
Sierra Nevada Corporation | SNC

What You Need to Know About Exostar

Why is Exostar reaching out to me?
Starting in March 2020, Sierra Nevada Corporation (SNC) will begin a campaign, in conjunction with Exostar, to address cybersecurity compliance across our supply base. During this time you will receive communications from both SNC and Exostar with instructions on the next steps to take.

We are requiring all suppliers with systems that collect, develop, receive, transmit or store covered defense information (CDI) to complete the NIST SP 800-171 self-assessment in Exostar.

Why does my company need to complete this questionnaire?
If you are a contractor who receives Covered Defense Information from SNC in support of a DoD project, NIST SP 800-171 does apply to you.

Complying with DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, requires that DoD contractors implement NIST SP 800-171 as soon as practicable, but no later than December 31, 2017 for information technology systems that collect, develop, receive, transmit or store covered defense information.

What is covered under defense information?
As defined by DFARS Clause 252.204-7012:

“Covered defense information” means unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry at http://www.archives.gov/cui/registry/category-list.html, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies, and is—

(1) Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or

(2) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.”

For the most current definition, please visit:
https://www.acq.osd.mil/dpap/dars/DFARS/html/current/252204.htm#252.204-7012

Who should complete the NIST SP 800-171 self-assessment for my company?
The person who completes the NIST SP 800-171 self-assessment is typically the person responsible for reporting on your company’s cybersecurity controls. That person is usually responsible for cybersecurity and/or information security related matters.

What do I need to know to set up my Exostar account?
Following our email, you should receive an invitation to PIM from Exostar if you do not already have an account. Emails will follow with instructions from Exostar on how to set up your account. It is important to note that you will need to:

  1. Complete your first-time login. For help, go to:
    http://myexostar.com/Managed-Access-Gateway/User-Training/
  2. Accept the Exostar service agreement.

For help with:

  1. Purchasing or activating your one-time password (OTP) token, visit: http://www.myexostar.com/uploadedFiles/Pages/10_Find_Information_by_APPLICATION/A10_One_Time_Password_(OTP)/_Content/OTP%20User%20Guide(2).pdf
  2. Issues related to setting up your Exostar account, please contact EXOSTAR’s Support Team at 703-793-7800 (US) or 0203 3007093 (UK).

Will I need to purchase anything to access EXOSTAR?
You only need to purchase a token if your company has not already done so (i.e. if you have not already purchased one for another customer). Otherwise you can use an existing token. We have elected to require this authentication credential because it mitigates security risk by providing a stronger assurance level and better identity protection than conventional username/password credentials, which are vulnerable to theft.

In order to access the Exostar application, Partner Information Manager (PIM), where the NIST SP 800-171 questionnaire is hosted, you will be required to access it with at least a phone-based “OTP token” for security purposes. The associated pricing will be available on the Exostar platform.

For more info please visit: http://www.myexostar.com/iam-resources/

What if my company has already completed this in EXOSTAR?
The Exostar administrator at your company can easily share the already completed NIST SP 800-171 form by hitting the “Share” button in Exostar following our request. If your company never received a share request from SNC, then please email Suppliers@elbitsystems-us.com, identifying the Exostar ID that completed the NIST questionnaire.

For more details on sharing and navigating Exostar, visit Page 14 of the PIM instructions at:
http://www.myexostar.com/WorkArea/DownloadAsset.aspx?id=6517

I need help in answering the questionnaire, can SNC help?
As this is a self-assessment of your company’s security controls, SNC can provide no assistance in how you answer or interpret the controls. However, there are numerous resources at your disposal to better understand NIST SP 800-171. Some resources available are:

https://EXOSTAR.atlassian.net/wiki/spaces/EN8/pages/73597166/NIST+800-171+Controls+Information

https://ics-cert.us-cert.gov/Assessments (Scroll to CSET tool)

EXOSTAR does offer professional services outside this to assist suppliers with their cyber programs. See here: https://www.EXOSTAR.com/file/2017/06/Cybersecurity_Gap_Analysis_Assessment_17July2017.pdf

What if I have a certification from a 3rd party that confirmed my information systems are NIST SP 800-171 compliant?
An EXOSTAR NIST SP 800-171 Questionnaire must be completed, regardless of 3rd party certification that your information systems are NIST SP 800-171 compliant, prior to the release of CDI.

Is an ISO 27001 certification sufficient for being NIST SP 800-171 compliant?
No. ISO 27001 certification is NOT a sufficient substitute for demonstrating NIST SP 800-171 compliance. NIST SP 800-171 has additional technical security controls not required by ISO 27001.

