Vectrus is committed to safeguarding Federal Contract Information (FCI) and Covered Defense Information (CDI) as required by the FAR and DFARS.
Vectrus Subcontractors and Teammates who may handle Controlled Unclassified Information (process, store, or transit through an information system that is owned, or operated by or for, the Subcontractor / Teammate, or when performance of the contract involves operationally critical support) are required to comply with DFARS Clauses 252.204-7008, Compliance with safeguarding covered defense information controls and 252.204-7012, Safeguarding covered defense information and cyber incident reporting.
Vectrus requires Subcontractor / Teammate assurance of compliance to these DFARS Clauses as indicated in the respective supplier agreement(s). Subcontractors and Teammates who are unable to provide adequate assurance of required compliance may be eliminated from consideration.
Note: Cybersecurity Maturity Model Certification (CMMC) will be required for any contractor (prime or sub) to do business with the US Department of Defense. The required Maturity Level (1-5) will be specified in the respective prime contract (with flow-down to Subcontractors and Teammates) and relates to the criticality of work to be performed and/or data to be handled.
FAR 52.204-21: https://www.federalregister.gov/documents/2016/05/16/2016-11001/federal-acquisition-regulation-basic-safeguarding-of-contractor-information-systems
DFARS 252.204-7008: https://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm#252.204-7008
DFARS 252.204-7012: https://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm#252.204-7012
NIST SP 800-171: https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final