Global Ordnance Holdings

Secure, compliant global supply chain.

GOH manages sourcing, licensing, and transport across sensitive categories with mature compliance and risk‑management frameworks.

Compliance Framework

ISO 9001:2015 • NIST 800‑171 • DFARS 7012 • ITAR/EAR • UK Cyber Essentials • GDPR • CMMC 2.0 • DoD 5100.76 • NISPOM • ATF Type 11

ATF import licenses, State Dept. export/broker registrations, and DFARS‑aligned controls across multi‑national suppliers.

Trade Compliance & Licensing

ITAR/EAR, ATF, and State Department licensing; rigorous screening of suppliers, end users, and intermediaries.

Logistics into Complex Theaters

Multi‑modal routing, bonded storage, in‑country partners, and contingency planning for deliveries into high‑risk environments.

Quality & InfoSec

ISO 9001:2015 quality management and CMMC 2.0‑aligned practices for handling controlled unclassified information (CUI).

Supplier Guide: Understanding DFARS 7012 & CMMC

Obligations for Global Ordnance Suppliers, Vendors, and Subcontractors regarding Cybersecurity and CUI.

At Global Ordnance, navigating the complex landscape of government contracting is central to our mission. As we support the Department of Defense (DoD), ensuring the security of our supply chain is not just a priority—it is a contractual obligation.

This guide outlines your obligations under DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting) and prepares you for the implementation of the Cybersecurity Maturity Model Certification (CMMC).

The Foundation: What is DFARS 7012?

DFARS 7012 serves as the foundation for cybersecurity within the Defense Industrial Base (DIB). Its primary goal is to protect Controlled Unclassified Information (CUI).

  • What is CUI? Government-created or owned information that requires safeguarding. It is not classified, but must be protected from threat actors.
  • Your Obligation: If Global Ordnance shares CUI with your organization, you are required to comply with DFARS 7012.
  • Incident Reporting: You must report cyber incidents to the DoD via DIBNet within 72 hours of discovery.

As a prime contractor, Global Ordnance assumes responsibility for ensuring our supply chain protects sensitive data. When the DoD includes DFARS 7012 in our contract, we are legally mandated to “flow down” these requirements to you.

"If a subcontractor does not agree to comply with the terms of DFARS Clause 252.204–7012, then covered defense information shall not be shared with the subcontractor or otherwise reside on its information system."

Simply put: If you cannot demonstrate compliance, Global Ordnance cannot legally share the data necessary for you to perform your work.

Compliance requires implementing the 110 security controls outlined in NIST SP 800-171. Compliance currently operates on a self-attestation model: you must confirm fulfillment of these controls or have a concrete Plan of Action and Milestones (POAM).

The 14 Security Families (number of controls in each):

  • Access Control (22)
  • Awareness & Training (3)
  • Audit & Accountability (9)
  • Configuration Mgmt (9)
  • ID & Authentication (11)
  • Incident Response (3)
  • Maintenance (6)
  • Media Protection (9)
  • Personnel Security (2)
  • Physical Protection (6)
  • Risk Assessment (3)
  • Security Assessment (4)
  • System & Comms Protection (16)
  • System & Info Integrity (7)

CMMC does not replace DFARS 7012; it reinforces it. DFARS 7012 defines what you must do, while CMMC verifies that you are actually doing it.

  • The Timeline: DoD has finalized the rule for CMMC 2.0, with phased inclusion in contracts beginning November 10, 2025.
  • The Shift: Unlike self-attestation, CMMC will require independent validation. Suppliers handling CUI will eventually require a Level 2 Certification performed by a CMMC Third-Party Assessment Organization (C3PAO).

Supplier Onboarding

To be approved as a Global Ordnance supplier, please request the supply chain documentation packet below.