Weekend Closures & Maintenance Updates - General Dynamics NASSCO

Reporting a Cybersecurity Incident

In accordance with DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting, subcontractors, including vendors and consultants, are required to rapidly report cyber incidents within 72 hours of discovery to the General Dynamics NASSCO Buyer point of contact, the General Dynamics NASSCO Security Operations Center hotline at cyber_report@nassco.com, and directly to Department of Defense (DoD) at https://dibnet.dod.mil/portal/intranet/. This includes providing the incident report number, automatically assigned by DoD to General Dynamics NASSCO as soon as practical.

Flow-down Clauses to General Dynamics Suppliers

The applicable flow-down clauses are included in General Dynamics NASSCO terms and conditions for its suppliers. Our terms and conditions are available at the following link: https://nassco.com/suppliers/doing-business-with-us/terms-conditions/

Defense Federal Acquisition Regulation Supplement (DFARS)

DFARS	Prescription
252.204-7008 Compliance with Safeguarding Covered Defense Information (Oct 2016)	All solicitations, including solicitations using FAR part 12 procedures for the acquisition of commercial items, except for solicitations solely for the acquisition of commercially available off-the-shelf (COTS) items
252.204-7009 Limitation on the Use or Disclosure of Third Party Contractor Reported Cyber Incident Information (Oct 2016)	All solicitations and contracts, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial items, for services that include support for the Government’s activities related to safeguarding covered defense information and cyber incident reporting
252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting (Oct 2016)	All solicitations and contracts, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial items, except for solicitations and contracts solely for the acquisition of COTS items
252.239-7009 Representation of Use of Cloud Computing (Sept 2015)	All solicitations, including solicitations using FAR part 12 procedures for the acquisition of commercial item, for information technology services
252.239-7010 Cloud Computing Services (Oct 2016)	All solicitations and contracts, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial item, for information technology services

NIST SP 800-171 defines the security requirements for protecting Controlled Unclassified Information (CUI) in non-federal information systems and organizations. Generally, Department of Defense contractors, except COTS suppliers, are required to implement these security requirements by no later than December 31, 2017. Please refer to DFARS 252.204-7008, DFARS 252.204-7012 and NIST SP 800-171 for more details.

Federal Acquisition Regulation (FAR)

FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems

This clause is applicable to all solicitations and contracts when a contractor or subcontractor at any tier may have federal contract information residing in or transiting through its information systems, including commercial items other than commercially available off-the-shelf items (COTS).

Synopsis:

Requires basic safeguarding requirements and procedures to protect covered contractor information systems
Imposes 15 categories of security controls focused on safeguarding contractor systems that process, store or transmit Federal contract information
Although not specifically stated, contractors in compliance with the more expansive NIST SP 800-171 security controls will presumably be in compliance with the FAR requirements
Applicable to all solicitations and contracts when a contractor or subcontract at any tier may have federal contract information residing in or transiting through its information systems. Does not apply to contracts or subcontracts for COTS.