Georgia Tech Procurement Assistance Center

Chinese government hackers steal massive amounts of data from Navy contractor computers

By

Chinese government hackers have stolen large swaths of highly sensitive data on undersea warfare from a Navy contractor’s computers, The Washington Post reports.

The stolen information includes secret plans to develop a supersonic anti-ship missile to be used by submarines by 2020, American officials told the Post.

The incidents took place in January and February, but officials did not disclose the contractor that was targeted, the newspaper reported Friday.

Although the information was highly sensitive, it was housed on the contractor’s unclassified network, according to the Post.

“Per federal regulations, there are measures in place that require companies to notify the government when a ‘cyber incident’ has occurred that has actual or potential adverse effects on their networks that contain controlled unclassified information,” Navy Lt. Marycate Walsh said in a statement. “It would be inappropriate to discuss further details at this time.”

Keep reading this article at: http://wtkr.com/2018/06/08/wapo-chinese-government-hackers-steal-massive-amounts-of-data-from-navy-contractor-computers/

Draft DoD guidance reveals how cyber readiness will impact contract evaluations

By

Editor’s Note: This post was created by Jon Williams who is a partner with PilieroMazza and a member of the firm’s Government Contracts Group. 

We have been blogging and giving webinars since last year about the DoD requirements around cybersecurity for contractors that are subject to DFARS 252.204-7012. Please view our past blogs and webinars here and here to get more of the backstory.

In a nutshell, DoD contractors operating nonfederal IT systems and subject to DFARS 252.204-7012 were required to have a system security plan (“SSP”) in place by December 31, 2017, to demonstrate compliance with the recommended security controls in NIST SP 800-171. Although the DFARS requirements were black-and-white, there was a fair amount of uncertainty late last year and continuing into this year about what contractors needed to do to comply and if/how DoD would enforce the requirements.

DoD has taken some of the mystery out of these cyber requirements in a recently-released draft guidance.

Keep reading this blog post at: http://www.pilieromazza.com/the-protests-are-coming-draft-dod-guidance-reveals-how-cyber-readiness-will-impact-contract-evaluations

See GTPAC’s instructional video on achieving compliance with DFARS 252.204-7012 and NIST guidance at: http://gtpac.org/cybersecurity-training-video/

Faster detection, cleanup of network infections are goals of $12.8 million Georgia Tech project

By

Cybersecurity researchers at the Georgia Institute of Technology have been awarded a $12.8 million contract to develop fundamentally new techniques designed to dramatically accelerate the detection and remediation of infections in local and remote networks. Using novel machine learning techniques that take advantage of large datasets, the researchers will develop ways to detect network infections within 24 hours – before invaders can do serious damage.

The technical goal for the new system, dubbed “Gnomon,” is to detect changes in individual computer systems by analyzing suspicious network traffic that appears weeks or months before any evidence of malicious software – or malware – can be identified. As a proof-of-concept, the researchers will work with two major U.S. telecommunication companies and several petabytes of data in basic research aimed at detecting signals of malicious activity on their networks.

Funded by the Defense Advanced Research Projects Agency (DARPA), the four-year award is part of the agency’s Harnessing Autonomy for Countering Cyberadversary Systems (HACCS) program. Beyond rapid detection of infections, the project will also accelerate the cleanup after such infections, creating a clearer pathway in a process known as remediation.

“A compromise becomes a breach only if the original infection remains undetected long enough for the adversaries to do damage,” said Manos Antonakakis, an assistant professor in Georgia Tech’s School of Electrical and Computer Engineering and the project’s co-principal investigator. “If you look at the major breaches that have occurred, you see that the adversaries were in the systems for months. We want to identify them in a matter of hours to contain the infection before any real damage can be done.”

The new techniques to be developed will address the realization that network attacks cannot be completely blocked by existing defenses and malware-based detection systems. Dynamic intelligence will be a key feature of the system, with the intent of creating a continuously-updated dossier of every address in IPv4 space.

“Gnomon will search for illicit behavior in computer systems and network signals that indicate the start of an infection,” said Michael Farrell, chief strategist at the Georgia Tech Research Institute (GTRI), and the principal investigator on the program. “We’ll use our experience with taking down botnets – networks of infected computers – to accelerate the detection and remediation process. It’s imperative to evolve our view of the internetwork infrastructure at the same pace that the threat evolves.”

To protect millions of computers on the networks of the two companies, the researchers must find ways to identify troubling behavior on individual IP addresses without endangering the privacy of individuals. Among the signs of trouble are communications with network locations known to house malicious activity. Such communication is necessary for malicious groups to control computers that have been compromised, and to move data stolen from them.

