Georgia Tech Procurement Assistance Center

Security tips for choosing and using passwords

By

You probably use a number of personal identification numbers (PINs), passwords, and passphrases every day: from getting money from the ATM or using your debit card in a store, to logging in to your email or into an online retailer. Keeping track of all of the number, letter, and word combinations may be frustrating at times, but you’ve seen enough news coverage to know that hackers represent a real threat to your information. Often, an attack is not specifically about your account, but about using the access to your information to launch a larger attack.

One of the best ways to protect information or physical property is to ensure that only authorized people have access to it. Verifying that those requesting access are the people they claim to be is the next step. This authentication process is more important and more difficult in the cyber world. Passwords are the most common means of authentication, but only work if they are complex and confidential. Many systems and services have been successfully breached because of insecure and inadequate passwords. Once a system is compromised, it’s open to exploitation by other unwanted sources.

How to choose good passwords

Avoid common mistakes

Most people use passwords that are based on personal information and are easy to remember. However, that also makes it easier for an attacker to crack them. Consider a four-digit PIN. Is yours a combination of the month, day, or year of your birthday? Does it contain your address or phone number? Think about how easy it is to find someone’s birthday or similar information. What about your email password—is it a word that can be found in the dictionary? If so, it may be susceptible to dictionary attacks, which attempt to guess passwords based on common words or phrases.

Although intentionally misspelling a word (“daytt” instead of “date”) may offer some protection against dictionary attacks, an even better method is to rely on a series of words and use memory techniques, or mnemonics, to help you remember how to decode it. For example, instead of the password “hoops,” use “IlTpbb” for “[I] [l]ike [T]o [p]lay [b]asket[b]all.” Using both lowercase and capital letters adds another layer of obscurity. Changing the same example used above to “Il!2pBb.” creates a password very different from any dictionary word.

Length and complexity

The National Institute of Standards and Technology (NIST) has developed specific guidelines for strong passwords. According to NIST guidance, you should  consider using the longest password or passphrase permissible (16–64 characters) when you can. For example, “Pattern2baseball#4mYmiemale!” would be a strong password because it has 28 characters. It also includes the upper and lowercase letters, numbers, and special characters. You may need to try different variations of a passphrase—some applications limit the length of passwords, some do not accept spaces or certain special characters. Avoid common phrases, famous quotations, and song lyrics.

Dos and don’ts

Once you’ve come up with a strong, memorable password it’s tempting to reuse it ­– don’t! Reusing a password, even a strong one, endangers your accounts just as much as using a weak password. If attackers guess your password, they would have access to all of your accounts. Use the following techniques to develop unique passwords for each of your accounts:

  • Do use different passwords on different systems and accounts.
  • Don’t use passwords that are based on personal information that can be easily accessed or guessed.
  • Use the longest password or passphrase permissible by each password system
  • Don’t use words that can be found in any dictionary of any language.
  • Do develop mnemonics to remember complex passwords.
  • Do consider using a password manager program to keep track of your passwords. (See more information below.)

How to protect your passwords

Now that you’ve chosen a password that’s easy for your to remember, but difficult for others to guess, you have to make sure not to leave it someplace for people to find. Writing it down and leaving it in your desk, next to your computer, or, worse, taped to your computer, is just making it easy for someone who has physical access to your office. Don’t tell anyone your passwords, and watch for attackers trying to trick you through phone calls or email messages requesting that you reveal your passwords. (See Avoiding Social Engineering and Phishing Attacks for more information.)

Programs called password managers offer the option to create randomly generated passwords for all of your accounts. You then access those strong passwords with a master password. If you use a password manager, remember to use a strong master password.

Password problems can stem from your web browsers’ ability to save passwords and your online sessions in memory. Depending on your web browsers’ settings, anyone with access to your computer may be able to discover all of your passwords and gain access to your information. Always remember to log out when you are using a public computer (at the library, an Internet cafe, or even a shared computer at your office). Avoid using public computers and public Wi-Fi to access sensitive accounts such as banking and email.

