ICYMI: New Instructions from the Department of Defense (DoD)’s Undersecretary for Acquisition and Sustainment
The Office of the Under Secretary of Defense for Acquisition and Sustainment has released a formal instruction on cybersecurity for acquisition authorities and program managers that took effect on December 31, 2020. This document is referred to as DoD Instruction 5000.90 and can be found here. DoDI 5000.90 supersedes portions of DoD Instruction 500.83, issued in July 2020.
Much of DoDI 5000.90 deals with policies, responsibilities, and procedures within the DoD for the management of cybersecurity risk in acquisitions. Companies within the Defense Industrial Base (DIB) should familiarize themselves with the entire instruction. However, the concluding section 3.4, titled “Cybersecurity in the Supply Chain”, is of particular relevance to direct (prime) and indirect (subcontractor) DoD suppliers.
Section 3.4 should be reviewed in depth to understand the DoD’s expectations for suppliers, but in summary it sets out several important requirements. The first is minimal Supply Chain Risk Management (SCRM) reviews, including cyber-related SCRM reviews of vendors, to address such issues as:
(2) Any history of cybersecurity compromises
(3) The existence of a CMMC certification indicating basic cyber hygiene, defined as access, identity, and password management, and timely software updates and patches.
DoD Program Managers (PMs) are also required under section 3.4 of DoDI 5000.90 to seek alternatives to foreign sourcing of program components (hardware, software, or firmware) from commercial companies owned or influenced by adversarial foreign governments. The DIB should read these instructions to DoD PMs as defining acceptable, unacceptable, and risky suppliers of hardware and software involved in DoD contracting throughout the supply chain.
At RegDOX, we welcome the opportunity to discuss not only these requirements, but any changes, past, present, or future. Our job is to help you harden your cybersecurity infrastructure to ensure that these increasingly strict requirements do not threaten your DoD-related business.
About RegDOX Solutions Inc.
RegDOX Solutions’ first-to-market ITAR and NIST 800-171 (DFARS) compliant online storage and collaboration product has redefined how export-controlled and CUI documents and electronic files can be handled within regulatory requirements. This was recognized by the formal opinion of compliance provided by the US State Department’s Directorate of Defense Trade Controls (DDTC). RegDOX’s unique capabilities were confirmed on August 20, 2019, when the US Patent and Trademark Office issued a patent covering RegDOX’s system to store and manage export-controlled documents in the cloud (Patent No. 10,389,716). The RegDOX® ITAR/EAR solution provides ground-breaking and unsurpassed technology that delivers the efficiency and flexibility of a cloud solution, allowing multiple users at numerous locations to collaborate using controlled data while remaining fully in compliance with the strict regulatory and licensing requirements of the ITAR and DFARS.