Aerojet Rocketdyne (AR) takes the protection of information seriously. Some contracts are subject to information security obligations to the Department of Defense and NASA.
This page provides important resources for our suppliers to be able to comply with cybersecurity requirements of the Agreements and Purchase Orders (PO) they receive. AR incorporates cybersecurity requirements in its General Provisions, Supplemental Government Terms and Conditions, and the Annual Business Certification (ABC). Links to resources are provided below.
NIST SP 800-171 ASSESSMENT UNDER DFARS 252.204-7019 AND 252.204-7020
- DFARS Interim Rule: DFARS Case 2019-D041, Defense Federal Acquisition Regulation Supplement (DFARS): Assessing Contractor Implementation of Cybersecurity Requirements. Effective November 30, 2020; implements 3 new DFARS clauses.
CYBERSECURITY MATURITY MODEL CERTIFICATION (CMMC) under DFARS 252.204-7021
- 252.204-7021 (Clause will not be in any contracts until CMMC 2.0 is in effect, date TBD.), Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirement
NOTE: For link to the DFARS Case and full text of clauses see 11-19-20 letter to suppliers in "Resources" below.
- ACTIONS REQUIRED: All DoD suppliers, except providers of solely "Commercial-Off-The-Shelf" (COTS) items as defined in FAR 2.101, Definitions, must take the following actions:
- The supplier must flow down DFARS 252.204-7020, including paragraph (g), "Subcontracts", in all solicitations and contracts, with certain exceptions (such as solicitations or contracts solely for the acquisition of COTS items).
- Complete (at least) a Basic self-assessment of compliance with the NIST SP 800-171 controls using the DoD Assessment Methodology cited above, AND
- IMPORTANT: Submit summary-level scores of the assessment and other information required by DFARS 252.204-7020 into the Government's Supplier Performance Risk System (SPRS), or send the information via encrypted email to firstname.lastname@example.org (MAIL TO: email@example.com). NOTE: Scores should be updated as NIST compliance progresses. Suppliers shall confirm to AR that they have uploaded their summary self-assessment score to SPRS (a screenshot of the SPRS entry is requested) and update AR accordingly. AR POs which contain DFARS 252.204-7020 cannot be awarded until AR has confirmed that the supplier has complied; OR
- The Government performed a Medium or High Assessment within the last 3 years on the supplier's covered contractor information systems applicable to the work performed under DoD contracts (that are not part of an information technology system that the supplier operates on behalf of the Government), and the results of the Government assessment were entered into SPRS.
NOTE: SPRS Support Contact Phone: (207) 438-1690
SPRS Access: https://www.sprs.csd.disa.mil/access-nongov.htm
- What is CMMC? CMMC is the DoD process expected to be reactivated with a new structure in the first part of 2022 (original structure in version 1.0 is suspended). CMMC 2.0 will focus on NIST SP 800-171 basic self-assessments for most suppliers. Some suppliers handling highly sensitive information will require assessment by independent third-party auditors trained and accredited by the DoD. DoD-certified auditors will assess some suppliers' compliance to DFARS 252.204-7012 and NIST SP 800-171.
- DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting.
- How does CMMC work? DoD suppliers will be required to conduct Basic Self-Assessments to NIST SP 800-171. Some suppliers who handle the most sensitive information may require review by DoD-certified CMMC auditors.
For a given CMMC level, the associated controls and processes, when implemented, will reduce risk against a specific set of cyber threats. The third-party cybersecurity assessments should result in supplier certifications ranging from 1 (lower – basic cyber hygiene) to 2 (for suppliers that access Controlled Unclassified Information (CUI)) or 3 (highest – most advanced compliance).
- What is the Impact to Suppliers? Government solicitations will specify the CMMC level required for prime contractors and subcontractors at all tiers of the supply chain. As the CMMC program continues to mature over the next few years, eventually all suppliers to Aerojet Rocketdyne under DoD programs will require CMMC to the appropriate level to participate on DoD programs.
Please learn about the CMMC program and be cybersecurity compliant to meet AR's expectations for its suppliers. AR believes the resources provided below will be helpful.
- AR Letter dated: 11-19-2020, Supply Chain Cybersecurity Compliance – DFARS Interim Rule
- Office of the Under Secretary of Defense for Acquisition and Sustainment CMMC
- Department of Defense - Defense Industrial Base (DIB) Website
- DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting
- DoD NIST SP 800-171 Rev 1
- DoD Procurement Toolbox - Cybersecurity
- CMMC Accreditation Board
- NASA NIST SP 800-53 Rev 4
- NASA FAR Supplement (NFS) 1852.204-76 Security Requirements for Unclassified Information Technology Resources
- AR General Provisions (GPs), Form SCM-AS302-1
- AR Supplemental Government Terms and Conditions, Form SCM-AS302-2
- AR Annual Business Certification (ABC), Form SCM-F-7.11.01.09.003