and a Plan of Actions and Milestones (POAM) as applicable. Companies must also have obtained the DIBNET incident reporting medium level of assurance hardware certificate.
  • DFARS 252.204-7019 and DFARS 252.204-7020 – Require implementation of NIST SP 800-171 in accordance with DFARS 252.204-7020. Prior to award, suppliers must conduct a basic self-assessment of the 110 NIST 800-171 controls for each information system that will handle Covered Defense Information (CDI) and submit the resulting scores and documentation to the Department of Defense (DoD) website “Supplier Performance Rating System (SPRS).”

Adequate Security

Suppliers shall provide adequate security on all covered information systems. Adequate security is defined as protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of, information.

Cyber Incident Reporting Requirement

When a cyber incident is discovered, suppliers must conduct a review for evidence of compromise of covered defense information and report it to the Department of Defense at http://dibnet.dod.mil and to Frontgrade Technologies within 72 hours. A “cyber incident” is defined as actions taken using computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.

Subcontract Flow Downs

Contract clauses are required to be flowed down to subcontractors (at all tiers) so that they provide “adequate security” to safeguard certain types of government information on their internal systems, including the FAR and DFARS contract clauses listed above.