“If you know where the infecting groups are located, you can very easily exclude most of the benign activities occurring on the network,” Antonakakis said. “We need to be able to identify what has changed in computers throughout the network, understand why the change has happened, and determine whether that change can be attributed to benign or malicious activity. This is a groundbreaking new approach to network security that will require tremendous computing power and infrastructure.”

Ever since the first viruses hit computers in the 1980s, cybersecurity has seen rapid evolution of detection and attack tactics. The success of Gnomon will likely drive adversaries to new attack techniques that may be more complex – and expensive – than existing activities. Making cyberattacks more costly to launch may reduce the profit from such activities, making them less attractive.

“If we can clean up our networks faster and more efficiently, that will increase the cost of the attack, making the adversaries work harder,” Antonakakis said. “If you raise the cost of an attack, the return on investment becomes smaller, while the risk of getting identified becomes higher. We would like to make the business of an attack so unprofitable and so risky for the adversaries that it will not make sense for them to conduct major operations in our networks.”

Success in developing new techniques with the first two telecommunication companies could open the door for scaling up Gnomon to other large networks in industry – and to U.S. government systems.

“Not only will deployment have an obvious benefit of improved hygiene for a significant portion of the U.S. internet infrastructure, but the public-private partnership will allow us to provide valuable feedback throughout the HACCS program on the sort of prototypes that will be necessary to have true business and mission impact in the real world,” Farrell said. “The goals are very ambitious, but if we’re successful, we’ll be able to close the gap between an infection and remediation.”

This program is the latest interdisciplinary research collaboration in cybersecurity at Georgia Tech, orchestrated by the Institute for Information Security & Privacy (IISP). In addition to the School of Electrical and Computer Engineering and GTRI, the project will include Professor Brian Kennedy from Georgia Tech’s School of Physics.

Attribution of malicious cyber activity is an established research thrust at Georgia Tech, and this new contract builds on the early success of another Department of Defense (DoD) sponsored program to enhance attribution. The “Rhamnousia” program is now a $25.3 million contract being led by the same research team of Farrell and Antonakakis.

This material is based upon work supported by the Defense Advanced Research Projects Agency (DARPA) under contract number HR001118C0057. Any opinions, findings and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the Defense Advanced Research Projects Agency (DARPA).

Source: http://www.news.gatech.edu/2018/05/14/faster-detection-cleanup-network-infections-are-goals-128-million-project

Next NDAA might add more cyber provisions

By

The next defense authorization bill could have a slew of new cyber provisions aimed at streamlining the Defense Department’s collaboration with the rest of government.

The House Armed Services Committee’s Subcommittee on Emerging Threats and Capabilities released a markup of the 2019 National Defense Authorization Act on April 26 that includes a range of cyber provisions and recommendations focusing on expanding cyber forces, protecting critical infrastructure and consolidating cyber responsibilities.

Key provisions include:

  • Studying state cyber teams.
  • Protecting critical infrastructure with more hackathons.
  • Boosting breach notification requirements. 
  • Prioritizing tech needs at DOD installations.
  • Fully integrating DIUx’s Silicon Valley vibe into defense labs. 
  • Mapping cyber vulnerabilities in weapons systems. 
  • Cyber Command absorbing (some of) DISA’s responsibilities.

Read details on each of these provisions at: https://washingtontechnology.com/articles/2018/04/27/ndaa-markup-cyber.aspx

Security tips for choosing and using passwords

By

You probably use a number of personal identification numbers (PINs), passwords, and passphrases every day: from getting money from the ATM or using your debit card in a store, to logging in to your email or into an online retailer. Keeping track of all of the number, letter, and word combinations may be frustrating at times, but you’ve seen enough news coverage to know that hackers represent a real threat to your information. Often, an attack is not specifically about your account, but about using the access to your information to launch a larger attack.

One of the best ways to protect information or physical property is to ensure that only authorized people have access to it. Verifying that those requesting access are the people they claim to be is the next step. This authentication process is more important and more difficult in the cyber world. Passwords are the most common means of authentication, but only work if they are complex and confidential. Many systems and services have been successfully breached because of insecure and inadequate passwords. Once a system is compromised, it’s open to exploitation by other unwanted sources.

How to choose good passwords

Avoid common mistakes

Most people use passwords that are based on personal information and are easy to remember. However, that also makes it easier for an attacker to crack them. Consider a four-digit PIN. Is yours a combination of the month, day, or year of your birthday? Does it contain your address or phone number? Think about how easy it is to find someone’s birthday or similar information. What about your email password—is it a word that can be found in the dictionary? If so, it may be susceptible to dictionary attacks, which attempt to guess passwords based on common words or phrases.