DFARS Clause 252.204-7012 also includes additional requirements beyond the scope of NIST SP 800-171, such as mandatory cyber incident reporting, malicious software and media preservation, and subcontractor/supplier flow-downs in all contracts/purchase orders that require the protection of CDI.

My company has an EXOSTAR account, and I am the Admin. Why was a user added to my account? Who authorized this?
Based on the primary contact we have listed for your company, that person was identified as the person at your company who should complete the NIST SP 800-171 form. If this is incorrect, then forward our request to the correct person(s). Typically the person who completes this is someone responsible for cybersecurity or related matters.

Although your company is still responsible for completing the requested form, the Administrator can delete the user(s) via the Administration tab in your Managed Access Gateway. This help document can provide further assistance for user management activities: http://www.myEXOSTAR.com/WorkArea/DownloadAsset.aspx?id=334

What is the SNC Contact Form and where can I access it?
The SNC contact form is where you identify the person at your company who is responsible for reporting on your company’s compliance with the new Department of Defense (DoD) cybersecurity standards.

It is hosted by Exostar and can be accessed by the link in your email from EXOSTAR or you can access here:
https://forms.na2.netsuite.com/app/site/crm/externalcustrecordpage.nl/compid.861427/.fformid=84&h=AACffht_hlzXdHMCffpMeHA2EEUNvD0B3Zw&entity=ElbitCustomer&formid=84&h=AACffht_hlzXdHMCffpMeHA2EEUNvD0B3Zw&entity=Elbit Customer

How is my data being used?
NIST Compliance Questionnaire: The information you provide will be used to help us understand your company’s NIST compliance. It is only shared with customers that you choose to share your answers with.

Can someone provide assistance/guidance on answering the questions on the form(s)?
No. EXOSTAR’s and SNC’s support to suppliers does NOT include help in understanding the questions or advice on how to answer them. EXOSTAR’s support is limited to the use of the form, not the content of the questions. However, EXOSTAR does offer professional services to assist suppliers with their cyber programs. See here:
https://www.EXOSTAR.com/file/2017/06/Cybersecurity_Gap_Analysis_Assessment_17July2017.pdf

This is a separate service from EXOSTAR’s Partner Information Manager but can be tied to your form responses.

How do I register my token?
Please contact EXOSTAR’s Support Team at 703-793-7800 (US) or 0203 3007093 (UK).

Where can I learn more about the DFARS Clause 252.204-7012 requirement?
For more information, please visit:
https://www.acq.osd.mil/dpap/dars/DFARS/html/current/252204.htm

Is 3rd Party assessment of Compliance Required?
3rd party assessments or certifications are not required, authorized, or recognized by DoD. By signing the contract, the contractor agrees to comply with the terms of the contract.

In order to safeguard covered defense information, companies with limited cybersecurity expertise may choose to seek outside assistance in determining how best to meet and implement the NIST SP 800-171 requirements in their company. But, once the company has implemented the requirements, there is no need to have a separate entity assess or certify that the company is compliant with NIST SP 800-171.

My company has an EXOSTAR account already. How can I subscribe to PIM and complete the form?
If you have not received instructions from EXOSTAR, please wait until you receive that communication before taking any action. If you have already received a notice from EXOSTAR and still require assistance, please contact EXOSTAR’s Support Team at 703-793-7800 (US) or 0203 3007093 (UK).

My organization has already demonstrated compliance with NIST SP 800-53. Can you accept this as proof that we are also NIST SP 800-171 compliant?

  1. NIST 800-53 has controls, but the mechanisms vary by the risk level that you have associated with the information system that needs to be protected.
  2. NIST 800-171 is derived from 800-53 and specifies the risk level as Moderate (the three risk levels are High, Moderate and Low).
  3. If a supplier believes they are compliant with NIST 800-53 Moderate or above, they most probably can show compliance, but it is not guaranteed.
  4. 800-171 is derived from 800-53, but it identifies specific requirements, such as 2FA for network access for normal users (I do not believe 800-53 goes to that level of prescription).

Our advice to the supplier is that they should complete the NIST 800-171 Compliance Questionnaire. If they are compliant with NIST 800-53, then it should be easy to show compliance with NIST 800-171. Compliance with 800-171 means one of the following:

  5. You answer ‘Yes’ to every security control in the 800-171 questionnaire; OR
  6. If you answer ‘No’ to some controls, you also have an SSP (System Security Plan) and a POAM (Plan of Action and Milestones) in place for those controls where you answered ‘No’.

When do I need to complete this by?
Please complete the requested forms within 30 days of receiving your invitation/instructions from EXOSTAR.

Any other application, login, or registration related questions

Please contact EXOSTAR’s Support Team at 703-793-7800 (US) or 0203 3007093 (UK).