Notice regarding the importance of cybersecurity protections for sensitive information

It is an unfortunate fact of the modern world that theft of information from computer and information systems occurs on a regular basis. We are all aware of numerous cyber-theft incidents.

All Suppliers to GKN Aerospace have committed to keep our sensitive information confidential. The cybersecurity of your computer and information systems is essential for you to meet your confidentiality obligations.

See additional information under Additional Resources below.

NOTICE REGARDING MANDATORY CYBERSECURITY PROTECTIONS UNDER DOD SUBCONTRACTS

The US Department of Defense has adopted Defense Federal Acquisition Regulation Supplement 252.204-7012, http://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm, which incorporates the NIST 800-171 requirements. If you supply under a contract which includes or flows down from a contract which includes DFARS 252.204-7012, you will be required to comply with it:

WHEN DFARS CLAUSE 252.240-7012 APPLIES, IT IMPOSES 4 KEY REQUIREMENTS:

Contractors will have until December 31, 2017 to be in full compliance with the requirements outlined in the clause, and The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,” http://dx.doi.org/10.6028/NIST.SP.800-171. This 77-page publication from the US Department of Commerce (June 2015) sets forth 110 specific requirements in 14 categories.

Areas of non-compliance need to be reported to the DoD CIOs office within 30 days after contract award.

Contractors have 72 hours to report cyber incidents to the DoD CIO. In order to do so, the contractor or subcontractor shall acquire a DoD-approved medium assurance certificate to report cyber incidents; see http://iase.disa.mil/pki/eca/Pages/index.aspx.

The cyber DFARS clause needs to be flowed down to all suppliers/subcontractors storing, processing and/or generating Covered Defense Information (as defined in DFAR 252.204-7012) as part of contract performance.

Rob Soen, Senior VP Supply Chain Management

ADDITIONAL RESOURCES. Several government and industry organizations provide information and guidance on cybersecurity threats, controls, and risk management techniques. While we do not endorse any specific organization or set of controls, below are a few that may help:

Center for Internet Security
National Institute of Standards and Technology – Computer Security Division
International Organization for Standardization - search ISO 27001 and 27002
SANS (SysAdmin, Audit, Network, Security) Institute
Open Web Application Security Project (OWASP)
The Comprehensive National Cybersecurity Initiative