PIM 2.7 Release Notes – July 2019
Please select from the links below to access step-by-step instructions on the new PIM 2.7 UAT functionality:
Contracts Form Completion: This link provides updated instructions on completing your Contracts Form in PIM.
Contracts Form - CUI Categories Report: This link provides instructions on running reports based off CUI Categories, which is specific to Agency Organizations.
CSCRMQ Completion: This link provides instructions on completing the new Cyber Supply Chain Risk Management Questionnaire.
Form Assignments: This link provides instructions on managing form assignments.
Form Renewal: This link provides instructions on updating and renewing your PIM forms.
Form Renewal FAQs: This link provides FAQs specific to the Form Renewal process.
Supplier Profile: This link provides instructions on viewing and updating your Organization's Supplier Profile.
For additional supplemental training materials, please see below:
MDA Pilot Infographic
Form Completion Video
The release of Partner Information Manager (PIM) 2.7 has several enhancements related to:
- The Missile Defense Agency (MDA) pilot program for N-tier (or multi-tier) supply-chain functionality
- Core PIM functionality that applies to all PIM buyers and suppliers.
The following release notes are provided separately for each of the above categories of features.
Features for N-Tier Functionality for the MDA Pilot Program
Brief Background of N-Tier Functionality in PIM
N-tier functionality predominantly exists in PIM in order to allow users in an agency organization (such as the Missile Defense Agency) to have visibility into certain compliance-related information for each individual organization that handles (generates or shares) Controlled Unclassified Information (CUI) within a multi-tier supply chain for a contract. Specifically, these organizations that handle CUI are required to be in compliance with DFARS 252.204-7012, Safeguarding Covered Defense Information (CDI) and Cyber Incident Reporting (OCT 2016).
For collecting this compliance-related information across a contract’s supply chain, organizations (subcontractors) in these contracts are requested to complete contract forms (specifically the “DFARS 252.204-7012 Compliance Assertion” contract form) within PIM. The form request is sent to an organization if the organization is listed (cited) by a buyer (its customer on a contract) as an organization (i.e. a supplier) with whom the buyer shares or generates CUI.
This section of the document specifically covers new functionality (enhancements) made in the release of PIM 2.7 for the N-tier functionality. In addition, some additional enhancements were made that affect the contract forms or the user experience for accessing and completing contract forms. A brief explanation of each new functionality is also provided.
New MDA Pilot-Related Functionality in PIM 2.7
The following is a summary of all new features or functionality in PIM 2.7 specifically for or related to N-tier. Each of the items listed below is explained in more detail within the following subsections of this section.
- New “CUI Categories” Question in DFARS 252 Contract Form – A new question was added to the DFARS 252 contract form for capturing the category (or categories) of CUI relevant to the organization’s scope in support of the corresponding contract for which the form was requested.
- Modified “POAM” Question in DFARS 252 Contract Form - The question in the DFARS 252 contract form regarding documenting any non-implemented controls in a Plan of Actions and Milestones (POAM) has been re-written in order to make the question clearer to the end-user.
- Modifications to UI/UX for Question on Identifying Suppliers in DFARS 252 Contract Form – For the DFARS 252 contract form question that prompts the end-user to identify suppliers with whom the user’s organization shares or generates CUI, a few modifications have been made to the user interface (UI) or user experience (UX) for either manually inputting or searching for suppliers. This includes a new “Cancel” button in the Supplier Match Found UI, modifications to the UI controls used to indicate if the DFARS clause or MDA pilot contractual requirements have been flowed-down for a supplier, and modified functionality to redirect the user directly back to the contract form after the user has confirmed a supplier’s details on the Selected Supplier UI.
- “Suppliers by CUI Categories” Report – For agency users, a new report called “Suppliers by CUI Categories” now exists for users to see, by contract number, the CUI categories selected (within the submitted contract forms) by the individual supplier organizations within the contract.
- Modification to the Forms’ “Edit” Functionality – The hyperlinked “Edit” icon’s functionality for editing a form has been modified so that, when the link is clicked, it directly opens the form in edit mode provided the end-user has been assigned the form, and that the form is not currently locked for edit by another user.
- Modifications to Forms’ “Jump To” Functionality – The “Jump To” functionality for navigating through the form has been modified to not only allow users to “jump” (navigate) to a specific section in the form, but also to a specific question in the form.
