Georgia Tech Procurement Assistance Center

Will defense contractors be ready for CMMC?

By

Defense contractors will face big changes and tight timelines over the next year as the Department of Defense rolls out its new Cybersecurity Maturity Model Certification framework, experts say.

The framework, which aims to certify a company’s compliance with federal cybersecurity regulations around controlled unclassified information (CUI), was announced by DOD officials in June.  It will be used to evaluate and rate contractors’ ability to protect sensitive data on a 1-5 scale starting next year.

The initial version of the framework is scheduled to go public in January 2020.  By June 2020, its requirements will start appearing in requests for information, and will become a regular feature of defense procurement by September 2020.  That means defense contractors will have less than eight months to implement changes for compliance with the Defense Federal Acquisition Regulation Supplement and National Institute of Standards and Technology guidance on protecting CUI.

Continue reading at:  FCW

Cybersecurity: front and center for industry

By

“Deliver Uncompromised,” the “Fourth Pillar of Acquisition” or “Securing the DoD Supply Chain” — no matter what turn of phrase one uses to discuss protecting the defense industrial base and the equipment and support it provides warfighters from cyber threats, this issue stands front and center for the Pentagon and for the people and companies that provide its capabilities.

Experts estimate losses of about $600 billion per year in the transfer of wealth, expertise and trade secrets due to cyber crime.  Adversaries and bad actors specifically target the defense industrial base, using the pilfered data to close capability gaps with the United States, its allies and partners.

The National Defense Strategy and the National Cyber Strategy lay it bare, “Our competitors — including … foreign adversaries such as Russia and China — are also using cyber to try to steal our technology.”  Protecting U.S. advantages demands better government-industry collaboration.  Fortunately, that is happening with the end state an effective, holistic cyber defense.

Despite being the home of cyberspace and the innovative tech giants who used it to transform society and the economy, America — both its government and its traditional industries — has responded slowly to growing and increasingly adaptive cyber threats.  That said, stakeholders now recognize the challenge and have begun responding with concrete actions.  Called out in the series of 2018 strategy documents, the cyber hygiene of U.S. government contractors, especially those in the defense industrial base, will likely soon require third-party cybersecurity certification for contractors to participate in any Defense Department contract.

Continue reading at:  National Defense Magazine 

DOD’s proposed cybersecurity maturity model certification requirements: what we know and how to prepare

By

The final DFARS cybersecurity rule promulgated in 2016, which included the latest changes to the DFARS clause at 252.204-7012, was a significant development for DoD contractors, in part because it mandates compliance with the 110 security controls in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.  DoD has been working with the contracting community since that time with respect to the implementation of the final rule, but has concluded that further compliance steps are needed in the form of cybersecurity certification standards.

The anticipated new cybersecurity certification standards for DoD contractors are quickly taking shape.  Katie Arrington, former South Carolina legislator and current special assistant for Cybersecurity to Assistant Secretary of Defense for Acquisition, recently announced that DoD is partnering with the Carnegie Mellon University Software Engineering Institute and the Johns Hopkins University Applied Physics Laboratory in developing the new certification standard: the Cybersecurity Maturity Model Certification or “CMMC.”  This Alert outlines what has been revealed thus far about the CMMC, how the CMMC will affect DoD contractors, and steps you can take to be ready when the CMMC goes live.

Continue reading at:  Miles & Stockbridge

DoD unveils proposed cybersecurity capability model certification standards

By

Cybersecurity.  It’s never over, is it?  In what can only be described as a “soft” release, the Department of Defense (DoD) has slowly and quietly begun to reveal its intent to provide federal contractors with a formal cybersecurity certification as early as next year.  The program, known as the Cybersecurity Capability Model Certification (CCMC), is an effort to streamline the acquisition process by providing acquiring agencies and consenting contractors with more exacting cybersecurity requirements for forthcoming acquisitions.

Moreover, as announced clearly and repeatedly by the Special Assistant to the Assistant Secretary of Defense for Acquisition and Sustainment for Cyber, Katie Arrington, during events on May 23, 2019, and June 12, 2019, certain cybersecurity costs will be allowable under certain circumstances.  This means that not only is DoD again in the process of facilitating the acquisition of cybersecurity capabilities throughout its entire supply chain, but now the DoD recognizes that it should actually pay for what it requires of contractors.

Continue reading at:  McCarter and English

The cost to comply with DoD’s new cybersecurity requirements to be reimbursable on cost contracts

By

Law360 published an article recently with the title, “DoD Official Says Cyber is an Allowable Contractor Cost.”  The article states that the U.S. Department of Defense (DoD) will allow defense contractors to treat the costs of bringing their cybersecurity programs in line with DoD requirements as an allowable cost and, therefore, reimbursable.  Specifically, at the June 14, 2019 Professional Services Council’s Federal Acquisition Conference, DoD special assistant for cybersecurity Katie Arrington said, “security is an allowable cost.”

Further, Law360 reported that in May, DoD said it was developing a “Cybersecurity Maturity Model Certification” (CMMC) program to build on the Defense Federal Acquisition Regulation Supplement regulation (DFARS § 252.204-7012(b)(2)) that requires defense contractors to implement the security controls in the National Institute of Standards and Technology’s Special Publication (NIST SP) 800-171.  The security controls are intended to protect covered defense information on nonfederal systems.  DoD said the CMMC will require defense contractors to get third-party audits of their compliance with the NIST SP 800-171 controls, down through their supply chains.

Arrington told the conference attendees that the CMMC will be developed by DoD working in conjunction with the Johns Hopkins University Applied Physics Lab and Carnegie Mellon University Software Engineering Institute.  The goal is to develop one unified standard for cybersecurity.  This standard will include five different levels of required cybersecurity protections, from a level one of “basic hygiene,” which will be cheap and straightforward enough that a small business could meet it, to level five for “state-of-the-art” protections.  Arrington said that DoD has planned 12 related industry days across the United States in July and August to work in a collaborative manner with defense contractors to improve cybersecurity practices in the CMMC plan.  Acknowledgments to Daniel Wilson and Law360 for reporting these developments.

Continue reading at:  Taft Stettinius & Hollister LLP

Pentagon to unveil new Cybersecurity Maturity Model Certification (CMMC) for defense contractors

By

The Department of Defense announced that it is developing a new cybersecurity standard and certification for defense contractors.  It is named the “Cybersecurity Maturity Model Certification” (CMMC).

Notably, the intent of the CMMC is to improve cybersecurity deficiencies in the defense industrial base and secure the supply chain.

The CMMC is expected to be based on NIST SP 800-171, as is the current Defense Federal Acquisition Regulation Supplement (DFARS) rule.  Specifically, DFARS Clause 252.204-7012 requires defense contractors handling sensitive, unclassified information to implement the 110 security controls of NIST SP 800-171.

However, the CMMC may incorporate or rely on frameworks in addition to NIST SP 800-171.

According to news reports, the CMMC will serve as the enforcement mechanism lacking in the current DFARS rule.

Although the draft CMMC has not yet been published, it’s been reported that there will be 5 levels of certification.  The levels will range from basic cyber hygiene to “State-of-the-Art.”  DoD contracts will require specific levels — and awards will be “go/no-go” based on the contractor’s certification status.

This is a fundamental change to how defense contracts are awarded today.

Read more at:  JD Supra

Contracting News

Read More

Contracting Tips

Read More

GTPAC News

Read More

Georgia Tech News

Read More