Cybersecurity and doing business with Leidos

As technology evolves so should our efforts to protect all elements of that technology from internal and external threats. Bad actors are finding new and innovative ways to infiltrate systems and we must be proactive to provide the protections mandated through government regulations, as well as customer requirements.

Leidos supports many customers in varying sectors that have critical infrastructure relying on the technology developed or provided in support of those customers, but our customers and their missions are not the only focus of our cybersecurity protections and requirements. We partner with our suppliers and teammates to ensure adequate protections are in place to protect all data from theft and damages. This includes Leidos, customer, and supplier intellectual property and proprietary data, personally identifiable information, protected health information, and government and industry data and information systems.

Cybersecurity readiness doesn’t happen overnight. Our goal is to guide you through assessing your current state by providing resources through various organizations, agencies, regulations and standards, and tools that will prepare you for the increased regulatory scrutiny and expectations.

Our commitment to our supply chain partners

Leidos will commit to working with you every step of the way, providing guidance and resources to help you navigate these complex requirements. The key to being ready to combat cybersecurity vulnerabilities is to START NOW. Without the protections in place, you could be restricted from providing goods or services in the government marketplace.

There are two different areas of focus to assist you depending on what customers your efforts may be supporting as a vital member of Team Leidos:

Cybersecurity Model Maturity Certification (CMMC): The Defense Industrial Base (DIB) is the target of more frequent and complex cyberattacks. To protect American ingenuity and national security information, the Department of Defense (DoD) developed the Cybersecurity Maturity Model Certification (CMMC) 2.0 program to reinforce the importance of DIB cybersecurity for safeguarding the information that supports and enables our warfighters.
Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA): Governed by the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA), this Act covers 16 different government agencies, including DoD, providing guidance on reporting of cybersecurity events/incidents and focused heavily on ransomware attacks that could impact the United States infrastructure.

CMMC

CMMC is a Department of Defense initiative that was first introduced as a concept back in 2010 with Executive Order 13556. This executive order defined Controlled Unclassified Information (CUI) and how to determine if a CUI designation was applicable to documents generated either by a government agency or a contractor in performance of a Prime contract for a government agency. CMMC 1.0 was established in November 2020, and we are now moving to CMMC 2.0.

Learn more about the history of CMMC

Key Dates for CMMC 2.0

The underlying standard for CMMC is the National Institute of Standards and Technology (NIST) 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. The NIST standard was first released in 2016 and as cybersecurity threats have evolved, along with the tools to combat those threats, the standard has been kept current. Rev 3 was published in May 2024.

The CMMC 2.0 implementation plan is divided into four phases. Here are the key elements of each phase:

Phase	Timeline	Assessment Level Expected
1	Begins on effective date of 48 CFR Rule	Level 1 or 2 Self-assessment as a condition of contract award.
2	12 months from Phase 1	Adds Level 2 third-party (C3PAO) certification, when applicable, as a condition of contract award.
3	12 months from Phase 2	Adds Level 2 C3PAO certification for option periods on existing contracts and adds Level 3 C3PAO certification for applicable contracts.
4	12 months from Phase 3	CMMC requirements in all applicable DoD contracts at award and of option periods for contracts awarded prior to this phase.

Dive into the fundamentals of the Cybersecurity Maturity Model Certification (CMMC) and understand its importance for securing the Defense Industrial Base.

Read the CMMC 101 Guide

Understanding the Latest Developments

As a trusted partner in our supply chain, we appreciate your commitment to excellence and your critical role in supporting our Department of Defense (DoD) contracts. We are writing to inform you about recent regulatory changes and to encourage your proactive engagement in ensuring compliance.

Proposed Policy Rule Publication

On December 16, 2024, the 32 CFR final rule became effective, introducing the CMMC 2.0 Program. This document outlines the framework for assessing and certifying cybersecurity practices across the defense industrial base (DIB). You can find the full content of the rule on Regulations.gov.

Ongoing Federal Rulemaking

Federal rulemaking is a dynamic process, and members of the DIB anticipate further developments. Keep an eye out for regulatory updates related to implementing contractual requirements. Specifically, watch for proposed changes and final rules associated with the following Defense Federal Acquisition Regulation Supplement (DFARS) clauses:

DFARS 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting
DFARS 252.204-7019: Emphasizes NIST SP 800-171 self-assessments. Contractors must report their self-assessment scores via the Supplier Performance Risk System (SPRS)
DFARS 252.204-7020: Outlines the requirements for assessing and validating the implementation of the NIST Special Publication 800-171 controls within the defense supply chain
DFARS 252.204-7021: Cybersecurity Maturity Model Certification Requirements
DFARS 252.204-7YYY: Notice of Cybersecurity Maturity Model Certification Level Requirements, notifying offerors of the specific CMMC level required by the solicitation

Preparing for CMMC Assessments and Certifications

It’s prudent for all DIB companies handling Controlled Unclassified Information (CUI) to proactively address the underlying NIST 800-171 requirements. By doing so, you’ll be well-prepared for potential contractual CMMC obligations. Consider engaging with the CyberAB (official accreditation body of the CMMC) to facilitate a third-party assessment and certification process.

