Georgia Tech Procurement Assistance Center

Critical changes for contractors working with classified information

By

Two significant changes are underway by the Defense Counterintelligence and Security Agency (DCSA) – both of which require the immediate attention of businesses that hold a U.S. security clearance or are in the process of applying for a clearance.

The first change is the codification of the National Industrial Security Program Operating Manual (NISPOM).  As background, the NISPOM has been the key guidance for protecting classified and certain other controlled information in accordance with the National Industrial Security Program (NISP) as currently overseen by the DCSA.

Continue reading at:  JD Supra

The NISPOM is becoming a regulation and contractors have six months to comply

By

On December 21, 2020, the Department of Defense (“DoD”) published a final rule in the Federal Register that codifies the National Industrial Security Program Operating Manual (“NISPOM”) in the Code of Federal Regulations (“CFR”) at 32 CFR part 117.  The rule became effective on February 24, 2021, giving contractors six months from the effective date to comply with the changes.  

The NISPOM establishes various requirements and standard procedures for the protection of classified information disclosed to or developed by government contractors.  It was first published in 1995 as DoD Manual 5220.22, and was intermittently updated through the years including (most recently) via Conforming Change 1 on March 28, 2013, and NISPOM Change 2 on May 21, 2016.  In addition to adding the NISPOM to the CFR, the new rule will incorporate the requirements of Security Executive Agent Directive (“SEAD”) 3, “Reporting Requirements for Personnel with Access to Classified Information or Who Hold a Sensitive Position” (available here), and will implement the provisions of Section 842 of the 2019 National Defense Authorization Act (“NDAA”) (Public Law 115-232) (both of which are discussed below).

Continue reading at:  Sheppard Mullin

Federal contractor sentenced for removing and transmitting classified materials

By

Reality Winner was sentenced yesterday to five years and three months in prison for removing classified national defense material from a government facility and mailing it to a news outlet.

Winner was arrested by the FBI at her home in Augusta, Georgia on June 3, 2017.  The parties filed a plea agreement on June 21, in which Winner agreed to plead guilty to the one-count indictment charging her with unlawful retention and transmission of national defense information.  The parties agreed that a sentence of imprisonment for 63 months followed by a three-year term of supervised release is the appropriate disposition of the case.  The Court accepted the plea agreement at sentencing.

Winner was a contractor assigned to a unit of Fort Gordon in Georgia. She had been employed at the facility since on or about Feb. 13, 2017, and held a TOP SECRET//Sensitive Compartmented (SCI) clearance during that time.  Prior to that position, Winner had served in the U.S. Air Force from 2010-2016 and held a TOP SECRET//SCI security clearance.

  • Evidence presented at the change of plea hearing established that on or about May 9, 2017, Winner printed an intelligence report that was classified at the TOP SECRET//SCI level, and she removed it from the facility where she worked.  Information may be classified as TOP SECRET if its unauthorized disclosure can reasonably be expected to cause exceptionally grave damage to the national security of the United States.
  • Later on May 9, Winner unlawfully transmitted a hard copy of the intelligence report to an online news outlet. The intelligence report revealed the sources and methods used to acquire the information contained in the report, which, if disclosed, would be harmful to the United States and valuable to our adversaries.

Indeed, Winner, in an interview with the FBI on June 3, 2017, admitted knowing at the time she stole and transmitted the intelligence report that it contained information about intelligence sources and methods, which information she knew was valuable to adversaries of the United States.  Further, the information contained in the intelligence report had not been released to the public at the time Winner retained it and transmitted it to the online news outlet.  Winner, who had received training regarding the proper handling, marking, transportation, and storage of classified information, knew that she was not permitted to remove the intelligence report from the facility where she worked, retain it, or transmit it to the news outlet.

The investigation of this case was conducted by the FBI.

Source: https://www.justice.gov/opa/pr/federal-government-contractor-sentenced-removing-and-transmitting-classified-materials-news

See earlier article on this subject at: https://gtpac.org/2018/06/30/contractor-employee-pleads-guilty-to-espionage-in-connection-with-nsa-data-leak/

Contractor employee pleads guilty to espionage in connection with NSA data leak

By

U.S. Air Force veteran Reality Winner — the first person prosecuted by the Trump administration for leaking government information — pleaded guilty Tuesday to espionage for leaking a classified document detailing Russian efforts to hack into state election systems to an online news magazine.

“She pled guilty to willful retention and transmission of national defense information,” said Billie Jean Winner-Davis.

Winner’s lead defense attorney, Baker Donelson partner and former general counsel of the U.S. Department of Homeland Security Joe Whitley, said in a written statement after Winner’s plea, “She has taken this matter seriously, and has made a very difficult decision that will no doubt impact the rest of her life.”

“Obviously, her final sentencing is still pending, and she has a number of conditions and restrictions in her plea agreement that she is committed to honoring,” Whitley said. “However, Reality wishes to thank the numerous individuals and organizations who have supported her through this process.”

Winner, jailed without bond since her arrest more than a year ago at her Augusta, Georgia, home, pleaded guilty as part of a deal with federal prosecutors, who recommended a 63-month sentence followed by three years of supervised release, Winner-Davis said.

Keep reading this article at: https://www.law.com/dailyreportonline/2018/06/26/reality-winner-pleads-guilty-to-espionage-faces-potential-5-year-sentence/

Company that used Russian coders for Pentagon project strikes deal

By

Russian developers did some of the coding work for a Defense Department software system and stored that code inside a server in Moscow, according to a non-prosecution agreement released Monday.

