
Cybersecurity
The Need for Cybersecurity Throughout Our Supply Chain
The threats facing industry’s ability to adequately safeguard its critical infrastructure are escalating dramatically. DoD policy states that “cybersecurity be fully considered and implemented in all aspects of acquisition programs across the life cycle and responsibility for cybersecurity extends to all members of the acquisition workforce.”
At General Dynamics Bath Iron Works, we are committed to a proactive cybersecurity approach to safeguard our networks, information and systems. Review our resources for our suppliers on federal regulations and how to report cybersecurity incidents.

Reporting a Cybersecurity Incident
In accordance with DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting, subcontractors, including vendors and consultants, are required to rapidly report cyber incidents within 72 hours of discovery to the BIW Buyer point of contact, to the General Dynamics Bath Iron Works Security Operations Center hotline at 207-442-3672, and directly to the Department of Defense (DoD). This includes providing the incident report number, automatically assigned by the DoD, to General Dynamics Bath Iron Works as soon as possible.
Federal regulations
Regulatory References
In this section, you can find information on federal regulations and additional references for suppliers.
Federal Acquisition Regulation
FAR clause 52.204-21 is applicable to all solicitations and contracts when a contractor or subcontractor at any tier may have federal contract information residing in or transiting through its information systems, including commercial items other than commercially available off-the-shelf (COTS) items.
To learn more, go to: https://www.acquisition.gov/far/52.204-21
Defense Federal Acquisition Regulation Supplement (DFARS)
| DFARS | Prescription |
|---|---|
| 252.204-7008 Compliance with Safeguarding Covered Defense Information (Oct 2016) | All solicitations, including solicitations using FAR part 12 procedures for the acquisition of commercial items, except for solicitations solely for the acquisition of commercially available off-the-shelf (COTS) items |
| 252.204-7009 Limitation on the Use or Disclosure of Third Party Contractor Reported Cyber Incident Information (Oct 2016) | All solicitations and contracts, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial items, for services that include support for the Government’s activities related to safeguarding covered defense information and cyber incident reporting |
| 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting (Oct 2016) | All solicitations and contracts, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial items, except for solicitations and contracts solely for the acquisition of COTS items |
| 252.239-7009 Representation of Use of Cloud Computing (Sept 2015) | All solicitations, including solicitations using FAR part 12 procedures for the acquisition of commercial items, for information technology services |
| 252.239-7010 Cloud Computing Services (Oct 2016) | All solicitations and contracts, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial items, for information technology services |

General Dynamics Suppliers
Flow-Down Clauses
The applicable flow-down clauses are included in General Dynamics Bath Iron Works terms and conditions for its suppliers.
Cybersecurity Maturity Model Certification
Certification of cybersecurity compliance is led by the Office of the Under Secretary of Defense for Acquisition and Sustainment, and CMMC assessment results will be tracked by the DoD. All companies will require a CMMC assessment and rating to one of the CMMC levels from 1 to 3 (except COTS suppliers), and DoD solicitations may restrict the use of suppliers below a specified CMMC level.
General protection of CUI will require either a self-assessment or a certification assessment by a CMMC Third-Party Assessment Organization (C3PAO) at Level 2. A higher level of protection from advanced persistent threats will be required for some CUI and will require an assessment by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) at CMMC Level 3. If BIW’s contract requires a CMMC Level 2 certification assessment by a C3PAO, BIW’s suppliers receiving, creating, processing, storing, or transmitting CUI will also be required to have a CMMC Level 2 certification assessment by a C3PAO. All CMMC levels require initial and annual affirmations of compliance by the contractor’s or supplier’s senior-level representative responsible for ensuring the contractor’s compliance with the CMMC Program requirements.
DoD anticipates a phased implementation of the CMMC Program beginning in early to mid-2025. To prepare for implementation of the CMMC Program, all USG contractors, including suppliers, must be working towards full compliance with FAR 52.204-21 and DFARS 252.204-7012 security requirements. As an example, if a supplier currently has a Plan of Action and Milestones (POAM) to address CMMC requirements that it has not fully implemented, the supplier should quickly complete and close the open requirements. Under the CMMC Program to be implemented, POAMs will be allowed on a very limited basis and must be closed within 180 days of the assessment. Moreover, suppliers receiving, creating, processing, storing, or transmitting FCI or CUI must have a minimum assessment score of 88. There is no process for contractors to request waivers of the CMMC Program requirements.
For additional information, please refer to the DoD CIO website.
Cybersecurity Resources





