Section O Attach 1
Revised: July 15, 2011
Page 1 of 3
Section O Attach 1:
Revised:
CUI Supplier Acknowledgement Letter
July 15, 2011
Supplier Name
Supplier Address
Dear Mr. Supplier:
Some technology, technical data, and parts to which Supplier Inc. (Supplier) will have
access to while working with Oshkosh Corporation (Oshkosh) constitutes Controlled
Unclassified Information (CUI) subject to protection under the Information Assurance
(IA) provisions in certain DoD contracts, DoD regulations and federal laws. DoD
requires Oshkosh to obtain the agreement of its suppliers to comply with the same IA
requirements that Oshkosh must observe for protecting CUI. Accordingly, Oshkosh will
share CUI with its supplier subject to the following conditions:
INFORMATION ASSURANCE-CONTROLLED UNCLASSIFIED INFORMATION
NOTE: THIS IS GENERALLY NOT APPLICABLE TO SUPPLIERS SUPPLYING PRODUCTS, PARTS AND SERVICES FOR NONDOD CONTRACTS
1.
Controlled Unclassified Information (CUI)
1.1.
Oshkosh and its suppliers, working on certain military contracts are required to ensure that controlled unclassified
information (CUI) relating to those contracts is handled in a secure manner.
1.2.
CUI is unclassified information about military platforms, systems, and parts subject to access or distribution limitations
according to United States policies, laws and regulations. Examples of CUI under a military contract include:
1.2.1.
CATIA (CAD) Level 1-3 technical drawings and descriptions in hard copy or electronic form
1.2.2.
CAD 3D solid files in STEP 214 format; CAD 2D files in .pdf format; both in native CATIA format
1.2.3.
ShopTech screens, documents, reports & information
1.2.4.
SmartTeam (PLM) storage output & metadata from Oracle DB in STEP AP239 & .csv format
1.2.5.
Text/graphic descriptions of developing, proposed or approved part/system/kit design modification
1.2.6.
Documents marked For Official Use Only (FOUO), Sensitive But Unclassified (SBU) Critical Program
Information (CPI) or other CUI classification by DoD or Oshkosh
ANY PRINTED COPIES OF THIS DOCUMENT ARE UNCONTROLLED COPIES AND MAY BE OUTDATED. IT IS THE
RESPONSIBILITY OF THE OSHKOSH CORPORATION SUPPLIER TO VERIFY THAT THEY ARE IN COMPLIANCE WITH THE
LASTEST REVISION OF THIS DOCUMENT AS POSTED ON THE OSHKOSH PROCUREMENT WEBSITE
OSN.OSHKOSHCORP.COM
Section O Attach 1
Revised: July 15, 2011
Page 2 of 3
1.2.7.
Documents subject to ITAR/EAR labeling/shipping requirements
1.2.8.
Documents containing Personally Identifiable Information (PII) (e.g., name plus DOB/SSN)
1.2.9.
Internal memoranda with design or competition sensitive information unique to a DoD contract
awarded to Oshkosh
1.2.10.
Engineering reports (test incident reports (TIR’s), incident, failure, material analysis, qualityNonpublished photographs & screenshots (vehicles, parts, kits, failures)
1.2.11.
System performance capabilities, special features, specifications, limitations, & technical information
about parts with ballistic or other special strength, durability or functional properties
1.2.12.
1.2.13.
Other government forms & reports (e.g., DD-250 Inspection / Acceptance Reports)
Other documents describing competition sensitive information unique to a DoD contract awarded
to Oshkosh
Contact your Oshkosh Sponsor if you don’t know if information pertaining to a particular contract constitutes CUI.
1.3.
Supplier agrees to store, handle, and transfer CUI in accordance with applicable IA requirements, including:
1.3.1.
Granting access to CUI only to those employees with a need to know the contents of the CUI for
purposes of complying with RFQs or subcontracts with or purchase orders from Oshkosh or its suppliers.
1.3.2.
Prohibiting CUI from being transmitted unencrypted over the Internet. Acceptable means of transmitting
CUI include:
1.3.2.1. 128-bit encrypted secure FTP service via Federal Information Processing Standard (FIPS)
140-2 validated cryptographic software and/or hardware
1.3.2.2. 128-bit encrypted email via FIPS 140-2 validated cryptographic software and/or hardware
1.3.2.3. Facsimile or telephone (secure when practicable)
1.3.2.4. Common courier
1.3.3.
Encrypting CUI data-at-rest (DAR) according to risk. Examples of risk-based DAR include, without limitation:
Whole disk encryption of all laptops used in the field or removed from the business and transported in
vehicles or used at home where the laptop contains sensitive information and the risk of theft is high
Limited DAR inside physically and logically secure data centers where compensating physical security
and access controls are in place to protect against unauthorized access to sensitive data
No DAR to desktop computers not containing sensitive information
1.3.4.
Implementing and enforcing formally documented policies, procedures, rules and regulations for
handling and protecting CUI at your company which comply with DoD Instruction 8500.2 or NIST
Special Publication 800-53.
1.4.
Supplier agrees to incorporate the requirements in Attachment 1 of Section O of the Oshkosh Corporation
Supplier Standards Guide into all its subcontracts or purchase orders for goods or services furnished in support of
all DoD contracts with Oshkosh that have CUI secure communication requirements.
1.5.
All CUI communications described in this section are subject to audit by Oshkosh or DoD
ANY PRINTED COPIES OF THIS DOCUMENT ARE UNCONTROLLED COPIES AND MAY BE OUTDATED. IT IS THE
RESPONSIBILITY OF THE OSHKOSH CORPORATION SUPPLIER TO VERIFY THAT THEY ARE IN COMPLIANCE WITH THE
LASTEST REVISION OF THIS DOCUMENT AS POSTED ON THE OSHKOSH PROCUREMENT WEBSITE
OSN.OSHKOSHCORP.COM
Section O Attach 1
Revised: July 15, 2011
Page 3 of 3
We request that an authorized official execute this agreement on behalf of supplier and
return it. Thank you.
Sincerely,
ACKNOWLEDGED AND AGREED TO:
Supplier, Inc.
Oshkosh Em ployee Nam e, Title
By:
Printed Name:
Title:
Date:
ANY PRINTED COPIES OF THIS DOCUMENT ARE UNCONTROLLED COPIES AND MAY BE OUTDATED. IT IS THE
RESPONSIBILITY OF THE OSHKOSH CORPORATION SUPPLIER TO VERIFY THAT THEY ARE IN COMPLIANCE WITH THE
LASTEST REVISION OF THIS DOCUMENT AS POSTED ON THE OSHKOSH PROCUREMENT WEBSITE
OSN.OSHKOSHCORP.COM