Although intentionally misspelling a word (“daytt” instead of “date”) may offer some protection against dictionary attacks, an even better method is to rely on a series of words and use memory techniques, or mnemonics, to help you remember how to decode it. For example, instead of the password “hoops,” use “IlTpbb” for “[I] [l]ike [T]o [p]lay [b]asket[b]all.” Using both lowercase and capital letters adds another layer of obscurity. Changing the same example used above to “Il!2pBb.” creates a password very different from any dictionary word.

Length and complexity

The National Institute of Standards and Technology (NIST) has developed specific guidelines for strong passwords. According to NIST guidance, you should  consider using the longest password or passphrase permissible (16–64 characters) when you can. For example, “Pattern2baseball#4mYmiemale!” would be a strong password because it has 28 characters. It also includes the upper and lowercase letters, numbers, and special characters. You may need to try different variations of a passphrase—some applications limit the length of passwords, some do not accept spaces or certain special characters. Avoid common phrases, famous quotations, and song lyrics.

Dos and don’ts

Once you’ve come up with a strong, memorable password it’s tempting to reuse it ­– don’t! Reusing a password, even a strong one, endangers your accounts just as much as using a weak password. If attackers guess your password, they would have access to all of your accounts. Use the following techniques to develop unique passwords for each of your accounts:

  • Do use different passwords on different systems and accounts.
  • Don’t use passwords that are based on personal information that can be easily accessed or guessed.
  • Use the longest password or passphrase permissible by each password system
  • Don’t use words that can be found in any dictionary of any language.
  • Do develop mnemonics to remember complex passwords.
  • Do consider using a password manager program to keep track of your passwords. (See more information below.)

How to protect your passwords

Now that you’ve chosen a password that’s easy for your to remember, but difficult for others to guess, you have to make sure not to leave it someplace for people to find. Writing it down and leaving it in your desk, next to your computer, or, worse, taped to your computer, is just making it easy for someone who has physical access to your office. Don’t tell anyone your passwords, and watch for attackers trying to trick you through phone calls or email messages requesting that you reveal your passwords. (See Avoiding Social Engineering and Phishing Attacks for more information.)

Programs called password managers offer the option to create randomly generated passwords for all of your accounts. You then access those strong passwords with a master password. If you use a password manager, remember to use a strong master password.

Password problems can stem from your web browsers’ ability to save passwords and your online sessions in memory. Depending on your web browsers’ settings, anyone with access to your computer may be able to discover all of your passwords and gain access to your information. Always remember to log out when you are using a public computer (at the library, an Internet cafe, or even a shared computer at your office). Avoid using public computers and public Wi-Fi to access sensitive accounts such as banking and email.

There’s no guarantee that these techniques will prevent an attacker from learning your password, but they will make it more difficult.

For more information on passwords, multi-factor authentication, and related password topics, see Supplementing Passwords.

Don’t forget security basics

  • Keep your operating system, browser, and other software up-to-date.
  • Use and maintain anti-virus software and a firewall.
  • Regularly scan your computer for spyware. (Some anti-virus programs incorporate spyware detection.)
  • Use caution with email attachments and untrusted links.
  • Watch for suspicious activity on your accounts.

Source: The National Cybersecurity and Communications Integration Center’s (NCCIC) – https://www.us-cert.gov/ncas

New cyber rule requires critical documents

By

Contractors and their supply chain with active Defense Department contracts, or those that plan on doing business with it, must assure that any of their data systems that transmit, process or store controlled unclassified information are compliant with National Institute of Standards and Technology Special Publication 800-171 “Protecting Controlled Unclassified Information in Non-federal Information Systems and Organizations.”

It’s clear that meeting the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 mandate to comply to the special publication is a required priority for defense contractors, subcontractors and suppliers.

Making a system security plan and plan of actions and mitigations is crucial to winning new business and keeping existing contracts this year and moving forward. Here are some tips on how to approach creating and utilizing these complex compliance documents.

Keep reading this article at: http://www.nationaldefensemagazine.org/articles/2018/3/30/new-cyber-rule-requires-critical-documents

The Georgia Tech Procurement Assistance Center (GTPAC) has developed an instructional video and a template to help contractors comply with DoD’s cybersecurity requirements.  You can view and download these resources at: http://gtpac.org/cybersecurity-training-video/

 

GTPAC’s cybersecurity initiative recognized with national ‘Outstanding Project Award’

By

GTPAC received the Outstanding Project Award at APTAC’s annual training conference on Mar. 7, 2018.

