What is CUI vs. CDI?
All Department of Defense (DoD) contractors that process, store or transmit Controlled Unclassified Information (CUI) must meet the Defense Federal Acquisition Regulation Supplement (DFARS) minimum security standards by December 31, 2017 or risk losing their DoD contracts.
Covered Defense Information (CDI) is an umbrella term encompassing all CUI and Controlled Technical Information (CTI). These three markings are given to unclassified content that must be protected in a very specific manner, both within and outside a government information system. Therefore, if CUI is received or shared with others, CDI is also received or shared.
I assumed our organization was to be included in the pilot. What if I never received an email invitation?
If your organization was not listed as a Supplier who is receiving/creating CUI by any other contractor for a specific contract, you will not receive an email. You should check if you are a contractor for the specific contract.
What is the security around the information provided?
This program requires all Suppliers and Buyers to be registered with Exostar to access PIM with a Phone One Time Password (OTP) without proofing credential. If you provided a supplier list, you can come back and review their progress in completing forms and their compliance state. You will not be able to see their list of suppliers (if they have any), or those suppliers' compliance status. You can only see the compliance status of your direct suppliers.
What is this process about and why am I being asked to complete this form – and how do I?
Please see the Get Started - MDA Pilot Program page for instructions on completing this process.
Why am I receiving communications from Exostar?
This request to your organization is part of a Missile Defense Agency (MDA) pilot initiative tied to specific contracts that include your organization. The objective is to determine the scope of Controlled Unclassified Information (CUI) in the supply chain, and the supply chain's understanding of the requisite DFARS 252.204-7012 requirements to protect it and to share (flow down) those requirements to your subcontractors and suppliers. The MDA is using Exostar's Partner Information Manager (PIM) to have you complete the DFARS 252 Form.
What is Partner Information Manager (PIM)?
Exostar’s Partner Information Manager (PIM) is a risk management tool that leverages information from trusted sources to provide a partner (buyer) with a supplier’s current and potential risk and impact. PIM allows a company to complete a questionnaire (Cybersecurity Questionnaire or NIST SP 800-171) once for the partner organization, and then later share, with the company’s approval, the same results with other contractors using the company’s products and services. This complete-once, share-many model reduces the burden of completing multiple questionnaires.
What is Managed Access Gateway (MAG)?
Exostar's Managed Access Gateway (MAG) is a secure identity and access management cloud service for the Aerospace Defense industries. With MAG, organizations enjoy benefits like account management, web-based single sign-on user access and a single place to connect to the buyer partner applications with which they do business.
What are the credential requirements?
To access the DFARS 252 Contract Compliance Form within PIM, you are required to obtain a Phone One Time Password (OTP) without proofing. This credential is sponsored by your prime contractor; therefore, you do not incur charges. For more information on the credential requirements, please see the Credential Registration section on the Register - MDA Pilot Program page.
What is the DFARS 252 Contract Compliance Form?
This form is designed to provide an agency with compliance-related visibility across its suppliers, down its supply chain. Through processes integrated into PIM, each supplier organization that its contractor (buyer) lists on a submitted Compliance Assertion Form as an organization that creates or manages Controlled Unclassified Information (CUI) within the respective contract would eventually be assigned a Compliance Assertion Form.
You are required to submit the following information for other Suppliers you share CUI with:
- Supplier Name
- Postal Code
- Telephone Number
- Contact Name
- Contact Email
Where can I access a blank copy of the form?
Am I required to complete the form?
Yes, you are required to complete the form through contractual terms of the stated agency contract.
How do I view the status of Suppliers I share CUI with once they complete the form?
Once you successfully complete the form and provide a list of Suppliers you share CUI with, you can modify the view to the Buyer Dashboard, which allows you to see your Suppliers in this contract. To modify the view and see your Suppliers' status:
- Navigate to the Home screen.
- In the top header section, select Modify next to Supplier.
- Under the Application section on the User Profile page, change the Default View from Supplier to Buyer.
- Select the Save Changes button located at the bottom of the screen. You are redirected to the Home screen with the updated view.
- Navigate to the Organization Profile page via the My Organization widget.
- Select the Contracts tab to view your Suppliers and their form completion status.
If I need more help, what should I do?