There’s no guarantee that these techniques will prevent an attacker from learning your password, but they will make it more difficult.

For more information on passwords, multi-factor authentication, and related password topics, see Supplementing Passwords.

Don’t forget security basics

  • Keep your operating system, browser, and other software up-to-date.
  • Use and maintain anti-virus software and a firewall.
  • Regularly scan your computer for spyware. (Some anti-virus programs incorporate spyware detection.)
  • Use caution with email attachments and untrusted links.
  • Watch for suspicious activity on your accounts.

Source: The National Cybersecurity and Communications Integration Center’s (NCCIC) – https://www.us-cert.gov/ncas

New cyber rule requires critical documents

By

Contractors and their supply chain with active Defense Department contracts, or those that plan on doing business with it, must assure that any of their data systems that transmit, process or store controlled unclassified information are compliant with National Institute of Standards and Technology Special Publication 800-171 “Protecting Controlled Unclassified Information in Non-federal Information Systems and Organizations.”

It’s clear that meeting the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 mandate to comply to the special publication is a required priority for defense contractors, subcontractors and suppliers.

Making a system security plan and plan of actions and mitigations is crucial to winning new business and keeping existing contracts this year and moving forward. Here are some tips on how to approach creating and utilizing these complex compliance documents.

Keep reading this article at: http://www.nationaldefensemagazine.org/articles/2018/3/30/new-cyber-rule-requires-critical-documents

The Georgia Tech Procurement Assistance Center (GTPAC) has developed an instructional video and a template to help contractors comply with DoD’s cybersecurity requirements.  You can view and download these resources at: http://gtpac.org/cybersecurity-training-video/

 

GTPAC’s cybersecurity initiative recognized with national ‘Outstanding Project Award’

By

GTPAC received the Outstanding Project Award at APTAC’s annual training conference on Mar. 7, 2018.

The Georgia Tech Procurement Assistance Center (GTPAC) was honored this week by the Association of Procurement Assistance Centers (APTAC), the organization which represents 98 procurement technical assistance centers (PTACs) across the United States, Guam and Puerto Rico.

GTPAC was presented with APTAC’s Outstanding Project Award which annually recognizes an accomplishment that stands out from the day-to-day activities that all PTACs organize and undertake.

The project recognized by APTAC is GTPAC’s instructional video that provides step-by-step guidance to government contractors on how they can achieve compliance with Department of Defense (DoD) cybersecurity requirements  designed to safeguard DoD information and report on cyber incidents.

GTPAC’s video and accompanying resources – including a template which contractors may use – are made available free of charge on the GTPAC web site at: http://gtpac.org/cybersecurity-training-video.

The video and template have been heralded both by PTACs, who counsel businesses, and by businesses themselves as valuable one-stop resources for existing contractors and aspiring DoD contractors alike.  Since the launch of these training tools at the end of last year, 1,284 persons have viewed the video and downloaded the template 1,508 times.

Specifically, the video explains Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, including its key definitions and cyber obligations, including its primary requirement that defense contractors which process, store or transmit “covered defense information” must address 110 individual cybersecurity controls outlined in National Institute of Standards and Technology (NIST) Special Publication 800-171.

The 20-minute video not only provides information on these requirements, but also provides specific guidance on how government contractors can achieve compliance with the DFARS clause and the NIST standards.  The video guides government contractors on how they can perform a “self-assessment” of their information system using NIST’s Manufacturing Extension Partnership (MEP) Cybersecurity Self-Assessment Handbook.

One of the most creative and innovative aspects of the project is the 127-page cybersecurity template GTPAC created in conjunction with the video.  The template provides step-by-step instructions on how government contractors can create a “Systems Security Plan” and “Plan of Action” – documentation necessary to achieve compliance.

The resources GTPAC created are very timely in light of recent warnings from DoD that it plans to request and evaluate cyber plans from businesses as a part of the contract award decision-making process.   If the video is carefully reviewed and the template is fully completed and properly filled out, contractors will be in a position to document their compliance with the DFARS cybersecurity requirements.

