Security/Vendor Certifications Tab

Use this tab to specify security requirements that apply to the subcontract, and add certifications associated with the vendor linked to the subcontract.

Note: For Costpoint Cloud, this tab is available only if you choose to opt in to Feature 2144951 for the Costpoint 2025.2 release. The ability to opt in is temporary and will be removed when the feature becomes automatically enabled for all users as part of a future Costpoint release. See the Manage Opt-In Features topic for more information.

Security Requirements

Use this group box to indicate the security requirements that apply to the subcontract.

Field	Description
US Citizen	Select this checkbox if the subcontract requires all vendors and employees to be US citizens.
CMMC Level	This field displays the Cybersecurity Maturity Model Certification (CMMC) level associated with the vendor. Valid values are: None 1: Performed processes, basic cyber hygiene practices 2: Documented processes, intermediate cyber hygiene practices 3: Managed processes, good cyber hygiene practices 4: Reviewed processes, proactive cyber hygiene practices 5: Optimizing processes, advanced/progressive cyber hygiene practices Note: This field is disabled and is for reference purposes only, as the rating system has been revised from a scale of 1-5 to a flexible structure that can be defined by clients. Because there are no mappings between CMMC 1.0 and CMMC 2.0, existing data cannot be transferred to the new 2.0 ratings. You can, however, add your CMMC level to the Manage Vendor Certifications screen, which provides you with more options in defining your CMMC information. Then, you can associate this certification with the vendor on the Vendor Certifications subtask of Manage Subcontracts. The CMMC Level field will be removed in a future release. Attention: For more information on CMMC, visit https://dodcio.defense.gov/CMMC/.
ITAR Status	Select the option to indicate the International Traffic in Arms Regulations (ITAR) requirements of the subcontract. Valid options are: US Person Authorized for ITAR: Select this option if the subcontract requires employees who are US citizens and authorized to do ITAR transactions. Foreign Person with U.S. Dept of State Authorization/Special Exemption: Select this option if the subcontract requires employees who are authorized by the U.S. Department of State for ITAR transactions or have special exemption. Not Authorized: Select this option if the subcontract allows employees who are not authorized to do ITAR transactions. Not Applicable: Select this option if the ITAR status is not applicable to the employees associated with the subcontract.

Field

Description

US Citizen

Select this checkbox if the subcontract requires all vendors and employees to be US citizens.

CMMC Level

This field displays the Cybersecurity Maturity Model Certification (CMMC) level associated with the vendor. Valid values are:

None
1: Performed processes, basic cyber hygiene practices
2: Documented processes, intermediate cyber hygiene practices
3: Managed processes, good cyber hygiene practices
4: Reviewed processes, proactive cyber hygiene practices
5: Optimizing processes, advanced/progressive cyber hygiene practices

Note: This field is disabled and is for reference purposes only, as the rating system has been revised from a scale of 1-5 to a flexible structure that can be defined by clients. Because there are no mappings between CMMC 1.0 and CMMC 2.0, existing data cannot be transferred to the new 2.0 ratings.

You can, however, add your CMMC level to the Manage Vendor Certifications screen, which provides you with more options in defining your CMMC information. Then, you can associate this certification with the vendor on the Vendor Certifications subtask of Manage Subcontracts.

The CMMC Level field will be removed in a future release.

Attention: For more information on CMMC, visit https://dodcio.defense.gov/CMMC/.

ITAR Status

Select the option to indicate the International Traffic in Arms Regulations (ITAR) requirements of the subcontract. Valid options are:

US Person Authorized for ITAR: Select this option if the subcontract requires employees who are US citizens and authorized to do ITAR transactions.
Foreign Person with U.S. Dept of State Authorization/Special Exemption: Select this option if the subcontract requires employees who are authorized by the U.S. Department of State for ITAR transactions or have special exemption.
Not Authorized: Select this option if the subcontract allows employees who are not authorized to do ITAR transactions.
Not Applicable: Select this option if the ITAR status is not applicable to the employees associated with the subcontract.

Subtask

Subtask	Description
Vendor Certifications	Use this subtask to add, view, or modify certifications associated with the vendor.

Costpoint Online Help

Security/Vendor Certifications Tab

Security Requirements

Subtask