Supplier Cybersecurity Requirements

Cybersecurity is Mission Critical: A Shared Responsibility

At AM General, the security of our enterprise and the protection of sensitive data are mission critical. This requires a defense that extends beyond our walls, encompassing every partner in our supply chain. We believe that robust cybersecurity practices are a shared responsibility—one that is fundamental to preserving national security and the integrity of our operations. This section details the mandatory security standards, policies, and requirements that all suppliers must adhere to in order to properly safeguard Covered Defense Information (CDI). By partnering with us, you commit to upholding the level of security necessary to protect sensitive data, critical systems, and, most importantly, the warfighter we serve.

Ensure full compliance with DFARS 252.204-7012, 252.204-7019, and 252.204-7020:

  • Assess Your Cybersecurity Posture: Conduct a basic self-assessment of your NIST SP 800-171 implementation using the NIST SP 800-171A assessment objectives, in accordance with the NIST SP 800-171 DoD Assessment Methodology, and upload your score to the DoD Supplier Performance Risk System (SPRS).
    • Reassess at least every three years and update your SPRS score accordingly.
    • Ensure that next-tier subcontractors perform the same assessment and provide attestation via an Annual Representations and Certifications form.
  • Implement and Document Controls: Fully deploy all NIST SP 800-171 controls on your system. Document how each of the 110 controls is implemented within your System Security Plan (SSP).
  • Verify Subcontractors: Make sure your subcontractors are doing the same. You must obtain their formal commitment (attestation) using an Annual Representations and Certifications form.
  • Report Incidents Fast: If you discover a breach or unauthorized leak of Covered Defense Information (CDI), report it to DIBNet within 72 hours—no exceptions.
  • Cloud Rule: If you use cloud services for CUI, the provider must be FedRAMP Moderate approved or have a recognized equivalent standard.
  • Prepare a System Security Plan (per NIST 800-171 3.12.4):
    • Develop an SSP: Create a System Security Plan that clearly defines system boundaries and documents the full implementation of NIST SP 800-171 requirements, including inter-system connections. This document requires periodic updates.
    • Use a POA&M for Gaps: Any unimplemented NIST SP 800-171 requirements must be tracked and scheduled for completion using a Plan of Action and Milestones (POA&M).
    • CMMC Time Limit: When seeking CMMC certification, all POA&M items must be resolved within six months.

Prepare for compliance with DFARS 252.204-7021 (CMMC):

The DFARS 252.204-7021 clause mandates that all non-COTS suppliers on DoD programs achieve the required CMMC level.

  • FCI Only: Requires CMMC Level 1 (Self-Assessment).
  • CUI Handled: Requires CMMC Level 2, which demands certification by a C3PAO.

While the CMMC rollout is phased, the Level 2 certification is a pre-award requirement and can be included in new contracts now.

Urgent Notice on Certification: C3PAOs currently face a backlog. To avoid contract ineligibility, suppliers handling CUI must immediately begin engaging a C3PAO after meeting the necessary requirements. Find accredited C3PAOs on the CyberAB's Marketplace (CyberAB > Directory).