Aerojet Rocketdyne (AR) takes the protection of information seriously. Some contracts are subject to information security obligations to the Department of Defense and NASA.
This page provides important resources for our suppliers to be able to comply with cybersecurity requirements of the Agreements and Purchase Orders they receive. AR incorporates cybersecurity requirements in its General Provisions, Supplemental Government Terms and Conditions, and the Annual Business Certification (ABC). Links to resources are provided below.
Cybersecurity Maturity Model Certification (CMMC)
- DFARS Interim Rule: DFARS Case 2019-D041 - Defense Federal Acquisition Regulation Supplement (DFARS) - Assessing Contractor Implementation of Cybersecurity Requirements). Effective November 30, 2020; implements 3 new DFARS clauses:
- 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements
- 252.204-7020, NIST SP 800-171 DoD Assessment Requirements
- 252.204-7021, Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirement
NOTE: For link to the DFARS Case and full text of clauses see 11-19-20 letter to suppliers in "Resources" below.
- ACTIONS REQUIRED:
All DoD suppliers, except providers of solely "Commercial-Off-The-Shelf" (COTs) items as those are defined in FAR 2.101, Definitions, must take the following actions: The supplier must flow down DFARS 252.204-7020, including paragraph (g) titled "subcontracts", in all solicitations and contracts, with certain exceptions (such as those solicitations or contracts solely for the acquisition of COTS items).
- Complete (at least) a Basic self-assessment of compliance to the NIST SP 800-171 controls using the DoD Assessment Methodology cited above, AND
- Submit summary level scores of the assessment and other information required by DFARS 252.204-7020 into the Government's Supplier Performance Risk System (SPRS) or send the information via encrypted emailed to firstname.lastname@example.org; OR
- The Government performed a Medium or High Assessment within the last 3 years on supplier's covered contractor information systems applicable to the work performed under DoD contracts (that are not part of an information technology system that the supplier operates on behalf of the Government) and the results of the Government assessment were entered into SPRS.
NOTE: SPRS Support Contact Phone: (207) 438-1690
SPRS Access: https://www.sprs.csd.disa.mil/access-nongov.htm
- What is CMMC? CMMC is the DoD process beginning in late 2021 in which independent third-party auditors trained and accredited by the DoD will assess its suppliers' compliance to DoD Federal Acquisition Registration (FAR) Supplement (DFARS) 252.204-7012 and NIST SP 800-171.
- DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting
- How does CMMC work? Accredited CMMC auditors will review all DoD suppliers and combine various cybersecurity standards and best practices and map these controls and processes across several maturity levels. For a given CMMC level, the associated controls and processes, when implemented, will reduce risk against a specific set of cyber threats. The third-party cybersecurity assessments should result in supplier certifications ranging from 1 (lower – basic cyber hygiene) to 3 (for suppliers that access Controlled Unclassified Information (CUI)), or 5 (highest – most advanced compliance).
- What is the Impact to Suppliers? Government solicitations will specify the CMMC level required for prime contractors and subcontractors at all tiers of the supply chain. As the CMMC program continues to mature over the next few years, eventually all suppliers to Aerojet Rocketdyne under DoD programs will require CMMC to the appropriate level to participate on DoD programs.
Please learn about the CMMC program and be cybersecurity compliant to meet AR's expectations for its suppliers. AR believes the resources provided below will be helpful.
- AR Letter dated: 11-19-2020, Supply Chain Cybersecurity Compliance – DFARS Interim Rule
- Office of the Under Secretary of Defense of Acquisition and Sustainment CMMC
- Department of Defense - Defense Industrial Base (DIB) Website
- DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting
- DoD NIST SP 800-171 Rev 1
- DoD Procurement Toolbox - Cybersecurity
- CMMC Accreditation Board
- NASA NIST SP 800-53 Rev 4
- NASA FAR Supplement (NFS) 1852.204-76 Security Requirements for Unclassified Information Technology Resources
- AR General Provisions (GPs), Form SCM-AS302-1
- AR Supplemental Government Terms and Conditions, Form SCM-AS302-2
- AR Annual Business Certification (ABC), Form SCM-F-7.11.01.09.003