- DFARS Interim Rule for the protection of Dept. of Defense Controlled Unclassified Information (CUI)
- Supplier Security Bulletin (SSB) - 003 - Urgent Request to Patch Windows 10 and Windows Server. This urgent request to make sure your systems are patched comes from a letter issued by the Chief Information Officer (CIO) from the Undersecretary of Defense for Acquisition. While monthly patching of your computer operating systems is a basic requirement for electronic processing of any DoD information, this urgent request cites specific vulnerabilities.
- Defense Counterintelligence and Security Agency (DCSA) - Formerly: Defense Security Service
- Office of the Under Secretary of Defense for Acquisition and Sustainment Cybersecurity Maturity Model Certification (CMMC) - The Cybersecurity Maturity Model Certification is enhancing the protection of Controlled Unclassified Information (CUI) within the Supply Chain.
- 2020 Defense Supply Chain Cybersecurity Resiliency Seminars - Check the CMMC web site for other seminars in your area.
- 2019 National Cyber Security Awareness Month
- 2019 Insider Threat Awareness Month Packet (PDF)
- Counterintelligence Awareness (PDF)
- Exploitation of Global Supply Chain (PDF)
- Defense Counterintelligence and Security Agency Handouts
When sending technical data to EB, suppliers should use the SPARS application or GD E-Supply. Email is only acceptable when the technical data is encrypted using a FIPS 140-2 certified product. This requirement for encrypted data transfers is found in NIST SP 800-171 as invoked by DFARS 252.204-7012. As an additional clarification, the decryption password must be sent separately.
Sending technical data unencrypted over the internet is a violation of Electric Boat policies and of one or more of the following data protection standards:
- International Traffic in Arms Regulations (ITAR), 22 CFR 120.10
- DoDM 5200.01 V4; DoD Information Security Program: Controlled Unclassified Information
- OPNAVINSTR N9210.3; Safeguarding of Naval Nuclear Propulsion Information
Technical data covered under these requirements includes all Controlled Unclassified Information (CUI) marked For Official Use Only (FOUO), Export Controlled, NOFORN (for U-NNPI data) or UCNI (for Unclassified Controlled Nuclear Information). Classified information must never be emailed to an @gdeb.com email address.
As a reminder, please make sure all documentation is accurately and appropriately marked with a data sensitivity level, DoD distribution statements, export control warning or any proprietary data markings before providing it to Electric Boat by any means.
Supplier Security Bulletins (SSBs) will be a new series of publications on emergent security items the supply base should be aware of. SSBs will be mailed directly to affected suppliers, and publicly releasable versions will also be posted here for reference.
JCP has rolled out a new required training module. Completion of the training by the company representative signing the certification form 2345, and return of the signed training acknowledgment, is a new JCO requirement. If your business does not have other specific ITAR training for your employees handling technical data, the JCO presentation is a good starting point on which to build your training element.
- DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (PDF)
- Network Penetration Reporting and Contracting for Cloud Services (DFARS Case 2013-D018) Frequently Asked Questions (FAQs) (PDF) - An additional resource for DoD's FAQ
If your company also uses other Defense Logistics Agency (DLA) data and you get technical data directly from DLA, you will also be required to complete an additional form on your network's compliance with DFARS. Note: this element is only required if you use other DLA services and download data directly from the DLA.
JCP Certification process change
EB has been advised by the Joint Certification Office (JCO) that, in order to heighten data security awareness, the JCO has instituted a new training requirement. Any JCP certification change request or resubmittal for renewal will require this new training to be completed, acknowledged, and returned promptly to the JCO, or your company's certification may be canceled.