Members of the GTPAC team proudly show off the national award they received.

GTPAC program manager Joe Beaulieu points out that “by providing the video and cybersecurity template, GTPAC’s objective is to make the process of achieving compliance much easier, especially for small defense contractors who may not have the resources necessary to develop such plans from scratch.”  Indeed, the template makes the process of drafting the required documentation easier, as contractors merely have to fill in the blanks and answer specific questions, rather than work from a blank slate.  While it is ultimately up to the contractor to meet the requirements and to provide accurate information, GTPAC’s video and template provide contractors with an excellent starting point for assessing, achieving and documenting compliance.

In honoring GTPAC with the Outstanding Project Award, APTAC encouraged other PTACs to make use of the video, template, and resource materials posted at http://gtpac.org/cybersecurity-training-video.  NIST recently provided similar encouragement to their nationwide network of MEPs in their work with U.S. manufacturers.  GTPAC coordinated the creation of the cybersecurity materials with the Georgia MEP (GaMEP) which, like GTPAC, is a part of the Georgia Institute of Technology’s Enterprise Innovation Institute (EI2).

EI2 is Georgia Tech’s business outreach organization which serves as the primary vehicle to achieve Georgia Tech’s goal of expanded local, regional, and global outreach.  EI2 is the nation’s largest and most comprehensive university-based program of business and industry assistance, technology commercialization, and economic development.

GTPAC is a state-wide program operated by EI2 under a cooperative agreement with the Defense Logistics Agency (DLA).   In 2017, Georgia businesses won more than 5,000 government contracts – worth more than $1 billion – with GTPAC’s help.  All totalled, GTPAC provided counseling, instruction, and bid opportunities to 2,548 Georgia businesses during the past year.

DHS cyber info sharing tool to get a reboot this year

By

The Homeland Security Department plans to update its system for automatically sharing cybersecurity threat information with companies, critical infrastructure providers and other federal agencies this coming summer or fall, a top official said last week.

More than 200 organizations have signed up to automatically receive the indicators, but most of them aren’t using that information to automatically block malicious traffic into their networks, Jeanette Manfra, assistant secretary in Homeland Security’s Office of Cybersecurity and Communications, said.

Generally, that’s because customer organizations say the indicators don’t include enough information for them to determine what’s truly relevant, Manfra told an audience at the industry group US Telecom’s cybersecurity policy forum.

Keep reading this article at: http://www.defenseone.com/technology/2018/01/dhs-cyber-info-sharing-tool-get-reboot-year/145517

The Department of Homeland Security’s (DHS) free Automated Indicator Sharing (AIS) can be accessed at: https://www.us-cert.gov/ais

Have you watched GTPAC’s cybersecurity compliance video yet?  Check it out at: http://gtpac.org/cybersecurity-training-video/

Changes coming to GSA’s contractor cybersecurity requirements

By

The General Services Administration (GSA) plans to officialize regulations on how contractors should handle and protect sensitive information for federal clients, as well as report any incidents that could put that information at risk.

GSA’s proposed contractor cybersecurity rules changes — a pair of actions included in a Federal Register notice published Jan. 12 — follow in the footsteps of the Pentagon’s move last year to update its acquisition regulations, heightening the security standards of the defense contractors who work with sensitive DoD data.

The actions aren’t exactly new. In part, GSA is putting existing contractor information security requirements through the rulemaking and public comment process so they will be be officially added to the GSA Acquisition Regulation, or GSAR, with any subsequent updates.

Keep reading this article at: https://www.fedscoop.com/changes-coming-gsas-contractor-cybersecurity-requirements/

GTPAC has created a video and a template to help businesses comply with DoD’s cybersecurity requirements.  These new resources appear at: http://gtpac.org/cybersecurity-training-video/

Cybersecurity training video and template released

By

The Georgia Tech Procurement Assistance Center (GTPAC) has produced a 20-minute instructional video designed to assist contractors comply with Defense Department (DoD) cybersecurity requirements.

