Cybersecurity Resources for Suppliers

As government, prime contractors, and suppliers are increasingly targeted by cyber attacks, companies and their suppliers must work together to protect sensitive information and intellectual property. Awareness of cyber risks and implementation of effective cybersecurity controls and defenses are vital.

Northrop Grumman understands the important role our suppliers play in protecting our and our customers’ information and networks from cyber threats.  We also understand the value that cybersecurity maturity plays in achieving and maintaining a competitive advantage for our company and our suppliers.  Our mutual success is impacted by our ability to both identify and effectively manage cyber risks.  Building a cybersecurity posture capable of mitigating risk is essential.  Northrop Grumman recognizes that our suppliers must also develop and maintain their own cybersecurity postures.

In addition, our customers, including the U.S. Government, are increasingly imposing mandatory cybersecurity measures and controls on their prime contractors and supply chain. Department of Defense (DoD) contracts awarded since August 2015 include the Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012, which requires prime contractors and their suppliers at all tiers to provide "adequate security". At a minimum, businesses must implement the National Institute of Standards and Technology (NIST) SP 800-171 on any internal information systems that include “covered defense information” (CDI) by December 31, 2017. To have implemented NIST 800-171, a company must have conducted a self-assessment against all 110 controls and developed a system security plan (SSP) describing how the security requirements are met, along with plans of action and milestones (POA&M) describing how any controls not yet implemented will be met. DoD may consider how many controls are implemented in making award decisions and otherwise may require companies to implement all NIST SP 800-171 controls.

In addition, effective June 15, 2016, all contracts awarded by any U.S. federal agency, including DoD, must include Federal Acquisition Regulation (FAR) Clause 52.204-21. This clause requires immediate implementation of 15 controls, which equate to 17 NIST SP 800-171 controls, for basic safeguarding of any internal systems with non-public “federal contract information” or FCI.

To assist suppliers in achieving compliance with the NIST 800-171 security controls, Northrop Grumman is identifying and posting links to helpful publicly available resources for each NIST SP 800-171 control. We will continue this effort over the coming months. We initiated the effort by posting resources on some of the key NIST security controls on which companies must often seek guidance. We will continue to update and expand through the end of the year.

If you have any comments or questions regarding the provided supplier resources, please click here.