- Modifications to the Form Progress Value (the “Progress Bar”) – The form progress calculation method has been modified in order to indicate the number of questions that the user has thus far completed in a form out of the total number of ones that the user is prompted to answer on the form. In addition, the progress calculation (i.e. the progress bar) now only appears in the initial draft versions of the forms in edit mode, before the initial submission of the form to create version 1.0.
- Alert Notification for Unsaved Contract Forms – When a user attempts to leave the DFARS 252 contract form in edit mode without saving the form before exiting, PIM now shows a message alerting the user that he/she has not saved the form.
- Modifications to “Get Started” Pages – The “Get Started” pages, which are also referred to as the “Welcome” pages that appear when initially accessing the PIM application for the first time, have been edited to reflect the latest changes in functionality for this PIM 2.7 release, as covered in these release notes.
New “CUI Categories” Question in DFARS 252 Contract Form
In the DFARS 252 contract form, the following question has been added to the contract form in order to obtain information about the organization’s relevant CUI categories for the contract:
In the table below, please select all the categories of CUI relevant to your organization's scope (inclusive of any and all CUI subcontractors) in support of the reference contract. (Note: more information concerning the CUI categories is available at https://www.archives.gov/cui/registry/category-list.)
As the new question above states, a form control for the question allows the end-user to select existing CUI category values in order to respond to the question. The user may add as many applicable CUI categories as he/she needs.
The CUI categories from which a user may choose have been initially provided by the Missile Defense Agency (MDA) and prime contractors involved in the MDA (N-Tier) pilot. However, since new categories can be added and existing ones deleted (per the request of MDA) in the future, the Exostar Administrator user in PIM can add and delete these categories through a new “CUI Categories” user interface (UI). This UI, or page, is accessible to System Administrators via the “CUI Categories” left menu option or via a link on the administrator’s PIM homepage.
This “CUI Categories” question requires a valid response by the end-user before leaving the question on the contract form, or submitting the form. A valid response means that the user must have at least one currently existing CUI category selected (as maintained by PIM system administrators) as a response to this question. If the user has no value selected, or currently has one or more values selected that have since been deleted (i.e. are no longer valid), PIM forces the user to select at least one currently valid (existing) category before leaving the question or submitting the form.
Note that, when editing the form, the user can also see if any previous category that was added has since been deleted as a valid value (via an asterisk near the category to denote this). The user will be prompted by PIM to add a valid CUI category for the question if one does not already exist.
In the PDF report (download or print-out) for the form, the new “CUI Categories” question now also exists. In addition, a “List of Selected CUI Categories” section on the PDF shows all categories that have been currently selected and saved by the end-user completing the form.
Modified “POAM” Question in DFARS 252 Contract Form
In the DFARS 252 contract form, the question regarding documenting any non-implemented controls in a Plan of Actions and Milestones (POAM) has been re-written to make the actual question clearer. The question now reads the following:
Have all NIST SP 800-171 controls been implemented, or for any controls not yet implemented have you documented a Plan of Actions and Milestones (POAM) to satisfy the control? You may be required to provide validation as part of an RFP response, during the damage assessment process after a breach, or a compliance audit.
In addition, the following informational guidance, or tooltip, has been added to the question:
To be considered compliant under the DFARS Clause, you must either have implemented all NIST 800-171 R1 controls or have a documented Plan of Action and Milestones (POAM) for the controls that are deficient / not implemented.
Modifications to UI/UX for Question on Identifying Suppliers in DFARS 252 Contract Form
Within the DFARS 252 contract form question that prompts the end-user to identify suppliers with whom the user’s organization shares or generates CUI, a few modifications have been made to the user interface (UI) or user experience (UX) for either manually inputting or searching for suppliers.
A new “Cancel” button now exists in the Supplier Match Found UI. The Supplier Match Found UI displays when the system has found possible matches for the input search criteria when adding suppliers via the “Search & Add” method. The “Cancel” button on this UI allows the user to exit the UI, and return back to the previous UI (the New Supplier UI) in order to edit the input on the New Supplier UI if the user wishes.
