Cybersecurity and doing business with Leidos
As technology evolves so should our efforts to protect all elements of that technology from internal and external threats. Bad actors are finding new and innovative ways to infiltrate systems and we must be proactive to provide the protections mandated through government regulations, as well as customer requirements.
Leidos supports many customers in varying sectors that have critical infrastructure relying on the technology developed or provided in support of those customers, but our customers and their missions are not the only focus of our cybersecurity protections and requirements. We partner with our suppliers and teammates to ensure adequate protections are in place to protect all data from theft and damages. This includes Leidos, customer, and supplier intellectual property and proprietary data, personally identifiable information, protected health information, and government and industry data and information systems.
Cybersecurity readiness doesn’t happen overnight. Our goal is to guide you through assessing your current state by providing resources through various organizations, agencies, regulations and standards, and tools that will prepare you for the increased regulatory scrutiny and expectations.
Our commitment to our supply chain partners
Leidos will commit to working with you every step of the way, providing guidance and resources to help you navigate these complex requirements. The key to being ready to combat cybersecurity vulnerabilities is to START NOW. Without the protections in place, you could be restricted from providing goods or services in the government marketplace.
There are two different areas of focus to assist you depending on what customers your efforts may be supporting as a vital member of Team Leidos:
- Cybersecurity Maturity Model Certification (CMMC): The Defense Industrial Base (DIB) is the target of more frequent and complex cyberattacks. To protect American ingenuity and national security information, the Department of Defense (DoD) developed the Cybersecurity Maturity Model Certification (CMMC) 2.0 program to reinforce the importance of DIB cybersecurity for safeguarding the information that supports and enables our warfighters.
- Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA): Governed by the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA), this Act covers 16 different government agencies, including DoD, and provides guidance on reporting cybersecurity events and incidents, with a heavy focus on ransomware attacks that could impact United States infrastructure.
CMMC
CMMC is a Department of Defense initiative that was first introduced as a concept back in 2010 with Executive Order 13556. This executive order defined Controlled Unclassified Information (CUI) and how to determine whether a CUI designation applies to documents generated either by a government agency or by a contractor in performance of a Prime contract for a government agency. CMMC 1.0 was established in November 2020, and we are now moving to CMMC 2.0. Learn more about the history of CMMC.
Key Dates for CMMC 2.0
The underlying standard for CMMC is National Institute of Standards and Technology (NIST) SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. The NIST standard was first released in 2016 and, as cybersecurity threats have evolved along with the tools to combat them, the standard has been kept current. Rev 3 was published in May 2024.
The CMMC 2.0 implementation plan is divided into four phases. Here are the key elements of each phase:
Phase | Timeline | Assessment Level Expected
---|---|---
1 | Begins on the effective date of the CMMC revision to DFARS 252.204-7021 | Level 1 or Level 2 self-assessment as a condition of contract award.
2 | 6 months from Phase 1 | Adds Level 2 third-party (3PAO) certification, when applicable, as a condition of contract award.
3 | 12 months from Phase 2 | Adds Level 2 3PAO certification for option periods on existing contracts and adds Level 3 3PAO certification for applicable contracts.
4 | 12 months from Phase 3 | CMMC requirements in all applicable DoD contracts at award and for option periods on contracts awarded prior to this phase.
Understanding the Latest Developments
As a trusted partner in our supply chain, we appreciate your commitment to excellence and your critical role in supporting our Department of Defense (DoD) contracts. We are writing to inform you about recent regulatory changes and to encourage your proactive engagement in ensuring compliance.
Proposed Policy Rule Publication
On December 26, 2023, the DoD released the proposed policy rule for CMMC 2.0. This document outlines the framework for assessing and certifying cybersecurity practices across the defense industrial base (DIB). You can find the full content of the rule and review comments submitted on Regulations.gov.
