Georgia Tech Procurement Assistance Center


DoD publishes long awaited interim rule on CMMC

October 2, 2020 By Andrew Smith

At long last, the Department of Defense (“DoD”) has provided its interim rule, published in the Federal Register on September 29, 2020, amending the Defense Federal Acquisition Regulation Supplement (“DFARS”) to set forth requirements for the Cybersecurity Maturity Model Certification (“CMMC”) program, as well as new requirements for a “NIST SP 800-171 DoD Assessment Methodology.”  The interim rule is effective November 30, 2020, and comments to the interim rule should be submitted by November 30 as well. 

NIST SP 800-171 DoD Assessment Methodology

For contractors already required to comply with NIST SP 800-171, per DFARS 252.204-7012, DoD now is going to hold those contractors accountable, instituting an assessment and reporting system to verify compliance before new contracts can be awarded.  While the new requirement is for information to be provided prior to contract award, DoD encourages affected contractors to begin their self-assessments immediately.

The Assessment Methodology will include three assessment levels:  (1) Basic, (2) Medium, and (3) High.  The Basic Assessment will be a self-assessment completed by the contractor prior to contract award, while the Medium and High Assessments are available options for DoD to complete after award.  DoD estimates it will conduct 200 Medium Assessments and 110 High Assessments each year.  Additional information regarding DoD assessments is available here.

There is a specific scoring methodology to be followed for the Assessment.  A contractor that has fully implemented all 110 NIST SP 800-171 controls will have a score of “110.”  It goes without saying that contractors will need to be careful here – an inaccurate report could subject a company to exposure under the False Claims Act.

Assessments will be valid for three years unless there are issues requiring a reassessment sooner.  The newly-announced Assessment Methodology appears to be an immediate solution to provide DoD some peace of mind on contractor data security until the CMMC program can be fully implemented.

Continue reading at the Sheppard Mullin GovCon Blog.

Filed Under: Contracting News Tagged With: CMMC, cybersecurity, Cybersecurity Maturity Model Certification, DFARS 252.204-7012

Who pays for CMMC certification?

February 14, 2020 By Andrew Smith

Last week, DOD announced the release of CMMC Version 1.0.  CMMC Version 1.0 is a comprehensive certification process featuring 171 cybersecurity best practices to ensure that contractors secure their information systems.  The question on everyone’s mind is who is going to pay for the certification and all of the work necessary to comply.

DOD has been less than clear on how contractors are expected to pay for CMMC certification. But what is clear is that the costs associated with obtaining CMMC certification will be significant.  It is unclear whether contractors can seek reimbursement for these costs.  They may be able to claim costs as an allowable indirect cost.  We suspect that the cost of certification itself will be covered, but that the greater costs associated with becoming compliant will not be covered as a reimbursable direct cost.

Continue reading at:  Fox Rothschild

Filed Under: Contracting Tips Tagged With: allowable costs, CMMC, cybersecurity, Cybersecurity Maturity Model Certification

The CMMC has arrived: DoD publishes version 1.0 of its new cybersecurity framework

February 14, 2020 By Andrew Smith

On January 31, 2020, the Department of Defense (“DoD”) publicly released Version 1.0 of the Cybersecurity Maturity Model Certification (“CMMC”) framework.  The CMMC is a certification framework developed by DoD that measures a defense contractor’s ability to safeguard Federal Contract Information (“FCI”) and Controlled Unclassified Information (“CUI”) handled in the performance of DoD contracts.  By FY 2026, CMMC certification will be a requirement for any company doing business with DoD, either as a prime contractor or lower-tier subcontractor.  Version 1.0 of the CMMC fills in several gaps from the earlier drafts, which we assess in prior articles.  Additionally, the public briefing that accompanied the release of Version 1.0 included new insights into DoD’s rollout of the CMMC framework.  This alert walks through the CMMC framework, highlights updates from prior drafts, summarizes DoD’s proposed rollout, and provides considerations for companies during CMMC implementation.