Both the New Supplier and Selected Supplier UIs, which look and function similarly, have had the “flow-down” related buttons modified slightly for PIM 2.7. Rather than check a checkbox to indicate that the DFARS 252 clause or the MDA pilot contractual requirements have been flowed-down, the user must now select either a “Yes” or “No” option to answer these two required fields. This modification was made to ensure the user performs some action to actually answer each required field. If either of these questions does not have a “Yes” or “No” value, a validation triggers for the respective question that is unanswered (i.e. does not have a “Yes” or “No” response selected).
Finally, functionality now exists to redirect the user directly back to the contract form after he/she has confirmed the supplier information on the Selected Supplier UI. The Selected Supplier UI appears after the user has selected a supplier from search results returned after performing a search via the “Search & Add” option. This new functionality exists so that the user may see the newly-added supplier on the contract form as soon as he/she has confirmed the information for the particular supplier on the Selected Supplier UI.
“Suppliers by CUI Categories” Report
For agency users in PIM 2.7 (i.e. those users who belong to an agency organization), a new report, the Suppliers by CUI Categories report, exists. This report, for a specific contract, provides information regarding the CUI categories selected by each organization for the question in the DFARS 252 contract form that asks for all CUI categories relevant to the organization's scope for the contract. This allows an agency, such as the Missile Defense Agency (MDA), to see all the CUI categories selected by the individual suppliers across any given contract that belongs to the agency.
The Suppliers by CUI Categories report is accessible via the Reports homepage which can be accessed via the Reports link in the left navigation menu for agency users. Within the report page, the agency end-user must select a contract number for which to run the report. In addition, the user may select one or more CUI categories as well for input criteria for the report.
Once the report is run, if any results exist, the report will return a row for each supplier organization, its Exostar ID and the corresponding CUI category it selected that met the report’s input criteria. Note that if a supplier had multiple CUI categories that met the report’s input criteria for CUI categories (i.e. multiple CUI categories were selected for the input criteria), multiple rows would be returned for the same supplier in the report results. If needed though, the report results can be filtered for a specific supplier in order to just see all CUI categories (that met the filter criteria) selected by that particular supplier. In addition, the CUI categories column may also be filtered upon in the report results.
Modification to the Forms’ “Edit” Functionality
The hyperlinked “Edit” icon’s functionality for editing a form, as exists in the Supplier view of PIM, has been modified with this release. Now, when the link is clicked, it will directly open the form in edit mode provided the end-user has been assigned the form, and that the form is not currently locked for edit by another user.
Note that this functionality has been modified for all forms listed in the Forms or Contract Forms tab of the “Forms Summary” section of the Supplier view of PIM. The Form Details UI, to which this “Edit” link navigated in previous releases, is still accessible via clicking the name of the form in the “Forms” or “Contract Forms” tab.
Modifications to Forms’ “Jump To” Functionality
For forms in PIM, including the DFARS 252 contract form, the “Jump To” functionality now allows users to directly “jump to” a specific section or question in a contract form. This functionality is accessible via the “arrow” hyperlinked icon that appears on the top, right-hand corner of form pages when editing a form.
Once in the “Jump To” window, sections and questions in the form are listed in the order that they appear in the form. Clicking a link to a form section or question takes the user directly to the corresponding section or question. This functionality allows the user to have a “snapshot” view of sections and questions in the form, and allows the user to navigate directly to a particular location or question in the form.
Modifications to the Form Progress Value (the “Progress Bar”)
Across all of PIM, including all forms in PIM, the calculation of the value for form progress (i.e. the “progress bar”) that indicates the progress of the user toward completion of the form has been modified. Note that this applies to the progress calculation not just for the DFARS 252 contract form, but all forms in PIM including the NIST and Cybersecurity forms.
In PIM 2.7, the progress value is now calculated by dividing the number of questions currently completed by the end-user on the form by the total number of questions in the form the user is prompted to answer, multiplied by 100 to get a percentage value.
Note that, depending on the particular form, the questions that are prompted for (i.e. displayed in the form) to the user are sometimes determined by the user’s responses to previous questions in the form. For example, if a user responds that their organization does not generate or share CUI in the DFARS contract form, certain other questions on the latter part of the form will not display for the user since these particular follow-up questions regarding CUI are irrelevant to the user’s organization. This affects the total number of questions used in the form progress calculation.