Ongoing Federal Rulemaking
Federal rulemaking is a dynamic process, and members of the DIB anticipate further developments throughout 2024. Keep an eye out for regulatory updates related to implementing contractual requirements. Specifically, watch for proposed changes and final rules associated with the following Defense Federal Acquisition Regulation Supplement (DFARS) clauses:
- DFARS 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting
- DFARS 252.204-7019: Emphasizes NIST SP 800-171 self-assessments. Contractors must report their self-assessment scores via the Supplier Performance Risk System (SPRS).
- DFARS 252.204-7020: Outlines the requirements for assessing and validating the implementation of the NIST Special Publication 800-171 controls within the defense supply chain.
- DFARS 252.204-7021: Cybersecurity Maturity Model Certification Requirements
Preparing for CMMC Assessments and Certifications
It’s prudent for all DIB companies handling Controlled Unclassified Information (CUI) to proactively address the underlying NIST 800-171 requirements. By doing so, you’ll be well-prepared for potential contractual CMMC obligations. Consider engaging with the CyberAB (official accreditation body of the CMMC) to facilitate a third-party assessment and certification process.
CMMC Maturity Levels
The CMMC Framework requires a systematic approach to certification mapped to three organizational maturity levels: Foundational, Advanced, and Expert.
- Level 1: Self-assessment; protect Federal Contract Information (FCI)
  - 15 cybersecurity controls in the FAR 52.204-21 clause.
  - Controls must be met 100%; no Plan of Action & Milestones (POAM) permitted.
- Level 2: Self-assessment progressing to third-party certification; protect Controlled Unclassified Information (CUI)
  - 110 cybersecurity controls (320 assessment objectives) in NIST SP 800-171 r2, as already required for contracts with the DFARS 252.204-7012 clause.
  - Limited POAMs, only for certain controls, which must be reassessed as 100% met within 180 days.
- Level 3: Third-party and Government certification; protect CUI and withstand advanced persistent threats
  - Level 2, plus 24 enhanced security requirements selected from NIST SP 800-172.
  - Limited POAMs, only for certain controls, which must be reassessed as 100% met within 180 days.
The Prime contract award will identify the CMMC level required. Leidos must flow this requirement down to subcontractors and suppliers. Level 1 applies if the subcontractor will only process, store, or transmit FCI (not CUI); otherwise, the subcontractor or supplier must meet the same assessment level required of the prime.
Engaging with Third-Party Assessors
When the organization is ready, engage with certified Third-Party Assessment Organizations (C3PAOs) to undergo an official CMMC assessment. The C3PAO will evaluate the organization's cybersecurity practices and determine if it meets the requirements for the desired CMMC level.
Enhancing Awareness and Preparedness
While rulemaking is in progress, prepare for a CMMC 2.0 assessment. Stay informed about updates and guidelines. To deepen your understanding of CMMC and fortify your cybersecurity posture, we recommend accessing the various resources provided here and through the ND-ISAC and others as noted in the Resources section of this page.
CIRCIA
In March 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Enactment of CIRCIA marked an important milestone in improving America’s cybersecurity by, among other things, requiring the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) to develop and implement regulations requiring covered entities to report covered cyber incidents and ransomware payments to CISA. The proposed regulations are currently in the rulemaking stage, but CISA has many resources available to help your business protect itself and the customers you support.
Critical Infrastructure Defined
CIRCIA and its proposed rule, along with a White House National Security Memorandum on Critical Infrastructure issued on April 30, 2024, established 16 agencies that are responsible for securing critical infrastructure sectors. When subcontracting with Leidos, the customer or end user should be identified in the subcontract documentation, which can help you determine whether you are part of the critical infrastructure supply chain.
Reporting Incidents
Until rulemaking is complete for CIRCIA and a final rule is published, reporting of cybersecurity incidents is voluntary, but highly encouraged. Reporting allows CISA and the relevant agencies to put mitigation strategies and solutions in place. Once the final rule is published, you can expect updates to your subcontract terms and conditions as the Prime contracts are updated with additional guidance on required reporting timeframes.