Click image above to view video and access resource documents.

Accompanying the video is a 127-page template that can be used by contractors to create a Security Assessment Report, a System Security Plan, and a Plan of Action.

The video and template, along with related resources, can be found at: http://gtpac.org/cybersecurity-training-video.

Background

The Defense Federal Acquisition Regulation Supplement (DFARS) prescribes that DFARS clause 252.204-7012 (“Safeguarding Covered Defense Information and Cyber Incident Reporting”)  be inserted in many DoD contracts.

In general, the clause requires that contractors provide adequate security on all applicable contractor information systems – and investigate and report on any compromises of such systems.  The DFARS clause also requires contractors to:

  • isolate malicious software,
  • preserve and protect all media involved in a cyber incident,
  • provide DoD with access to information or equipment for purposes of forensic analysis,
  • assess damage as a result of a cyber incident, and
  • “flow down” the clause in any subcontracts involving information covered by the requirements.
Click on the graphic above to see the government’s complete list of Controlled Unclassified Information (CUI) covered by the regulation.
Impact

If you are a DoD contractor, it is very likely that your contract incorporates DFARS clause 252.204-7012.  The clause is required in all solicitations and contracts, including solicitations and contracts issued under Federal Acquisition Regulation (FAR) Part 12 procedures for the acquisition of commercial items.  (Note: The clause is not required for solicitations and contracts solely for the acquisition of Commercial Off the Shelf – or COTS – items.)

To provide adequate security, DoD contractors covered by the DFARS clause are expected, at a minimum and effective immediately, to implement the standards set forth in National Institute of Standards and Technology (NIST) Special Publication 800-171 (Revision 1).

In general terms, to meet the government’s cybersecurity standards, contractors must assess their information systems, develop a security plan, and create an action plan.  GTPAC’s template – available for download as a Word document on the same webpage where the video appears – provides a step-by-step process by which each of these tasks can be completed and documentation can be compiled.

Information and Assistance

The video and template were funded through a cooperative agreement with the Defense Logistics Agency, and created with the support of the Georgia Institute of Technology.  The content of the video presentation does not necessarily reflect the official views of or imply endorsement by the U.S. Department of Defense, the Defense Logistics Agency, or Georgia Tech.

For further assistance with complying with DoD’s contractual cybersecurity requirements, please feel free to contact a GTPAC Procurement Counselor.  A list of Counselors, their locations, and contact information can be found at: http://gtpac.org/team-directory.

Companies located outside the state of Georgia may contact their nearest Procurement Technical Assistance Center (PTAC) for assistance with government contracting matters.  PTACs are located in all 50 states, the District of Columbia, Guam, and Puerto Rico.  Find a directory of PTACs at: http://www.aptac-us.org/find-a-ptac.

GTPAC is a part of the Enterprise Innovation Institute (EI2), Georgia Tech’s business outreach organization which serves as the primary vehicle to achieve Georgia Tech’s goal of expanded local, regional, and global outreach.  EI2 is the nation’s largest and most comprehensive university-based program of business and industry assistance, technology commercialization, and economic development.

 

 

 

Army and Navy cyber command ready way ahead of schedule

By

U.S. Army Cyber Command announced November 2 that all 41 of its active duty Cyber Mission Force teams were validated as having achieved full operational capability in September 2017, more than a year ahead of schedule. To read the official announcement, click on photo above.   (Photo Credit: U.S. Army photo by Steve Stover)

The Army and Navy components of the military’s Cyber Mission Forces have reached full operational capability, the services announced Thursday, beating their 2018 deadline by roughly a year.

The Army and Navy announcement marks a major milestone for U.S. Cyber Command, which has grown since 2010 from a rough plan to build a military unit complementary to the largely civilian National Security Agency to what will soon be a full combatant command.

Together, the Army and Navy components comprise about 60 percent of the 6,200 cyber troops divided among 133 teams that will make up a fully operational U.S. Cyber Command next year.