The Georgia Tech Procurement Assistance Center (GTPAC) was honored this week by the Association of Procurement Assistance Centers (APTAC), the organization which represents 98 procurement technical assistance centers (PTACs) across the United States, Guam and Puerto Rico.

GTPAC was presented with APTAC’s Outstanding Project Award which annually recognizes an accomplishment that stands out from the day-to-day activities that all PTACs organize and undertake.

The project recognized by APTAC is GTPAC’s instructional video that provides step-by-step guidance to government contractors on how they can achieve compliance with Department of Defense (DoD) cybersecurity requirements  designed to safeguard DoD information and report on cyber incidents.

GTPAC’s video and accompanying resources – including a template which contractors may use – are made available free of charge on the GTPAC web site at: http://gtpac.org/cybersecurity-training-video.

The video and template have been heralded both by PTACs, who counsel businesses, and by businesses themselves as valuable one-stop resources for existing contractors and aspiring DoD contractors alike.  Since the launch of these training tools at the end of last year, 1,284 persons have viewed the video and downloaded the template 1,508 times.

Specifically, the video explains Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, including its key definitions and cyber obligations, including its primary requirement that defense contractors which process, store or transmit “covered defense information” must address 110 individual cybersecurity controls outlined in National Institute of Standards and Technology (NIST) Special Publication 800-171.

The 20-minute video not only provides information on these requirements, but also provides specific guidance on how government contractors can achieve compliance with the DFARS clause and the NIST standards.  The video guides government contractors on how they can perform a “self-assessment” of their information system using NIST’s Manufacturing Extension Partnership (MEP) Cybersecurity Self-Assessment Handbook.

One of the most creative and innovative aspects of the project is the 127-page cybersecurity template GTPAC created in conjunction with the video.  The template provides step-by-step instructions on how government contractors can create a “Systems Security Plan” and “Plan of Action” – documentation necessary to achieve compliance.

The resources GTPAC created are very timely in light of recent warnings from DoD that it plans to request and evaluate cyber plans from businesses as a part of the contract award decision-making process.   If the video is carefully reviewed and the template is fully completed and properly filled out, contractors will be in a position to document their compliance with the DFARS cybersecurity requirements.

Members of the GTPAC team proudly show off the national award they received.

GTPAC program manager Joe Beaulieu points out that “by providing the video and cybersecurity template, GTPAC’s objective is to make the process of achieving compliance much easier, especially for small defense contractors who may not have the resources necessary to develop such plans from scratch.”  Indeed, the template makes the process of drafting the required documentation easier, as contractors merely have to fill in the blanks and answer specific questions, rather than work from a blank slate.  While it is ultimately up to the contractor to meet the requirements and to provide accurate information, GTPAC’s video and template provide contractors with an excellent starting point for assessing, achieving and documenting compliance.

In honoring GTPAC with the Outstanding Project Award, APTAC encouraged other PTACs to make use of the video, template, and resource materials posted at http://gtpac.org/cybersecurity-training-video.  NIST recently provided similar encouragement to their nationwide network of MEPs in their work with U.S. manufacturers.  GTPAC coordinated the creation of the cybersecurity materials with the Georgia MEP (GaMEP) which, like GTPAC, is a part of the Georgia Institute of Technology’s Enterprise Innovation Institute (EI2).

EI2 is Georgia Tech’s business outreach organization which serves as the primary vehicle to achieve Georgia Tech’s goal of expanded local, regional, and global outreach.  EI2 is the nation’s largest and most comprehensive university-based program of business and industry assistance, technology commercialization, and economic development.

GTPAC is a state-wide program operated by EI2 under a cooperative agreement with the Defense Logistics Agency (DLA).   In 2017, Georgia businesses won more than 5,000 government contracts – worth more than $1 billion – with GTPAC’s help.  All totalled, GTPAC provided counseling, instruction, and bid opportunities to 2,548 Georgia businesses during the past year.

DHS cyber info sharing tool to get a reboot this year

By

The Homeland Security Department plans to update its system for automatically sharing cybersecurity threat information with companies, critical infrastructure providers and other federal agencies this coming summer or fall, a top official said last week.

More than 200 organizations have signed up to automatically receive the indicators, but most of them aren’t using that information to automatically block malicious traffic into their networks, Jeanette Manfra, assistant secretary in Homeland Security’s Office of Cybersecurity and Communications, said.

Generally, that’s because customer organizations say the indicators don’t include enough information for them to determine what’s truly relevant, Manfra told an audience at the industry group US Telecom’s cybersecurity policy forum.

