Cybersecurity Advice

Government, prime contractors, and suppliers are increasingly being targeted in cybersecurity attacks and our industry must work together to safeguard its critical infrastructure and sensitive information. Awareness of these mounting cyber risks and implementation of effective cybersecurity controls are becoming critical components of keeping information protected. Leidos is committed to employing innovative and compliant cybersecurity processes to protect our networks, information, and systems.

Leidos understands the important role our suppliers play in defending our and our customers’ information and networks from cyber threats. We also understand the value that cybersecurity experience plays in creating and maintaining a competitive advantage for our separate organizations. Our mutual success is impacted by our ability to collaborate on identifying and managing cyber risks.

Cybersecurity and NIST SP 800-171 Assessments

: Suppliers achieve compliance by meeting the 110 security requirements in NIST SP 800-171 and, submitting their self-assessment score to the Supplier Performance Risk System.
: Contractors are required to report cyber incidents within 72 hours directly to the DoD's DIB Cybersecurity Program and to Leidos.
: The Cyber DFARS clauses must be flowed down to all suppliers when performance will involve operationally critical support or Controlled Unclassified Information. Any request to vary from NIST SP 800-171 security requirements shall be notified to Leidos or next higher-tier subcontractor.

Leidos and Exostar, Cybersecurity, and Compliance in Supply Chain

As cyber threats continue to grow throughout the entire supply chain, it is important that Leidos strengthen our cybersecurity posture to protect against security vulnerabilities. As a trusted supplier, we may share sensitive information with your company, and therefore we are mutually obligated to protect that information from access by non-authorized parties. Gaining insight into your company’s cybersecurity posture and your ability to protect the sensitive information we share with you will provide vital information on where to improve cybersecurity efforts in the supply chain.

Leidos has partnered with Exostar to document compliance via their self-assessment questionnaire(s). The value of this self-assessment is two-fold: 1) It will measure compliance with Department of Defense (DoD) cybersecurity standards for defense contractors and their supply chains, as outlined in NIST SP 800-171 under DFARS provision 252.204-7012, and 2) It will provide deep and timely insight into the past, present, and future strengths and vulnerabilities of our value chains. By taking these steps, together we can help strengthen the industry. These questionnaires will be completed via Exostar’s self-assessment tool. The Cybersecurity Questionnaire contains questions about your overall cybersecurity posture. The Compliance Questionnaire measures your compliance against cybersecurity standards outlined in NIST SP 800-171 as mandated by DFARS provision 252.204-7012.

Leidos has also introduced the Exostar tool, ForumPass Defense. ForumPass Defense is a secure, cloud-based collaboration platform designed to share Controlled Unclassified Information (CUI) and Covered Defense information (CDI) with both our internal and external partners. This Microsoft SharePoint tool uses multifactor authentication. We incorporated an additional layer of security called Digital Rights Management (DRM). DRM adds security at the document level, which protects document content from unauthorized access or distribution.

We thank you in advance for your cooperation in helping Leidos enhance cybersecurity within the supply chain. If you have any other questions, please reach out to us directly at the following email address: [email protected]. If you are experiencing system related issues, please contact the Exostar Customer Support Team at 703-793-7800 or visit their Customer Support website https://my.exostar.com/display/TE/Support.

Additional Resources

Partner Information Manager (PIM)

ForumPass

References and Resources

To assist suppliers in achieving compliance with the NIST SP 800-171 security controls, Leidos has provided links to helpful publicly available resources for each NIST SP 800-171 Controls.

Department of Defense Resources

NIST SP 800-171 DoD Assessment Methodology
DOD Procurement Toolbox
- DOD regulations and FAQ regarding cybersecurity

Industry Resources

National Defense Information Sharing and Analysis Center ™ (NDISAC) CyberAssist
- Leidos has collaborated with other Defense Industry Base (DIB) companies to establish a website with publicly available resources to help suppliers increase their cyber security posture and comply with regulatory requirements
Project Spectrum
- Project Spectrum is an initiative/free to businesses supported by the Department of Defense Office of Small Business Programs

Small Business Resources

NIST Small Business Help Guide

National Institute of Standards and Technology

Cybersecurity Compliance FAQ

DoD FAQs for Cybersecurity
- Department of Defense Frequently asked Questions covering:
  - Assessing Contractor Implementation of NIST SP 800-171 Security Requirements
  - Basic Safeguarding of Contractor Information Systems (FAR clause 52.204.21)
  - NIST SP 800-171
  - Safeguarding Covered Defense Information and Cyber Incident Reporting (DFARS 252.204-7008 and 252.204-7012)
  - Cloud Computing
  - Limitations on the use or disclosure of third-party contractor reported cyber incident information (DFARS clause 252.204-7009)