On a related note, the form progress calculation, or the progress bar, will now only appear to users when editing the initial draft version of the form before submitting it for the first time. That is, the only time the progress bar appears on the form is prior to submitting version 1.0 of the form. When editing any versions of the form after version 1.0, the progress bar or calculation will no longer display.
Alert Notification for Unsaved Contract Forms
If, at any time, a user attempts to leave the DFARS 252 contract form without saving the form, the system now warns the user via a pop-up message. Via the message window, the user may choose to either leave the form without saving it or remain on the current form page. This functionality exists to ensure users do not accidentally leave the form without saving their edits if they would like to save them.
Modifications to “Get Started” Pages
The “Get Started” pages, which are also referred to as the “Welcome” pages that appear when initially accessing the PIM application for the first time, have been edited. The answers to the Frequently Asked Questions (FAQs) present within these pages or tabs have been updated to align with the latest changes in functionality or the user interfaces for this PIM 2.7 release, as covered in these release notes. Note that the “Get Started” pages can still be accessed at any time via the “Get Started” link that is on the collapsible right panel of the homepage under the “Resources” section.
Features for PIM Core (non-MDA)
In addition to the above MDA Pilot program related features, the v2.7 release has a number of core PIM enhancements:
- A new Cyber Supply Chain Risk Management (C-SCRM) Form
- Revised Form Renewal Notice Update
- Form Assignment to all Users
Cyber Supply Chain Risk Management (C-SCRM) Form
The Cyber Supply Chain Risk Management (C-SCRM) form is a new form available in the PIM application for buyers to subscribe to and assign to supplier organizations for completion.
The C-SCRM form consists of 16 questions associated with the NIST 800-161 (Note: not the 800-171) standard “Supply Chain Risk Management Practices for Federal Information Systems and Organizations”.
The addition of the C-SCRM form brings additional value to the PIM application as the form can be offered to other organizations for the use of collecting Supply Chain Risk information from their suppliers.
Form Renewal Notice Updates
Prior to the 2.7 release of PIM, Exostar’s Tier 1 and Tier 2 support groups received feedback from suppliers regarding the PIM form renewals. This feedback involved multiple issues, such as form renewal emails that did not provide enough detail or instructions about the renewal process. Some suppliers were unable to find information about how to renew or update expiring forms, and they did not understand the reason why they were required to renew their PIM forms.
In an attempt to address these challenges, the PIM team has implemented the following changes in this release:
- Implementation of a new Form Expiration email – the form expiry email is sent out prior to the expiration of a PIM form to inform suppliers that their form will be expiring and needs to be renewed using the PIM application. A new email with additional text and information about why and how to renew a form has been implemented.
- New FAQ Help Page on MyExostar – FAQ documentation is available on a Form Renewals FAQ help page on the MyExostar site. This FAQ page includes information for suppliers regarding why PIM forms should be renewed, how to renew forms, etc.
- Information icon added to the PIM Form Details page – a new information icon has been added next to the form expiration date on the PIM form details page. By clicking on this icon, suppliers are able to be directed to the PIM Form Renewal FAQs page on MyExostar to quickly locate information regarding how and why to update their PIM forms.
Form Assignment to All Users
Prior to the PIM 2.7 release, a PIM form was required to be assigned to a PIM user in order for the user to be able to view, edit or complete and submit the form. This policy was set as a form of security to ensure that unauthorized users are not editing forms that they should not have permission to update. However, suppliers have faced challenges with this implementation because many times Application Administrators are not aware that they need to assign forms to the required users, even to themselves. Currently, users are required to wait for the Application Administrator to assign the form to them in order to be able to edit and submit the form, and users are not able to view a form if they have not been assigned to it.
In order to address these challenges, the PIM team has changed the PIM form assignment implementation such that any time a form is assigned to a supplier organization by a buyer, all PIM subscribed users of the supplier are assigned to the form by default with the ability to view, edit and submit the form.
To address any security issues, the Application Administrator of the supplier organization is still able to remove users from the form assignment as well as reassign a removed user as necessary.
This change will reduce the confusion around the need to assign forms to users before the users can view and edit them.
Aside from the above new features, Exostar is updating the PIM documentation in MyExostar.com to reflect the above changes.
The PIM team hopes you will benefit from the new features. If you have any product feedback, you are welcome to contact our support line or send us an email at email@example.com.