CMMC Information & Resources
Supply chain risk management is vital to Peraton’s mission, and collaboration with clients and partners requires a focus on data protection, cybersecurity and risk management. It is equally important to the success of Peraton’s Defense Industrial Base partners, including teaming partners and subcontractors. Peraton’s commitment to a secure supply chain ecosystem is rooted in ongoing compliance with applicable laws and regulations, and that commitment extends to data and infrastructure within our teaming partners’ and subcontractors’ boundaries.
As a supplier to the Federal Government and a Defense Industrial Base member, Peraton must adhere to the requirements of the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS). Strict adherence to the FAR and DFARS throughout the supply chain is imperative: contractors that do not comply put their existing contracts at risk and may lose future awards.
These requirements are flowed down to our subcontractors and currently include DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, and DFARS 252.204-7020, NIST SP 800-171 DoD Assessment Requirements. These clauses require protection of Controlled Unclassified Information (CUI), including Covered Defense Information (CDI) and Controlled Technical Information (CTI), as defined by the National Archives and Records Administration’s CUI Registry and the Department of Defense CUI Program. Federal Contract Information (FCI) is protected separately under FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems.
DFARS 252.204-7021, Cybersecurity Maturity Model Certification Requirements, will also be flowed down through the Peraton supply chain once it is in effect. The Department of Defense released the Cybersecurity Maturity Model Certification in 2020 as the next step in the secure handling of CDI and CUI.
Supplier Cybersecurity Resources
Below is a list of supplier cybersecurity resources for Peraton’s suppliers, including links to the relevant DFARS clauses:
- CyberAssist – DIB SCC CyberAssist (ndisac.org)
- Department of Defense CUI Program
- NIST MEP Cybersecurity Self-Assessment Handbook
- DFARS 252.204-7012 Safeguarding Covered Defense Information
- DFARS 252.204-7020 NIST SP 800-171 DoD Assessment Requirements
- DFARS 252.204-7021 Cybersecurity Maturity Model Certification Requirements
- Supplier Performance Risk System (SPRS)
- OMB M-22-18
- NIST SP 800-218
- NIST SP 800-171 Rev. 2
- NIST SP 800-171A
- NIST SP 800-171 Rev. 3
- NIST SP 800-171A Rev. 3
- NIST Software Supply Chain Security Guidance
DFARS 252.204-7012
Supplier Requirements & Validations
- Implement the requirements specified in DFARS 252.204-7012, including:
  - Documenting compliance with the 110 requirements of NIST SP 800-171 in a system security plan (SSP)
  - Reporting cyber incidents affecting CDI within 72 hours of discovery to the DoD’s Defense Industrial Base (DIB) Cybersecurity Portal (DIBNET). After the DIBNET report is made, suppliers must also report the incident to Peraton at CyberSOC@peraton.com
  - Using only external cloud service providers that meet the requirements of DFARS 252.204-7012 paragraph (b)(2)(ii)(D) (security requirements equivalent to the FedRAMP Moderate baseline) to store, process, or transmit CDI
- Provide attestation to the requirements in the DFARS 252.204-7012 clause as part of the flow-down process for contracts where Peraton is the prime and the clause is present. The clause and its requirements must also be flowed down to all suppliers and subcontractors in the supply chain who store, process, and/or generate Controlled Unclassified Information or Covered Defense Information as part of contract performance.
- Complete a Basic Assessment within the prior three years using the NIST SP 800-171 DoD Assessment Methodology referenced in DFARS 252.204-7020, and post the summary level score in the Supplier Performance Risk System (SPRS).
- Provide Peraton with an attestation of the type of assessment (Basic, Medium, or High) and the date of assessment.
Cybersecurity Maturity Model Certification
Supplier Requirements & Validations
The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense’s data protection framework for Controlled Unclassified Information and Federal Contract Information. It is built around the NIST SP 800-171 requirements but adds three tiered levels. The level a supplier must meet, and whether it is demonstrated by self-assessment or by an independent third-party assessment, are specified in the solicitation or Request for Information (RFI).
As of Summer 2024, CMMC 2.0 is in the rulemaking process, with up-to-date information provided by the DoD CIO’s CMMC website. Peraton strongly encourages all suppliers that currently handle, process, store, or transmit CUI in performance or support of a contract to:
- Remain aware of updates posted in the Federal Register
- Monitor the DoD CIO’s website for CMMC updates
- Review their DFARS 252.204-7012/7020 assessments and close out all open Plans of Action and Milestones (POA&Ms)
As with the flow-down of DFARS 252.204-7012, CMMC will be required throughout the supply chain, and solicitations bearing the CMMC clause will specify which suppliers the clause and CMMC level flow to. Suppliers will upload their CMMC self-assessment results to SPRS, and assessments conducted by a CMMC Third-Party Assessment Organization (C3PAO) will be uploaded by that C3PAO, much as Basic Assessments of NIST SP 800-171 are self-reported and Medium/High Assessments are posted by DCMA under DFARS 252.204-7020. Where the CMMC clause and a CMMC level are present, Peraton will require suppliers to attest to their CMMC level, the type of assessment, and the date of assessment.
Executive Order 14028
“Improving the Nation’s Cybersecurity”
Protecting the supply chain is of utmost importance regardless of specific client requirements, and this has led to executive orders directing explicit data security protections for Federal agencies and the industries that support the government. Released in May 2021, Executive Order 14028, “Improving the Nation’s Cybersecurity”, includes mandates for agency cybersecurity and for suppliers, including the sharing of cyber incident and threat information that could affect government networks, and baseline security standards for the development of software sold to the government. The Office of Management and Budget (OMB) and the National Institute of Standards and Technology (NIST) released guidance on the requirements for software suppliers: OMB M-22-18 and NIST Special Publication 800-218, Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities. In support of EO 14028 and OMB M-22-18, NIST has also published its Software Supply Chain Security Guidance.
When requirements for safeguarding CUI and CDI apply to a Peraton program, Peraton buyers and subcontract administrators distribute cybersecurity questionnaires to suppliers in order to verify compliance with supply chain cybersecurity requirements. The questionnaire assesses supplier compliance with DFARS 252.204-7012, DFARS 252.204-7019, and DFARS 252.204-7020.
FAQs
What is Covered Defense Information?
According to the DFARS 252.204-7012 clause, “Covered Defense Information (CDI) means unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies, and is—
- (1) Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or
- (2) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.”
What requirements do suppliers need to implement to protect CDI?
The DFARS 252.204-7012 clause requires every supplier that receives the clause in a solicitation or contract to implement all 110 requirements of NIST Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”.
What version of NIST SP 800-171 is currently in effect?
In May 2024, NIST issued Revision 3 of SP 800-171. However, the Department of Defense issued a Class Deviation Memorandum that keeps NIST SP 800-171 Revision 2 as the version required by contracts until the deviation is rescinded.
What if a supplier has limited systems handling, processing, storing, or transmitting CUI?
All suppliers must identify the boundary of their systems, including assets that:
- Directly handle, process, store, or transmit CUI (CUI Assets)
- Provide security functions or capabilities to CUI Assets, regardless of whether those assets themselves handle, process, store, or transmit CUI (Security Protection Assets)
- Can, but are not intended to, handle, process, store, or transmit CUI (Contractor Risk Managed Assets)
How do suppliers prove they’ve implemented the NIST SP 800-171 requirements?
Suppliers that receive the DFARS 252.204-7019 and 252.204-7020 clauses are required to perform a self-assessment (Basic Assessment) of their NIST SP 800-171 implementation using the NIST SP 800-171 DoD Assessment Methodology, and to post the resulting summary level score in SPRS.
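The summary level score that a Basic Assessment produces (required under Supplier Requirements & Validations above and in this answer) is computed by the NIST SP 800-171 DoD Assessment Methodology as 110 minus the point value (5, 3 or 1) of every requirement not yet implemented, with partial credit for two requirements and with the system security plan itself (3.12.4) treated as a prerequisite rather than a scored item. The Python below is an added illustration written for this page; it is not Peraton’s or DoD’s tooling. The requirement subset and its point values are a constructed sample (confirm every value against Annex A of the methodology before relying on it), and a real assessment must cover all 110 requirements.

```python
from __future__ import annotations

from enum import Enum

MAX_SCORE = 110   # every requirement implemented
MIN_SCORE = -203  # floor published in the DoD Assessment Methodology


class Status(Enum):
    IMPLEMENTED = "implemented"
    PARTIAL = "partial"                # only valid for requirements in PARTIAL_CREDIT
    NOT_IMPLEMENTED = "not implemented"


# Methodology rule: these two 5-point requirements lose 3 points instead of 5
# when partly met (3.5.3: MFA for remote and privileged users but not general
# users; 3.13.11: encryption in use but not FIPS-validated).
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}

# 3.12.4 (the SSP) carries no points: without an SSP the assessment cannot be performed.
SSP_REQUIREMENT = "3.12.4"

# Constructed sample of requirement weights (assumption: illustrative values,
# not the full Annex A table; a real run needs all 110 requirements).
SAMPLE_WEIGHTS = {
    "3.1.1": 5, "3.1.20": 1, "3.4.1": 5, "3.5.3": 5, "3.8.2": 3,
    "3.12.2": 3, "3.12.4": 0, "3.13.11": 5, "3.14.2": 5,
}

# Constructed sample assessment result for the same subset.
SAMPLE_STATUSES = {
    "3.1.1": Status.IMPLEMENTED,
    "3.1.20": Status.NOT_IMPLEMENTED,   # external connections not controlled: -1
    "3.4.1": Status.IMPLEMENTED,
    "3.5.3": Status.PARTIAL,            # MFA for remote/privileged only: -3, not -5
    "3.8.2": Status.IMPLEMENTED,
    "3.12.2": Status.IMPLEMENTED,
    "3.12.4": Status.IMPLEMENTED,       # SSP exists, so the assessment can proceed
    "3.13.11": Status.NOT_IMPLEMENTED,  # on the POA&M, but still deducted: -5
    "3.14.2": Status.IMPLEMENTED,
}


def score_assessment(weights: dict[str, int],
                     statuses: dict[str, Status]) -> tuple[int, dict[str, int]]:
    """Return (summary level score, deductions by requirement).

    `weights` maps requirement id -> point value; `statuses` must hold a Status
    for every requirement in `weights`. Requirements on a POA&M are scored as
    not implemented: the methodology scores what is in place today.
    """
    missing = sorted(set(weights) - set(statuses))
    if missing:
        raise ValueError(f"every requirement must be assessed; missing: {missing}")
    if statuses.get(SSP_REQUIREMENT) is Status.NOT_IMPLEMENTED:
        raise ValueError("no system security plan: the assessment cannot be performed")

    deductions: dict[str, int] = {}
    for req, weight in weights.items():
        if req == SSP_REQUIREMENT:
            continue  # prerequisite, never scored
        status = statuses[req]
        if status is Status.IMPLEMENTED:
            continue
        if status is Status.PARTIAL:
            if req not in PARTIAL_CREDIT:
                raise ValueError(f"{req} has no partial-credit rule; mark it not implemented")
            deductions[req] = PARTIAL_CREDIT[req]
        else:
            deductions[req] = weight

    score = MAX_SCORE - sum(deductions.values())
    if not MIN_SCORE <= score <= MAX_SCORE:
        raise ValueError("score outside the methodology's range; check the weights table")
    return score, deductions


if __name__ == "__main__":
    score, lost = score_assessment(SAMPLE_WEIGHTS, SAMPLE_STATUSES)
    for req, points in lost.items():
        print(f"{req}: -{points}")
    print(f"summary level score: {score}")
```

Note that 3.13.11 is deducted even though it sits on a POA&M; the score reflects what is implemented on the assessment date, which is why closing open POA&Ms before a CMMC assessment matters.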
Is there an assessment guide for NIST SP 800-171?
Yes. NIST SP 800-171A, “Assessing Security Requirements for Controlled Unclassified Information”, is the assessment guide for the NIST SP 800-171 requirements.
Are there other levels of assessment beyond Basic as defined in DFARS 252.204-7019?
There are three levels of assessment: Basic, Medium, and High. They are defined in the DFARS 252.204-7020 clause as follows:
- “Basic Assessment” means a contractor’s self-assessment of the contractor’s implementation of NIST SP 800-171 that—
  - (1) Is based on the Contractor’s review of their system security plan(s) associated with covered contractor information system(s);
  - (2) Is conducted in accordance with the NIST SP 800-171 DoD Assessment Methodology; and
  - (3) Results in a confidence level of “Low” in the resulting score, because it is a self-generated score.
- “Medium Assessment” means an assessment conducted by the Government that—
  - (1) Consists of—
    - (i) A review of a contractor’s Basic Assessment;
    - (ii) A thorough document review; and
    - (iii) Discussions with the contractor to obtain additional information or clarification, as needed; and
  - (2) Results in a confidence level of “Medium” in the resulting score.
- “High Assessment” means an assessment that is conducted by Government personnel using NIST SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information, that—
  - (1) Consists of—
    - (i) A review of a contractor’s Basic Assessment;
    - (ii) A thorough document review;
    - (iii) Verification, examination, and demonstration of a Contractor’s system security plan to validate that NIST SP 800-171 security requirements have been implemented as described in the contractor’s system security plan; and
    - (iv) Discussions with the contractor to obtain additional information or clarification, as needed; and
  - (2) Results in a confidence level of “High” in the resulting score.
If a subcontract includes DFARS 252.204-7012 or 252.204-7021, does that require compliance with the requirements of those clauses?
Yes. Review all contracts and subcontracts carefully for these clauses. By signing, a supplier represents that it is already compliant in the case of DFARS 252.204-7012, or that it will become compliant by the time required, depending on where the solicitation falls in the CMMC 2.0/DFARS 252.204-7021 rollout.