Cybersecurity in the Supply Chain
Government, prime contractors, and suppliers are increasingly being targeted in cybersecurity attacks and our industry must work together to safeguard its critical infrastructure and sensitive information. Awareness of these mounting cyber risks and implementation of effective cybersecurity controls are essential components of keeping information protected. Leidos is committed to employing innovative and compliant cybersecurity processes to protect our networks, information, and systems.
Leidos understands the important role our suppliers play in defending information and networks from cyber threats. We also understand the value that cybersecurity experience plays in creating and maintaining a competitive advantage for our separate organizations. Our mutual success is impacted by our ability to collaborate on identifying and managing cyber risks.
Cybersecurity and NIST SP 800-171 Assessments
Suppliers are required to demonstrate compliance by meeting the 110 security requirements in NIST SP 800-171 and submitting their self-assessment score to the Supplier Performance Risk System (SPRS).
Contractors are required (at minimum) to report cyber incidents within 72 hours directly to the DoD's DIB Cybersecurity Program and immediately to Leidos at [email protected].
The Cyber DFARS clauses must be flowed down to all suppliers when performance will involve operationally critical support or Controlled Unclassified Information.
Cybersecurity in the Supply Chain
As cyber threats continue to grow throughout the entire supply chain, it is important that Leidos strengthen our cybersecurity posture to protect against security vulnerabilities. As a trusted supplier, we may share sensitive information with your company, and therefore we are mutually obligated to protect that information from access by unauthorized parties. Gaining insight into your company's cybersecurity posture and your ability to protect the sensitive information we share with you will provide vital information on where to improve cybersecurity efforts in the supply chain.
Leidos uses OneTrust to document compliance and risk via self-assessment questionnaires. Self-assessments measure compliance with Department of Defense (DoD) cybersecurity standards for defense contractors and their supply chains, as outlined in NIST SP 800-171 under DFARS provision 252.204-7012, and provide insight into the past, present, and future strengths and vulnerabilities of our value chains. By taking these steps, together we can help strengthen the industry.
We thank you in advance for your cooperation in helping Leidos enhance cybersecurity within the supply chain. If you are experiencing system-related issues, please contact the OneTrust Customer Support Team at 844-847-7154 or Create a Support Case.
Industry Cybersecurity Resources
- National Defense Information Sharing and Analysis Center™ (NDISAC) CyberAssist
- The Defense Industrial Base (DIB) Sector Coordinating Council (DIB SCC) serves as the primary private sector policy coordination and planning entity for the DIB to discuss cybersecurity, physical security, insider threat, and issues that affect the resiliency of the DIB. The DIB SCC CyberAssist website provides trusted resources to assist DIB companies and suppliers of varying sizes with the implementation of cyber protections and awareness of cyber risk, regulations, and accountability for their supply chains.
- Project Spectrum
- Project Spectrum is a comprehensive, cost-effective platform that provides companies, institutions, and organizations with cybersecurity information, resources, tools, and training. Their mission is to improve cybersecurity readiness, resiliency, and compliance for small/medium-sized businesses and the federal manufacturing supply chain.
Small Business Cybersecurity Resources
- SBA Strengthen your cybersecurity
- The U.S. Small Business Administration provides resources for Small Businesses to better understand cybersecurity and common threats, assess risks, protect their business, and get additional training.
- NIST Small Business Cybersecurity Corner
- NIST offers a large library of cybersecurity resources geared towards small businesses. These include planning guides to help create, evaluate, and improve security plans; all-purpose guides that cover multiple cybersecurity topics; and training in the form of educational courses, webinars, and videos.
Government Standards & Cybersecurity Resources
The National Institute of Standards and Technology (NIST) was founded in 1901 and is now part of the U.S. Department of Commerce. NIST’s mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.
- NIST Cybersecurity Framework: A Quick Start Guide
- Cybersecurity Supply Chain Risk Management (C-SCRM)
- NIST SP 800-53 Rev. 5: Security and Privacy Controls for Information Systems and Organizations
- NIST SP 800-161 Rev. 1: Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations
- NIST SP 800-171: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
- NIST SP 800-171A: Assessing Security Requirements for Controlled Unclassified Information
- NISTIR 8276: Key Practices in Cyber Supply Chain Risk Management: Observations from Industry
CISA has compiled a list of free cybersecurity tools and services to help organizations further advance their security capabilities. This repository includes cybersecurity services provided by CISA, widely used open-source tools, and free tools and services offered by private and public sector organizations across the cybersecurity community.