Aerojet Rocketdyne (AR) takes the protection of information seriously. Some contracts are subject to information security obligations to the Department of Defense and NASA.
This page provides important resources for our suppliers to be able to comply with cybersecurity requirements of the Agreements and Purchase Orders (PO) they receive. AR incorporates cybersecurity requirements in the following forms:
- SCM-AS302-1, General Provisions
- SCM-AS302-2, Supplemental Government Terms and Conditions
- SCM-F-7.11.01.09.003, Annual Business Certification (ABC)
Implemented October 2016:
- DFARS 252.204-7008, Compliance with Safeguarding Covered Defense Information Controls
- DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting
Implemented November 30, 2020:
NIST SP 800-171 ASSESSMENT UNDER DFARS 252.204-7019 and 252.204-7020
- 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements
- 252.204-7020, NIST SP 800-171 DoD Assessment Requirements
Cybersecurity Maturity Model Certification (CMMC) under DFARS 252.204-7021
- 252.204-7021, Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirement (Clause will not be in any contracts until CMMC 2.0 is in effect, estimated Spring 2023)
NOTE: For the DFARS Case and the full text of the clauses, see the AR Letter dated 11-19-2020, Supply Chain Cybersecurity Compliance – DFARS Interim Rule
NIST SP 800-171 Information: https://www.acq.osd.mil/asda/dpc/cp/cyber/safeguarding.html#nistSP800171
All DoD suppliers must take the following actions, unless they provide only "Commercial-Off-The-Shelf" (COTS) items as defined in FAR 2.101, Definitions:
- The supplier must flow down DFARS 252.204-7020, including paragraph (g) titled "Subcontracts," in all solicitations and contracts, with certain exceptions (such as those solicitations or contracts solely for the acquisition of COTS items).
- Complete a NIST SP 800-171 basic self-assessment. A template can be found on Tab 2 titled "Questionnaire" located at: Comprehensive NIST SP 800-171 Self-Assessment Worksheet with Automated FAR and Above and SPRS Scoring
- Register in the Procurement Integrated Enterprise Environment (PIEE), which concurrently allows access to SPRS. The supplier must have the same Contract Administrator as in SAM.gov and must have a Commercial and Government Entity (CAGE) code. If help is needed with PIEE or SPRS registration, see their support phone numbers listed below.
- In SPRS, enter CAGE code, assessment score, and other required information as shown on the SPRS site.
- Enter the self-assessment summary score in SPRS, the Supplier Performance Risk System (disa.mil). Alternatively, the information can be sent via encrypted email to firstname.lastname@example.org
- Note: As progress towards compliance improves, subsequent self-assessments should be entered as updates on the SPRS site.
- Send screenshot of SPRS entry and any subsequent updated entries to AR at ARSC@rocket.com
- Continue to work on Plans of Actions and Milestones (POAMs) for NIST SP 800-171 controls not yet compliant.
- Note that AR POs which contain DFARS 252.204-7020 cannot be awarded until AR has confirmed the supplier has complied.
Letters to Suppliers/Supplier Communications
FOR SPRS and/or PIEE HELP CALL:
SPRS Support Phone: (207) 438-1690
PIEE Support Phone: (866) 618-5988
- What is CMMC? CMMC is the DoD's Cybersecurity Maturity Model Certification program to incorporate cybersecurity requirements into DoD acquisition programs, including increased assurance that contractors and subcontractors are meeting those requirements. The DoD will begin to require CMMC certification in some contracts once rulemaking is complete, as early as May 2023 (original CMMC structure 1.0 is suspended). CMMC version 2.0 will focus on NIST SP 800-171 basic self-assessments for most suppliers handling Federal Contract Information (Level 1). Suppliers handling Controlled Unclassified Information at Level 2 will require an assessment by independent third-party auditors trained and accredited by the DoD. DoD-certified auditors will assess suppliers seeking Level 3. The DoD plans to phase in requiring CMMC for all contracts over ensuing years.
- DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting.
- For a given CMMC level, the associated controls and processes, when implemented, will reduce risk against a specific set of cyber threats. The third-party cybersecurity assessments should result in supplier certifications ranging from 1 (lower – basic cyber hygiene) to 2 (for suppliers that access Controlled Unclassified Information (CUI)) or 3 (highest – most advanced compliance).
- What is the Impact to Suppliers? Government solicitations will specify the CMMC level required for prime contractors and subcontractors at all tiers of the supply chain. As the CMMC program continues to mature over the next few years, eventually all suppliers to Aerojet Rocketdyne under DoD programs will require CMMC to the appropriate level to participate on DoD programs.
Please learn about the CMMC program and be cybersecurity compliant to meet AR's expectations for its suppliers.
Additional Supplier Resources
- CMMC Home Page
- Department of Defense - Defense Industrial Base (DIB) Website
- Department of Defense Memorandum June 16, 2022
- DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting
- NIST SP 800-171 Rev. 2, Protecting CUI in Nonfederal Systems and Organizations | CSRC (nist.gov)
- DoD Procurement Toolbox - Cybersecurity
- CMMC Accreditation Body
- NASA NIST SP 800-53 Rev 5
- NASA FAR Supplement (NFS) 1852.204-76 Security Requirements for Unclassified Information Technology Resources Part 1852 - Solicitation Provisions and Contract Clauses | Acquisition.GOV
Small- to Medium-Size Business - Cybersecurity Training and Resources
Note from CMMC Information Institute regarding NIST SP 800-171 Basic self-assessment tool:
"We hope the tool is useful to you and welcome feedback on how to improve it. As noted in the tool, it is released under the Creative Commons CC-BY-SA license. You are welcome to use and share the tool, including for commercial purposes, but you must include a reference back to the CMMC Information Institute. Please see the CC-BY-SA license for more details, and please see the tool for additional disclaimers. While you are free to redistribute the tool, we do update it from time to time, and strongly suggest that visitors return here for the latest version."