Georgia Tech Procurement Assistance Center

What is CUI – The devil is in the details

By

Controlled unclassified information (CUI) is defined, in part, as “information the government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that a law, regulation, or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.”

Despite this seemingly straightforward definition, identifying CUI has been a challenge for the government and contractors.  This challenge has become particularly evident as the Defense Department implements its interim rule to the Defense Federal Acquisition Regulation Supplement to protect CUI through a mandatory Defense Department assessment methodology and through a slow rollout of its Cybersecurity Maturity Model Certification program.

Continue reading at:  National Defense Magazine

Strict security notification and disclosure requirements for government contractors

By

Businesses that seek to obtain and preserve contracts with the United States government, or to deal in certain enumerated defense articles and services, are subject to strict privacy regulations imposed by the U.S. government.

For those under contract (or subcontract) with the U.S. Department of Defense (DoD), the Defense Federal Acquisition Regulation Supplements (DFARS) place stringent minimum security requirements and reporting obligations that must be met, otherwise a business could face financial penalties or termination of its contract.

Businesses that export and import defense articles or services and related technical data must comply with the International Traffic in Arms Regulations (ITAR), which comprise approval, registration and records maintenance requirements. If a violation of ITAR is voluntarily reported, the penalties imposed by the U.S. Department of State’s Directorate of Defense Trade Controls (DDTC) can be reduced.

Businesses subject to DFARS and ITAR should have a compliance program in place that includes an appropriate response to any security incident.

Keep reading this article at: http://www.mondaq.com/article.asp?articleid=733388

See GTPAC’s video, template and other resources designed to help contractors comply with the DoD/NIST cybersecurity rules at: http://gtpac.org/cybersecurity-training-video/

Be sure to read this reminder about upcoming events

By

The Georgia Tech Procurement Assistance Center (GTPAC) wants to remind you of a series of events coming up in the next few months.

Each event is designed to provide businesses with instruction and information on how to do business with particular elements of the government.  Check them out below:

  • August 30 – Coffee Break with Small Business Specialists – Columbus, GA.  Click here for details.
  • September 6 – Coffee Break with Small Business Specialists – Albany, GA.  Click here for details.
  • September 26 – National PTAC Day, including a free instructional webinar.  Click here for details.
  • October 18 – NIST Controlled Unclassified Information (CUI) webinar.  Click here for details.
  • November 1 – Warner Robins Air Force Base Civil Engineering Industry Day. Warner Robins, GA.  Click here for details.
  • November 30 – University System of Georgia’s annual procurement expo, Georgia State Univerity-Clarkston Campus  Click here for details.

And, finally, GTPAC also wants to remind of all of our own seminars and webinars.  They are free, and the complete list is available here: https://gtpac.ecenterdirect.com/events.

 

Chinese government hackers steal massive amounts of data from Navy contractor computers

By

Chinese government hackers have stolen large swaths of highly sensitive data on undersea warfare from a Navy contractor’s computers, The Washington Post reports.

The stolen information includes secret plans to develop a supersonic anti-ship missile to be used by submarines by 2020, American officials told the Post.

The incidents took place in January and February, but officials did not disclose the contractor that was targeted, the newspaper reported Friday.

Although the information was highly sensitive, it was housed on the contractor’s unclassified network, according to the Post.

“Per federal regulations, there are measures in place that require companies to notify the government when a ‘cyber incident’ has occurred that has actual or potential adverse effects on their networks that contain controlled unclassified information,” Navy Lt. Marycate Walsh said in a statement. “It would be inappropriate to discuss further details at this time.”

Keep reading this article at: http://wtkr.com/2018/06/08/wapo-chinese-government-hackers-steal-massive-amounts-of-data-from-navy-contractor-computers/

Deadlines approach for government contractors on cybersecurity compliance

By

Government contractors are subject to cybersecurity requirements, found in the Federal Acquisition Regulation (FAR) and each agency’s supplement to the FAR, and some important deadlines are fast approaching. Set forth below is a high-level overview of cybersecurity requirements found in the FAR and the Department of Defense (DoD) FAR Supplement (DFARS).

The FAR requires government contractors that handle “federal contract information” to comply with 15 requirements for safeguarding that information. These requirements are similar to certain requirements found in NIST SP 800-171.

Under the FAR, “federal contract information” is defined as:

information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public Web sites) or simple transactional information, such as necessary to process payments.

This is a broad category of information, and some commentators have suggested that it would apply to “virtually all” federal contracts.

