Section O Attach 1: CUI Supplier Acknowledgement Letter
Revised: July 15, 2011

Supplier Name
Supplier Address

Dear Mr. Supplier:

Some technology, technical data, and parts to which Supplier Inc. (Supplier) will have access while working with Oshkosh Corporation (Oshkosh) constitute Controlled Unclassified Information (CUI) subject to protection under the Information Assurance (IA) provisions in certain DoD contracts, DoD regulations and federal laws. DoD requires Oshkosh to obtain the agreement of its suppliers to comply with the same IA requirements that Oshkosh must observe for protecting CUI. Accordingly, Oshkosh will share CUI with its supplier subject to the following conditions:

INFORMATION ASSURANCE - CONTROLLED UNCLASSIFIED INFORMATION

NOTE: THIS IS GENERALLY NOT APPLICABLE TO SUPPLIERS SUPPLYING PRODUCTS, PARTS AND SERVICES FOR NON-DOD CONTRACTS

1. Controlled Unclassified Information (CUI)

1.1. Oshkosh and its suppliers working on certain military contracts are required to ensure that controlled unclassified information (CUI) relating to those contracts is handled in a secure manner.

1.2. CUI is unclassified information about military platforms, systems, and parts subject to access or distribution limitations according to United States policies, laws and regulations. Examples of CUI under a military contract include:

1.2.1. CATIA (CAD) Level 1-3 technical drawings and descriptions in hard copy or electronic form
1.2.2. CAD 3D solid files in STEP 214 format; CAD 2D files in .pdf format; both in native CATIA format
1.2.3. ShopTech screens, documents, reports & information
1.2.4. SmartTeam (PLM) storage output & metadata from Oracle DB in STEP AP239 & .csv format
1.2.5. Text/graphic descriptions of developing, proposed or approved part/system/kit design modification
1.2.6. Documents marked For Official Use Only (FOUO), Sensitive But Unclassified (SBU), Critical Program Information (CPI) or other CUI classification by DoD or Oshkosh
1.2.7. Documents subject to ITAR/EAR labeling/shipping requirements
1.2.8. Documents containing Personally Identifiable Information (PII) (e.g., name plus DOB/SSN)
1.2.9. Internal memoranda with design or competition sensitive information unique to a DoD contract awarded to Oshkosh
1.2.10. Engineering reports (test incident reports (TIRs), incident, failure, material analysis, quality); nonpublished photographs & screenshots (vehicles, parts, kits, failures)
1.2.11. System performance capabilities, special features, specifications, limitations, & technical information about parts with ballistic or other special strength, durability or functional properties
1.2.12. Other government forms & reports (e.g., DD-250 Inspection / Acceptance Reports)
1.2.13. Other documents describing competition sensitive information unique to a DoD contract awarded to Oshkosh

Contact your Oshkosh Sponsor if you don't know if information pertaining to a particular contract constitutes CUI.

1.3. Supplier agrees to store, handle, and transfer CUI in accordance with applicable IA requirements, including:

1.3.1. Granting access to CUI only to those employees with a need to know the contents of the CUI for purposes of complying with RFQs or subcontracts with or purchase orders from Oshkosh or its suppliers.

1.3.2. Prohibiting CUI from being transmitted unencrypted over the Internet. Acceptable means of transmitting CUI include:

1.3.2.1. 128-bit encrypted secure FTP service via Federal Information Processing Standard (FIPS) 140-2 validated cryptographic software and/or hardware
1.3.2.2. 128-bit encrypted email via FIPS 140-2 validated cryptographic software and/or hardware
1.3.2.3. Facsimile or telephone (secure when practicable)
1.3.2.4. Common courier

1.3.3. Encrypting CUI data-at-rest (DAR) according to risk. Examples of risk-based DAR include, without limitation:

- Whole disk encryption of all laptops used in the field or removed from the business and transported in vehicles or used at home where the laptop contains sensitive information and the risk of theft is high
- Limited DAR inside physically and logically secure data centers where compensating physical security and access controls are in place to protect against unauthorized access to sensitive data
- No DAR to desktop computers not containing sensitive information

1.3.4. Implementing and enforcing formally documented policies, procedures, rules and regulations for handling and protecting CUI at your company which comply with DoD Instruction 8500.2 or NIST Special Publication 800-53.

1.4. Supplier agrees to incorporate the requirements in Attachment 1 of Section O of the Oshkosh Corporation Supplier Standards Guide into all its subcontracts or purchase orders for goods or services furnished in support of all DoD contracts with Oshkosh that have CUI secure communication requirements.

1.5. All CUI communications described in this section are subject to audit by Oshkosh or DoD.

We request that an authorized official execute this agreement on behalf of supplier and return it. Thank you.

Sincerely,

Oshkosh Employee Name, Title

ACKNOWLEDGED AND AGREED TO:
Supplier, Inc.

By:
Printed Name:
Title:
Date:

ANY PRINTED COPIES OF THIS DOCUMENT ARE UNCONTROLLED COPIES AND MAY BE OUTDATED. IT IS THE RESPONSIBILITY OF THE OSHKOSH CORPORATION SUPPLIER TO VERIFY THAT THEY ARE IN COMPLIANCE WITH THE LATEST REVISION OF THIS DOCUMENT AS POSTED ON THE OSHKOSH PROCUREMENT WEBSITE OSN.OSHKOSHCORP.COM