Keep reading this article at: http://www.nextgov.com/cybersecurity/2017/11/army-and-navy-cyber-command-ready-way-ahead-schedule/142278

Note: The Army Cyber Command is headquartered at Fort Gordon in Augusta, GA.  In June of 2017, groundbreaking was held for the construction of the Georgia Cyber Innovation and Training Center, a $60 million compound that will feature research and classroom space for Augusta University and the state’s technical colleges, as well as office space for established and startup companies.  For more information, see: http://gtpac.org/2017/06/21/new-training-center-in-augusta-to-counter-emerging-cyberthreats/

Deadlines approach for government contractors on cybersecurity compliance

By

Government contractors are subject to cybersecurity requirements, found in the Federal Acquisition Regulation (FAR) and each agency’s supplement to the FAR, and some important deadlines are fast approaching. Set forth below is a high-level overview of cybersecurity requirements found in the FAR and the Department of Defense (DoD) FAR Supplement (DFARS).

The FAR requires government contractors that handle “federal contract information” to comply with 15 requirements for safeguarding that information. These requirements are similar to certain requirements found in NIST SP 800-171.

Under the FAR, “federal contract information” is defined as:

information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public Web sites) or simple transactional information, such as necessary to process payments.

This is a broad category of information, and some commentators have suggested that it would apply to “virtually all” federal contracts.

Keep reading this article at: https://www.jdsupra.com/legalnews/deadlines-approach-for-government-74231/

Reminder: DoD contractors required to meet cybersecurity requirements by year-end

By

The window for Department of Defense (DoD) contractors to bring themselves into compliance with cybersecurity requirements is closing.

Specifically, changes to the Defense Federal Acquisition Regulation Supplement (DFARS) published in late 2016 require that DoD contractors and subcontractors provide “adequate security” on “covered information systems.”  The new rule also imposes reporting requirements for cyber incidents.  Failure to comply with these requirements could result in loss of government contracting opportunities and civil and criminal liability for responsible companies and individuals.

Background

On October 21, 2016, DoD published a final rule significantly expanding the obligations of private industry with respect to cybersecurity on contractor information systems that host certain government and other sensitive data. 81 Fed. Reg. 72986 (Oct. 16, 2016).  Specifically, the new rule amends the contract clause at DFARS 252.204-7012, which addresses “Safeguarding Covered Defense Information and Cyber Incident Reporting.” According to DoD, “[t]he objectives of the rule are to improve information security for DoD information stored on or transiting contractor information systems as well as in a cloud environment.”  

The amended DFARS clause imposes a critical and fast-approaching compliance deadline for DoD contractors and subcontractors to implement specific security measures on their “covered systems” by December 31, 2017.

The new contract clause at DFARS 252.204-7012 mandates that DoD contractors and their subcontractors “provide adequate security” on all “covered contractor information systems.”

Keep reading this article at: http://www.jdsupra.com/legalnews/alert-dod-contractors-required-to-meet-65186/

Federal cybersecurity requirements seminar now available on video

By

Video coverage of the August 9th seminar on Cybersecurity Requirements for Federal Contractors is now available for viewing, along with pertinent printed resources.

The Georgia Tech Procurement Assistance Center (GTPAC) co-hosted the recent event, along with the Georgia Manufacturing Extension Program (GaMEP).

At the end of this year — if you are a Department of Defense (DoD) contractor or hope to be one — there are new cybersecurity requirements that will be in your contract that will require you to limit access to your information systems, identify system users, and take measures to safeguard federal contract information (FCI).  Your compliance with these rules, among others, require documented processes and procedures.  And, similar requirements are expected to be included in other federal contracts in the near future.

Access to the video is right here.  Following introductory remarks, details on the cyber requirements begin at the 18:00 minute mark in the video.

Click on the image above to start video.

In addition, the following links to the actual presentation materials and other resources are provided below:

GTPAC will continue to provide to our clients additional cybersecurity compliance materials as they become available.

Contracting News

Read More

Contracting Tips

Read More

GTPAC News

Read More

Georgia Tech News

Read More