
Cybersecurity Resources for Vendors

This page provides DoD cybersecurity requirements, information on various cybersecurity programs, and helpful resources that Vendors can utilize when working with DLA and DoD.

The links on this page lead to resources outside of DLA's Office of Small Business Programs. The content is informational only and should not be interpreted as being definitive, all-inclusive or an endorsement, sanction, approval, or authorization by DLA.


Why is Cybersecurity Important at DLA?

Strengthening cybersecurity measures is crucial for handling and protecting information as cyber threats continue to grow. To enhance DLA's cybersecurity and better protect DoD information, the Cybersecurity Maturity Model Certification (CMMC) Program was created to enable Vendors to align with DoD cybersecurity requirements in order to work with the Government.

Cybersecurity Maturity Model Certification (CMMC)

The CMMC Program is structured to align with the DoD's current information security requirements for the Defense Industrial Base (DIB). Its purpose is to ensure the safeguarding of sensitive unclassified information shared by the DoD with contractors and subcontractors. By implementing this program, the DoD ensures that Vendors adhere to cybersecurity standards when using nonfederal systems that handle Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

Currently Suppliers are expected to comply with the following if they are storing, transmitting, and processing CUI:

DFARS 252.204-7012 requires Suppliers to implement 110 cybersecurity requirements, specified in the NIST Special Publication (SP) 800-171 , Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, for most Defense contracts.

Suppliers are also required to develop a System Security Plan (SSP) detailing the policies and procedures they have in place to comply with NIST SP 800-171.

DFARS 252.204-7019 requires Suppliers to conduct a NIST SP 800-171A, Rev. 3 self-assessment.

A Supplier can take a self-assessment with NIST SP 800-171A, Rev. 3.

However, there is an exception for items that the Government categorizes as Commercial Off the Shelf (COTS).

Self-assessment scores must be reported in the Supplier Performance Risk System (SPRS). In order to upload into SPRS, a Supplier must first register in the Procurement Integrated Enterprise Environment (PIEE).

Self-assessments must be submitted by the time of award and must not be more than 3 years old.

DFARS 252.204-7020 notifies contractors that DoD reserves the right to conduct a higher-level assessment and that contractors must give assessors full access to their facilities, systems, and personnel.

It requires contractors to confirm their subcontractors have assessment scores posted in SPRS.

DFARS 252.204-7021 requires Suppliers and their subcontractors (if applicable) to have a certain CMMC level before being awarded a contract.

This is optional until CMMC 2.0 is fully implemented. However, it is recommended that Suppliers begin the CMMC certification process now.

Overview of Assessments

The CMMC Program has three levels of assessments comprised of self, CMMC Third Party Assessment Organization (C3PAO), and Defense Industrial Base Cyber Assessment Center (DIBCAC) assessments. Each assessment incorporates security requirements from existing requirements and publications. Once the CMMC Program is implemented, a DoD solicitation will specify the minimum CMMC Status required to be eligible for award. Below is an overview of the assessment requirements found on the Chief Information Officer - About CMMC webpage.

Level 1: Basic Safeguarding of FCI

Requirements:

  • Annual self-assessment and annual affirmation of compliance with the 15 security requirements in FAR clause 52.204-21
    • Annual affirmation requires all CMMC-certified contractors (any level) to affirm their compliance annually and upload the results to SPRS. Contracting officers will use SPRS to verify an offeror or contractor's CMMC level.

Level 2: Broad Protection of CUI

Requirements:

  • Either a self-assessment or a C3PAO assessment every three years, as specified in the solicitation
    • Decided by the type of information processed, transmitted, or stored on the contractor or subcontractor information systems
    • Annual affirmation verifying compliance with the 110 security requirements in NIST SP 800-171 Revision 2

See also the CMMC Level 2 Self-Assessment Quick Entry Guide from SPRS.

Level 3: Higher-Level Protection of CUI Against Advanced Persistent Threats

Requirements:

  • Achieve CMMC Status of Level 2
  • Undergo an assessment every three years by the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC)
  • Provide an annual affirmation verifying compliance with the 24 identified requirements from NIST SP 800-172

Project Spectrum


Designed to help Vendors understand CMMC, Project Spectrum is an initiative supported by the DoD OSBP that is free for Suppliers. Project Spectrum provides information, training, and risk assessments to help Vendors improve cyber readiness and comply with DoD requirements. Register with this learning platform to begin preparing for the CMMC.

Register for Project Spectrum

CMMC Level 1 and 2 self-assessments can be found in the Supplier Performance Risk System (SPRS).

Project Spectrum provides Cyber Readiness Training videos that cover all CMMC Level 1 and CMMC Level 2 controls to prepare Vendors for their self-assessments. Begin the CMMC Level 1 online course by selecting the button below.

Begin CMMC Level 1 Online Course

View Project Spectrum's YouTube channel to learn more about Project Spectrum through several video resources.

When a Vendor is ready to begin the Level 1 self-assessment, they will need to visit the SPRS website and access the reference material to start the self-assessment.

