November 2018: New Forms in PIM? Does it matter to me?
This is our November Tip of the Month. We are planning to make a new release of PIM (version 2.4) in mid-December and we think it is important for us to explain some of the new features that you might see next time you use it.
This release has three new forms:
The form is termed “concise” in order to differentiate it from the NIST 800-171 form, which requires an organization to assert implementation of the 110 specific controls. This new form has a maximum of eight questions to be answered. The objective of this form is to determine whether your organization is processing Controlled Unclassified Information (CUI) as defined in DFARS 252.204-7012. If so, there are questions that deal with the associated obligations of safeguarding the CUI and reporting any cyber incidents that may be associated with the CUI. The Concise DFARS form does not replace the current NIST 800-171 form, because that form is used by some buyer organizations for a different compliance reason. Depending upon your buyer, your organization may be asked to complete either one or both (!) forms.
This is a new version of the Conflict Minerals form. The core of the form which is a standard spreadsheet from the Responsible Minerals Initiative has not changed. The only change is the additional summary questions concerning your answers in the spreadsheet. There are a few more questions but not a substantial change.
This is a new type of form, Contracts, in PIM, and you will see another tab in your dashboard that deals just with these types of forms. If you are not involved in any of these contracts, there is no need for you to use that tab. The current forms in PIM (Cybersecurity Questionnaire, NIST 800-171, Conflict Minerals, and soon, Concise DFARS) will be on a tab entitled “Forms”.
The contract forms are associated with a new pilot program that a Department of Defense agency has initiated through four prime contractors using the PIM platform. The agency wants to be able to know which organizations are using CUI on a particular contract and the compliance of each of them. The agency is requiring, through contractual methods, primes and all their subcontractors/vendors/suppliers for specific contracts to:
(a) Indicate their compliance with DFARS regulations dealing with CUI
(b) Indicate if they are sharing CUI with any of their subcontractors and, if so:
    - Indicate that they have flowed down the DFARS requirements to their subcontractors
    - Identify any subcontractors with whom they have shared CUI.
The PIM system will contact any subcontractors named under (b) above and ask them to complete the same form and to identify any subcontractors that they in turn share CUI with. This process repeats until the system has identified every supplier on the contract that uses CUI. Only the agency will be able to view the resulting multi-tier supply chain showing where CUI is used and the compliance status of each supplier.
This multi-tiered list of suppliers/buyers will only include organizations that are in possession of CUI; it is not the complete supply chain of organizations involved with the contract. Primes and suppliers in the chain will only be able to see the compliance status of their direct suppliers. No prime or supplier will be able to see beyond its own tier of the supply chain, so no buyer or supplier can view the supply chain of another organization.
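To make the two rules above concrete, here is an added illustration (not Exostar's code, and not how PIM is actually implemented) of the tiered discovery and the tiered visibility: the system follows each organization's list of named subcontractors until no new ones appear, and a viewer other than the agency sees only the compliance status of its direct suppliers. The organization names, responses, and field names are constructed for the example.

```python
"""Model of the Contracts-form process: tiered CUI supply-chain discovery
and the rule that each tier sees only its direct suppliers."""
from collections import deque

# Constructed sample responses, keyed by organization. Each entry records the
# three things the form asks for: DFARS compliance, flow-down of the
# requirements, and the subcontractors the organization shares CUI with.
# "sub-4" has been named but has not yet responded.
RESPONSES = {
    "prime-A": {"compliant": True, "flowed_down": True,
                "shares_cui_with": ["sub-1", "sub-2"]},
    "sub-1": {"compliant": True, "flowed_down": True,
              "shares_cui_with": ["sub-3"]},
    "sub-2": {"compliant": False, "flowed_down": False,
              "shares_cui_with": ["sub-4"]},
    "sub-3": {"compliant": True, "flowed_down": True,
              "shares_cui_with": ["sub-1"]},   # names sub-1 again (a cycle)
}


def discover_cui_chain(prime, responses):
    """Breadth-first walk from the prime: every named subcontractor is
    'contacted' (looked up) and its own named subcontractors are queued.
    Returns (tier_by_org, unanswered) where unanswered lists organizations
    that were named but have not submitted a form yet. Cycles and repeated
    names are handled by recording each organization only once."""
    tiers = {prime: 0}
    unanswered = []
    queue = deque([prime])
    while queue:
        org = queue.popleft()
        response = responses.get(org)
        if response is None:
            unanswered.append(org)
            continue
        for sub in response["shares_cui_with"]:
            if sub not in tiers:
                tiers[sub] = tiers[org] + 1
                queue.append(sub)
    return tiers, unanswered


def flowdown_gaps(responses):
    """Organizations that report sharing CUI without having flowed down the
    DFARS requirements: a finding the agency-level view would want to see."""
    return sorted(org for org, r in responses.items()
                  if r["shares_cui_with"] and not r["flowed_down"])


def visible_compliance(viewer, responses, is_agency=False):
    """The agency sees every responding organization; any other viewer sees
    only the compliance status of the subcontractors it named itself."""
    if is_agency:
        return {org: r["compliant"] for org, r in responses.items()}
    direct = responses.get(viewer, {}).get("shares_cui_with", [])
    return {sub: responses[sub]["compliant"]
            for sub in direct if sub in responses}


if __name__ == "__main__":
    tiers, pending = discover_cui_chain("prime-A", RESPONSES)
    print("tiers:", tiers)                 # prime at tier 0, sub-3 and sub-4 at tier 2
    print("still to respond:", pending)   # ['sub-4']
    print("flow-down gaps:", flowdown_gaps(RESPONSES))
    print("agency view:", visible_compliance("agency", RESPONSES, is_agency=True))
    print("prime-A view:", visible_compliance("prime-A", RESPONSES))
    print("sub-1 view:", visible_compliance("sub-1", RESPONSES))
```

Note that `visible_compliance("prime-A", ...)` never includes `sub-3`, even though the prime is the root of the chain: the prime learns the status of `sub-1` and `sub-2` only, and what `sub-1` shares further down is visible solely to `sub-1` and to the agency.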
We know this sounds a bit complex, but your organization will only be involved with this type of form if it is part of a specific DoD contract whose contractual language requires you to provide this information. The PIM 2.4 release notes on MyExostar will provide additional information.
If you have any questions on the above forms, please feel free to contact Tom McHale (firstname.lastname@example.org).
Your Exostar PIM team