Those Russian coders only worked on unclassified portions of the Defense Information Systems Agency project, but, in some cases, knew they were helping to develop a highly sensitive system that would attach to Defense Department information networks, according to the agreement between the Justice Department and Netcracker Technology Corp., the subcontractor that hired the Russian coders.

The non-prosecution deal ends a criminal investigation against Netcracker that was led by the Justice Department’s national security division and the U.S. Attorney’s Office for the Eastern District of Virginia.

Keep reading this article at: http://www.nextgov.com/cybersecurity/2017/12/company-used-russian-coders-pentagon-project-strikes-deal/144466/

Counterintelligence chief: Contractors ‘kicking butt’ in combating insider threats

By

Though some of the most damaging exposures of classified material have come from companies working for the federal government in recent years, the intelligence community’s 100,000 contractors overall “are kicking butt” in helping agencies head off insider threats, the nation’s top counterintelligence chief said on Monday.

Anticipating threats “is a team sport,” Bill Evanina, the government’s national counterintelligence executive, told a gathering of the Intelligence and National Security Alliance, a nonprofit group made up of contractors and former intelligence officials. “The only way to win is a partnership, a whole-of-government, whole-of-country approach” that includes contractors and the news media as well.

“We have to get back to patriotism,” he said.

Despite incidents involving National Security Agency contractors such as Edward Snowden and Howard Martin, “we need to eliminate with urgency the idea that most insider threats are contractors,” Evanina said. “There’s no evidence” either for that, he said, or for the common notion that “millennials want to be leakers.”

Keep reading this article at: http://www.govexec.com/defense/2017/04/counterterrorism-chief-contractors-kicking-butt-combating-insider-threats/136904

Contractors need clarity on handling federal data, says IT alliance

By

Discrepancies and deficiencies in the way various rules designate and govern covered defense information and controlled unclassified information can impact how contractors protect confidential government information.

In a white paper prepared by associate member Rogers Joseph O’Donnell, the IT Alliance for Public Sector looked at the scope, implementation, compliance tools and inconsistencies of regulatory constructs and requirements to safeguard federal data and information.

Keep reading this article at: http://www.federaltimes.com/articles/contractors-need-clarity-on-handling-federal-data-says-it-alliance

 

Final rule beefs up mandates for contractor information systems security

By

Federal RegisterA new final rule four years in the making will amend the Federal Acquisition Regulations, or FAR, with new sections on the basic safeguarding of contractor information systems.

The rule, published on May 16, 2016 in the Federal Register and issued by the Defense Department, General Services Administration and NASA, will add a subpart and contract clause on contractor systems that process, store or transmit federal contract information, and calls on contractors to apply a minimum of 15 security control requirements.

This type of information is not intended for public release and excludes information that the government provides to the public or that is related to processing payments.

The focus of the rule is on a basic level of safeguarding, and contractors still have to comply with safeguarding requirements for protecting controlled unclassified information, or CUI. “Systems that contain classified information, or CUI, such as personally identifiable information, require more than the basic level of protection,” the rule stated.

Keep reading this article at: http://www.fiercegovernmentit.com/story/final-rule-beefs-mandates-contractor-information-systems-security/2016-05-17

Doing business with the government? What you should know about cybersecurity

By

Government contractors are in a difficult position when it comes to cybersecurity. Not only do they need to worry about cybersecurity issues that affect almost every company, but they also often house sensitive government data that can carry additional obligations.

cyber securityFurther, the very fact that they have access to this information, and their relationship to the U.S. government, makes them an attractive target for malicious efforts. Escalating these concerns, not only are contractors with sensitive information prime targets for standard hackers trying to prove their worth, but they are also in the cross-hairs for attacks sponsored by countries hostile to the United States or interested in obtaining technology otherwise prohibited to them.

The U.S. government recognizes this threat and has responded in two major ways. The first is to impose additional cybersecurity responsibilities on contractors who have access to sensitive data. While the goal of these additional obligations is to harden security to protect data, their parameters are not always apparent and can be easily misunderstood. Just identifying what a contractor is expected to do can be a challenge. The second element of the government’s approach is to assist in combating cyber attacks by offering to work with companies, including contractors, who find themselves victims. This help can be invaluable, especially for sophisticated and persistent state-sponsored cyber threats. It also raises additional issues, however, and many companies are justifiably suspicious of opening their information technology systems to the government.

In this Commentary, we highlight the aligned and competing priorities of the government and companies in this space. We discuss some of the main requirements imposed on contractors that go above and beyond those required of standard companies. We also delve into practical considerations for government contractors in this area and developing trends.

Keep reading this article at: http://www.mondaq.com/article.asp?articleid=402096

Contractors could get new rules for handling sensitive government data

By

Private sector government contractors may soon be subjected to new rules for managing sensitive federal information.

The National Institute of Standards and Technology (NIST) recently published draft requirements for federal and nonfederal groups with access to “controlled unclassified information” — a subset of confidential information that, while not classified, must still be protected. The Commerce Department agency is accepting public comments on the draft until May 12, 2015.

These requirements are meant to supplement rules under the Federal Information Security Management Act, which governs how federal agencies (and contractors, on their behalf) manage their own data in their own information systems, according to NIST fellow Ron Ross.

The new guidance aims to cover situations not explicitly mentioned in FISMA — for instance, when state and local governments, colleges and universities, or private organizations happen to receive federal CUI data through a contract or an agreement.

Keep reading this article at: http://www.nextgov.com/big-data/2015/04/nist-refining-rules-non-federal-groups-handling-federal-data/109399

Contracting News

Read More

Contracting Tips

Read More

GTPAC News

Read More

Georgia Tech News

Read More