Continue reading at:  K&L Gates

Filed Under: Contracting News Tagged With: CMMC, cybersecurity, Cybersecurity Maturity Model Certification

CMMC model 1.0 released: DoD’s unified cybersecurity standard for future acquisitions

February 1, 2020 By Andrew Smith

In a major effort to strengthen the cybersecurity posture of the hundreds of thousands of Defense Industrial Base (DIB) contractors and subcontractors, the Department of Defense yesterday released final Model Version 1.0 of the Cybersecurity Maturity Model Certification (CMMC) framework.

This version replaces previously released versions 0.4, 0.6, and 0.7, which have been made available to the public via the CMMC official website.

Continue reading at:  JD Supra

Filed Under: Contracting News Tagged With: CMMC, cybersecurity, Cybersecurity Maturity Model Certification

Here are the NSA general counsel’s cybersecurity warnings

January 23, 2020 By Andrew Smith

The U.S. government needs to do more to protect itself in cyberspace as adversaries’ technological capabilities rise, according to the departing general counsel of the NSA.

Glenn Gerstell, who is leaving the NSA later this year, said the expanding threat landscape — caused by the combination of nation-state’s capabilities and the onset of technologies such as 5G, artificial intelligence and the internet of things — presented several challenges that the intelligence community must grapple with long after he leaves the agency.

“It is almost impossible to overstate the gap between the rate at which the cybersecurity threat is getting worse relative to our ability to effectively address it,” Gerstell said at an American Bar Association event Jan. 15.

Continue reading at:  Fifth Domain

Filed Under: Contracting Tips Tagged With: CMMC, cybersecurity, Cybersecurity Maturity Model Certification, NSA

Getting Ready for CMMC (Resources and Links)

January 17, 2020 By Andrew Smith

The Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) program will be a new contractual requirement for all DoD contractors.  It will impact the 300,000 firms that make up the defense industrial base.  It will not be a self-attestation model, but rather a third-party certification and compliance model.

In 2020, the DoD plans to finalize the CMMC framework and to start implementation with a select group of acquisitions.

Here are some go-to facts and resources to help you prepare.

You can find the resources and links at:  JD Supra

Filed Under: Contracting Tips Tagged With: CMMC, Cyber Security, cybersecurity, Cybersecurity Maturity Model Certification

Why companies should start preparing for CMMC now

January 17, 2020 By Andrew Smith

It’s a new year — and a new cybersecurity regime for vendors working on defense contracts is coming.

The Defense Department has been steadily working on its new unified standard, the Cybersecurity Maturity Model Certification (CMMC), and is expected to release a final version and a list of accrediting bodies in January.  But while companies shouldn’t wait until things are finalized to prep for certification, many are stuck.

“CMMC is going to be law of the land,” Corbin Evans, the director of regulatory policy for the National Defense Industrial Association, told Defense Systems, yet “folks are a little hesitant to make any major moves.”

Continue reading at:  Defense Systems

Filed Under: Contracting Tips Tagged With: CMMC, cybersecurity, Cybersecurity Maturity Model Certification

Podcast: 2020 will be a busy year for federal procurement

January 17, 2020 By Andrew Smith

Fiscal year 2020, which coincides with calendar year 2020, started off busy on the federal contracting front.  Dan Snyder, the director of government contracts at Bloomberg Government, joined Federal Drive with Tom Temin for a look ahead.

Listen to the podcast at:  Federal News Network

Filed Under: Contracting Tips Tagged With: CMMC, cybersecurity, forecast, GSA Schedule, podcast, procurement forecast, Runway Extension Act, spending

How DoD’s new cybersecurity rules affect government contractors

January 17, 2020 By Andrew Smith

At the end of last year the Department of Defense (DoD) issued six guidance memoranda aimed at assisting acquisition personnel in developing what has been described as “effective cybersecurity strategies to enhance existing protection requirements.”  This included a mandate for the Defense Contract Management Agency to ensure that cybersecurity compliance will be a part of a contractor’s purchasing system audit and approval process.