Begin Level 1 Assessment


Key Features of CMMC 2.0

The newest proposed features of CMMC 2.0, which remain under review until approved, include:

  • Hierarchical Model: Companies entrusted with sensitive unclassified DoD information are required to implement cybersecurity standards at progressively advanced levels, based on the type and sensitivity of the information. The program also requires subcontractors to follow the process of protecting information.
  • Assessment Requirement: The DoD verifies DIB implementation of existing cybersecurity standards by utilizing the CMMC assessments. Vendors must affirm their continuous compliance with the security requirements annually or when security changes occur.
  • Enforced by Contract Requirements: Contract awards require DoD contractors and subcontractors handling sensitive unclassified DoD information to achieve a specific CMMC level.

Phased Implementation of CMMC Requirements

DoD is implementing a phased rollout of CMMC requirements over a three-year period. The phase-in will begin once the Title 48 CMMC rule is final. During the phase-in period, inclusion of CMMC requirements in solicitations will be determined by the DoD program office or requiring activity in alignment with CMMC requirements. Once there is a requirement for a specific CMMC level in a solicitation, the CMMC requirement will be identified with stated policy from DFARS.

In some procurements, DoD may implement CMMC requirements in advance of the planned phase.

Phase 1 - Initial Implementation
  • Begins at 48 CFR Rule Effective Date
  • Where applicable, solicitations will require Level 1 or 2 Self-Assessment

Phase 2
  • Begins 12 months after Phase 1 start
  • Where applicable, solicitations will require Level 2 Certification

Phase 3
  • Begins 24 months after Phase 1 start
  • Where applicable, solicitations will require Level 3 Certification

Phase 4 - Full Implementation
  • Begins 36 months after Phase 1 start
  • All solicitations and contracts will include applicable CMMC Level requirements as a condition of contract award

A video is available that provides an overview of the Department's plans for implementation of the DoD CIO Cybersecurity Maturity Model Certification (CMMC) Program.

Learn more about the DoD CIO Cybersecurity Maturity Model Certification (CMMC) Program.


Cybersecurity Resources

The resources below are available to help Vendors stay informed and compliant with the DoD's security requirements.

DoD's Small Business Programs Cybersecurity webpage

DoD's Small Business Programs Cybersecurity webpage is designed to assist small businesses in enhancing their cybersecurity measures. Vendors can find a variety of resources to help businesses secure their systems and data to comply with federal requirements. For questions and concerns, contact DoD OSBP by phone at 571-372-6191.

DoD Procurement Toolbox

DoD Procurement Toolbox is a comprehensive collection of tools, training materials, and services designed to assist organizations in managing, enabling, and sharing procurement information across the DoD.

DoD's Controlled Unclassified Information (CUI) Program

DoD's Controlled Unclassified Information (CUI) Program is the central resource for the DoD's CUI Program, providing policy, training, desktop aids, the CUI registry, and the latest news.

DoD Chief Information Officer (CIO)

DoD Chief Information Officer (CIO) provides informational guides and supplemental documentation designed to support companies in defining the scope of a CMMC assessment and in preparing for, or conducting, a CMMC assessment.

DoD Cyber Crime Center (DC3)

DoD Cyber Crime Center (DC3) provides cyber threat information and free cybersecurity services that cover a wide range of cyber threats and support DIB companies on their CMMC journey.

National Security Agency (NSA) Cybersecurity Collaboration Center

NSA Cybersecurity Collaboration Center provides no-cost cybersecurity solutions for qualifying Defense Industrial Base (DIB) companies, such as Protective Domain Name System (DNS), attack surface management, and access to NSA non-public DIB-specific threat intelligence.

Other Security Resources

Other Cyber Security Resources can be found on the Information Operations Contractor Cyber Security Resources page.


Cybersecurity Trainings

When it comes to strengthening cybersecurity and acquisition knowledge, several training options are available to support businesses and individuals working with Government contracts.

APEX Accelerators

The APEX Accelerators program, formerly known as the Procurement Technical Assistance Program (PTAP), is managed by the Department of Defense (DoD) Office of Small Business Programs (OSBP) and plays a critical role in the Department's efforts to identify and help a wide range of businesses enter and participate in the defense supply chain. The program provides the education and training to ensure that all businesses become capable of participating in federal, state, and local government contracts.

Get Started by Finding Your APEX Location

Defense Acquisition University

Defense Acquisition University (DAU) hosts the DAU Cyber Solutions program, which offers weekly small business cybersecurity acquisition webinars on topics such as CMMC, Cyber Incident Reporting, and Cybersecurity for Contracts.

One training in particular that stands out is DAU Cyber Solutions - Basic Cyber Hygiene: A walk-through of FAR 52.204-21 and CMMC Level 1.

Department of the Air Force Chief Information Security Officer’s Blue Cyber Education Series

The Department of the Air Force (DAF) Chief Information Security Officer's (CISO) Blue Cyber Education Series for Small Businesses provides free, publicly available cybersecurity information and support.


Terms Glossary

Term Used   Meaning/Definition
C3PAO       CMMC Third Party Assessment Organization
CISO        Chief Information Security Officer
CMMC        Cybersecurity Maturity Model Certification
CUI         Controlled Unclassified Information
DAF         Department of the Air Force
DAU         Defense Acquisition University
DC3         DoD Cyber Crime Center
DFARS       Defense Federal Acquisition Regulation Supplement
DIB         Defense Industrial Base
DNS         Domain Name System
DoD         Department of Defense
FCI         Federal Contract Information
NSA         National Security Agency
OSBP        Office of Small Business Programs
SPRS        Supplier Performance Risk System