CMMC Maturity Levels

The CMMC Framework requires a systematic approach to certification mapped to three organizational maturity levels: Foundational, Advanced, and Expert.

Level 1: Self-assessment; Protect Federal Contract Information (FCI)
- 15 cybersecurity controls in FAR 52.204-21 clause
- Controls must be met 100%, no Plan of Action & Milestones (POAM) permitted
Level 2: Self-assessment progressing to third-party certification; Protect Controlled Unclassified Information (CUI)
- 110 cybersecurity controls (320 assessment objectives) in NIST SP 800-171 r2, as already required for contracts with DFARS 252.204-7012 clause
- Limited POAMs, only for certain controls and must be reassessed as 100% met within 180 days
Level 3: Third-party and Government certification; Protect CUI and withstand advanced persistent threats
- Level 2, plus 24 enhanced security requirements selected from NIST 800 SP 800-172
- Limited POAMs, only for certain controls and must be reassessed as 100% met within 180 days

Prime contract award will identify CMMC level required. Leidos must flow this down to subcontractors or suppliers. Level 1 is applicable if subcontractor will only process, store, or transmit FCI (not CUI); otherwise, the same Level 2 assessment as the prime is required by the subcontractor/supplier, or Level 2 (C3PAO) when the prime has a Level 3 requirement.

Engaging with Third-Party Assessors

When the organization is ready, engage with certified Third-Party Assessment Organizations (C3PAOs) to undergo an official CMMC assessment. The C3PAO will evaluate the organization's cybersecurity practices and determine if it meets the requirements for the desired CMMC level.

Enhancing Awareness and Preparedness

While rulemaking is in progress, prepare for a CMMC 2.0 assessment. Stay informed about updates and guidelines. To deepen your understanding of CMMC and fortify your cybersecurity posture, we recommend accessing the various resources provided here and through the ND-ISAC and others as noted in the Resources section of this page.

Take a moment to review a presentation from the Leidos Supply Chain Risk and Performance Team, covering CMMC 2.0 topics and frequently asked questions ahead of the final publication of the 48 CFR rule.

NARA FAR CUI Program

DoD, GSA, and NASA are proposing to amend the FAR to introduce several important updates related to CUI requirements. These updates aim to standardize the identification, handling, and safeguarding of CUI in federal contracts. Proposed additions include but are not limited to three new FAR clauses to create uniformity for CUI management, and a new Standard Form XXX to create a standard method for the Government identification, protection, and management of CUI during contract performance.

CIRCIA

In March 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Enactment of CIRCIA marked an important milestone in improving America’s cybersecurity by, among other things, requiring the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) to develop and implement regulations requiring covered entities to report covered cyber incidents and ransomware payments to CISA. The proposed regulations are currently in the rule making stage, but CISA has many resources available to help your business protect itself and the customers you support.

Critical Infrastructure Defined

The CIRCIA and proposed rule, along with a White House National Security Memorandum on Critical Infrastructure issued on April 30, 2024 established 16 agencies that are responsible for securing critical infrastructure sectors. When subcontracting with Leidos, the customer or end-user should be identified in the subcontract documentation which can help you determine if you are a part of the critical infrastructure supply chain.

Reporting Incidents

Until rule making is complete for CIRCIA and a final rule is published, reporting of cybersecurity incidents is voluntary, but highly encouraged. Reporting allows CISA and the relevant agencies to put mitigation strategies and solutions in place. Once the final rule is published, you can expect updates to your subcontract terms and conditions as the Prime contracts are updated with additional guidance on required reporting timeframes.

Resources

CMMC

Defense Department CMMC Resources & Documentation
32 CFR Final Rule
National Defense Information Sharing Analysis Center (ND-ISAC)
- Join this collaborative platform to stay informed about emerging threats, best practices, and industry insights.
ND-ISAC DIB Sector Coordinating Council (SCC) Cyber Assist
- Regularly monitor updates from the SCC Cyber Assist team. They provide valuable guidance on NIST 800-171 requirements and upcoming CMMC practices.
National Archives CUI Registry
DoD Memo: Implementing the CMMC Program
Leidos Chat: CMMC for Suppliers and Subcontractors
NSA-Developed Open Source Software
- The National Security Agency’s official open source software platform offers a range of tools and resources developed to enhance cybersecurity practices, which can help strengthen cybersecurity posture, paving the way toward CMMC certification.

CIRCIA

Small and Medium Size Business Support

NARA FAR CUI Program

Proposed Rule