Keep reading this article at: http://www.defenseone.com/technology/2018/01/dhs-cyber-info-sharing-tool-get-reboot-year/145517

The Department of Homeland Security’s (DHS) free Automated Indicator Sharing (AIS) can be accessed at: https://www.us-cert.gov/ais

Have you watched GTPAC’s cybersecurity compliance video yet?  Check it out at: http://gtpac.org/cybersecurity-training-video/

Changes coming to GSA’s contractor cybersecurity requirements

By

The General Services Administration (GSA) plans to officialize regulations on how contractors should handle and protect sensitive information for federal clients, as well as report any incidents that could put that information at risk.

GSA’s proposed contractor cybersecurity rules changes — a pair of actions included in a Federal Register notice published Jan. 12 — follow in the footsteps of the Pentagon’s move last year to update its acquisition regulations, heightening the security standards of the defense contractors who work with sensitive DoD data.

The actions aren’t exactly new. In part, GSA is putting existing contractor information security requirements through the rulemaking and public comment process so they will be be officially added to the GSA Acquisition Regulation, or GSAR, with any subsequent updates.

Keep reading this article at: https://www.fedscoop.com/changes-coming-gsas-contractor-cybersecurity-requirements/

GTPAC has created a video and a template to help businesses comply with DoD’s cybersecurity requirements.  These new resources appear at: http://gtpac.org/cybersecurity-training-video/

Cybersecurity training video and template released

By

The Georgia Tech Procurement Assistance Center (GTPAC) has produced a 20-minute instructional video designed to assist contractors comply with Defense Department (DoD) cybersecurity requirements.

Click image above to view video and access resource documents.

Accompanying the video is a 127-page template that can be used by contractors to create a Security Assessment Report, a System Security Plan, and a Plan of Action.

The video and template, along with related resources, can be found at: http://gtpac.org/cybersecurity-training-video.

Background

The Defense Federal Acquisition Regulation Supplement (DFARS) prescribes that DFARS clause 252.204-7012 (“Safeguarding Covered Defense Information and Cyber Incident Reporting”)  be inserted in many DoD contracts.

In general, the clause requires that contractors provide adequate security on all applicable contractor information systems – and investigate and report on any compromises of such systems.  The DFARS clause also requires contractors to:

  • isolate malicious software,
  • preserve and protect all media involved in a cyber incident,
  • provide DoD with access to information or equipment for purposes of forensic analysis,
  • assess damage as a result of a cyber incident, and
  • “flow down” the clause in any subcontracts involving information covered by the requirements.
Click on the graphic above to see the government’s complete list of Controlled Unclassified Information (CUI) covered by the regulation.
Impact

If you are a DoD contractor, it is very likely that your contract incorporates DFARS clause 252.204-7012.  The clause is required in all solicitations and contracts, including solicitations and contracts issued under Federal Acquisition Regulation (FAR) Part 12 procedures for the acquisition of commercial items.  (Note: The clause is not required for solicitations and contracts solely for the acquisition of Commercial Off the Shelf – or COTS – items.)

To provide adequate security, DoD contractors covered by the DFARS clause are expected, at a minimum and effective immediately, to implement the standards set forth in National Institute of Standards and Technology (NIST) Special Publication 800-171 (Revision 1).

In general terms, to meet the government’s cybersecurity standards, contractors must assess their information systems, develop a security plan, and create an action plan.  GTPAC’s template – available for download as a Word document on the same webpage where the video appears – provides a step-by-step process by which each of these tasks can be completed and documentation can be compiled.

Information and Assistance

The video and template were funded through a cooperative agreement with the Defense Logistics Agency, and created with the support of the Georgia Institute of Technology.  The content of the video presentation does not necessarily reflect the official views of or imply endorsement by the U.S. Department of Defense, the Defense Logistics Agency, or Georgia Tech.

For further assistance with complying with DoD’s contractual cybersecurity requirements, please feel free to contact a GTPAC Procurement Counselor.  A list of Counselors, their locations, and contact information can be found at: http://gtpac.org/team-directory.

Companies located outside the state of Georgia may contact their nearest Procurement Technical Assistance Center (PTAC) for assistance with government contracting matters.  PTACs are located in all 50 states, the District of Columbia, Guam, and Puerto Rico.  Find a directory of PTACs at: http://www.aptac-us.org/find-a-ptac.

GTPAC is a part of the Enterprise Innovation Institute (EI2), Georgia Tech’s business outreach organization which serves as the primary vehicle to achieve Georgia Tech’s goal of expanded local, regional, and global outreach.  EI2 is the nation’s largest and most comprehensive university-based program of business and industry assistance, technology commercialization, and economic development.

 

 

 

Contracting News

Read More

Contracting Tips

Read More

GTPAC News

Read More

Georgia Tech News

Read More