Among the changes is the new Cybersecurity Maturity Model Certification (CMMC), which will replace the self-attestation model and move towards third party certification.  It will require all defense contractors and subcontractors to undergo a third party assessment of their internal cybersecurity technical practices and process maturity against published standards.

The final version of CMMC is set to be published by the end of January.  The certification will be built on existing requirements such as NIST SP 800-171, NIST SP 800-53, AIA NAS9933, private sector contributions, and input from academia.  An independent accrediting body will soon begin training the auditors.

Continue reading at:  Clearance Jobs

Filed Under: Contracting Tips Tagged With: CMMC, Cyber Security, cybersecurity

2020 and the Department of Defense’s Cybersecurity Maturity Model Certification Program

January 10, 2020 By Andrew Smith

2019 has been a year of pivotal developments for defense contractors in the realm of cybersecurity compliance.  The Department of Defense (DoD) issued six guidance memoranda to assist its acquisition personnel in developing “effective cybersecurity strategies to enhance existing protection requirements,” including a mandate for the Defense Contract Management Agency to include cybersecurity compliance as a part of a contractor’s purchasing system audit and approval.  2019 also saw the first False Claims Act whistleblower litigation related to contractors’ compliance with DoD cybersecurity contracting provisions.

Beyond merely focusing on enforcement of existing compliance obligations, the DoD upped the ante in June 2019 with its announcement of its forthcoming Cybersecurity Maturity Model Certification (CMMC).  CMMC is the next step in the DoD’s efforts to protect the government’s sensitive, unclassified information against data exfiltration, and once it goes into effect CMMC will be a mandatory, third-party certification for all DoD contractors and subcontractors.

While there remain many unanswered questions surrounding the details and implementation of CMMC, the DoD has made clear that CMMC is coming and the defense contracting community must be ready to implement these requirements in order to continue receiving defense contracts, subcontracts and other DoD-funded agreements.

What Will CMMC Require?

As currently drafted, CMMC will require all defense contractors and subcontractors to undergo a third party assessment of their internal cybersecurity technical practices and process maturity against published standards.  This assessment will result in certification at one of five levels – 1 being the lowest and 5 the highest – or no certification.  Each subsequent level is cumulative, meaning a company must meet the requirements of all lower levels to qualify for a higher level of certification.  In addition, an organization must satisfy both the defined practices and process maturity criteria within a given level across all areas of the model to achieve certification at that level (e.g., having a Level 3 assessment on technical practices and Level 2 on process maturity results in an overall Level 2 certification).

The DoD expects contractor CMMC assessments to begin in early June 2020.  CMMC requirements will start appearing in DoD Requests for Information around this same time, and they become mandatory in all DoD solicitations beginning fall 2020.  Once implemented, each DoD solicitation will identify the minimum required CMMC level a company must have to be eligible for that contract award.

On December 6, 2019, the DoD released Version 0.7 of the draft CMMC framework.  This update refines the technical practice requirements for Levels 1-5 and provides further guidance regarding process maturity expectations.  Level 1 identifies 17 basic requirements, mostly consistent with existing general government contractor cybersecurity requirements, while Level 3 aligns with full NIST SP 800-171 Rev 1 compliance.  Levels 4 and 5 require “proactive” and “progressive” cybersecurity programs, respectively, and impose additional practices derived from Draft NIST SP 800-171B and other heightened cyber standards.  These top two levels are expected to be reserved for companies handling information related to critical technologies.

The CMMC model will not be static, however: it will be adapted and revised whenever and however needed as the DoD identifies new threat vectors.  While a company’s certification is generally expected to last for three years, including interim spot checks, model revisions could necessitate earlier reassessment.

Continue reading at:  National Law Review

Filed Under: Contracting Tips Tagged With: CMMC, cybersecurity, Cybersecurity Maturity Model Certification, DoD



Copyright © 2021 · Georgia Tech - Enterprise Innovation Institute