Keep reading this article at: https://www.jdsupra.com/legalnews/deadlines-approach-for-government-74231/

Reminder: DoD contractors required to meet cybersecurity requirements by year-end

By

The window for Department of Defense (DoD) contractors to bring themselves into compliance with cybersecurity requirements is closing.

Specifically, changes to the Defense Federal Acquisition Regulation Supplement (DFARS) published in late 2016 require that DoD contractors and subcontractors provide “adequate security” on “covered information systems.”  The new rule also imposes reporting requirements for cyber incidents.  Failure to comply with these requirements could result in loss of government contracting opportunities and civil and criminal liability for responsible companies and individuals.

Background

On October 21, 2016, DoD published a final rule significantly expanding the obligations of private industry with respect to cybersecurity on contractor information systems that host certain government and other sensitive data. 81 Fed. Reg. 72986 (Oct. 16, 2016).  Specifically, the new rule amends the contract clause at DFARS 252.204-7012, which addresses “Safeguarding Covered Defense Information and Cyber Incident Reporting.” According to DoD, “[t]he objectives of the rule are to improve information security for DoD information stored on or transiting contractor information systems as well as in a cloud environment.”  

The amended DFARS clause imposes a critical and fast-approaching compliance deadline for DoD contractors and subcontractors to implement specific security measures on their “covered systems” by December 31, 2017.

The new contract clause at DFARS 252.204-7012 mandates that DoD contractors and their subcontractors “provide adequate security” on all “covered contractor information systems.”

Keep reading this article at: http://www.jdsupra.com/legalnews/alert-dod-contractors-required-to-meet-65186/

New DHS acquisition rules proposal could disrupt contracts, hurt small business

By

President Donald Trump celebrated a new executive order designed to eliminate regulations on small businesses. But a series of new acquisition rules proposed weeks ago by the Department of Homeland Security (DHS) have Federal contracting experts worried about future governmentwide disruptions and a decrease in competition.

DHS’s Office of the Chief Procurement Officer on Jan. 18 issued three proposed rules that would require privacy training and security awareness training for contractors, and would add five new categories of Controlled Unclassified Information (CUI)—unclassified information that is still sensitive—that contractors will need to secure and manage.

DHS’s proposed regulations are troubling to some Federal contracting experts because they disrupt the governmentwide standards that took years to set up, and may impose costs on small businesses that make it impossible for them to compete for DHS contracts.

Alan Chvotkin, executive vice president and counsel for the Professional Services Council (PSC), said the new CUI categories “don’t square” with the governmentwide rule that took six years to create.

Keep reading this article at: https://www.meritalk.com/articles/new-dhs-acquisition-rules-proposal-could-disrupt-contracts-hurt-small-business/

Final rule beefs up mandates for contractor information systems security

By

Federal RegisterA new final rule four years in the making will amend the Federal Acquisition Regulations, or FAR, with new sections on the basic safeguarding of contractor information systems.

The rule, published on May 16, 2016 in the Federal Register and issued by the Defense Department, General Services Administration and NASA, will add a subpart and contract clause on contractor systems that process, store or transmit federal contract information, and calls on contractors to apply a minimum of 15 security control requirements.

This type of information is not intended for public release and excludes information that the government provides to the public or that is related to processing payments.

The focus of the rule is on a basic level of safeguarding, and contractors still have to comply with safeguarding requirements for protecting controlled unclassified information, or CUI. “Systems that contain classified information, or CUI, such as personally identifiable information, require more than the basic level of protection,” the rule stated.

Keep reading this article at: http://www.fiercegovernmentit.com/story/final-rule-beefs-mandates-contractor-information-systems-security/2016-05-17

Actions foreshadow uniform cybersecurity regulations for federal contractors

By

Two recent Executive Agency actions lay the groundwork for a FAR cybersecurity clause in 2016.

  • Government contractors should expect an amendment to the Federal Acquisition Regulation in 2016 that mandates cybersecurity clauses and standards.
  • Companies can prepare now by comparing new government standards to their existing system protections.
  • As part of this process, companies should not just be reviewing the capabilities of their information systems, but also their written information assurance policies, training materials, and employment and third-party agreements.

cyber securityFederal government contractors handling Controlled Unclassified Information (CUI) should take notice of two recent executive agency actions. Combined, they lay the groundwork for a new cybersecurity clause to be added to the Federal Acquisition Regulation (FAR) in 2016.

Keep reading this article at: http://www.jdsupra.com/legalnews/actions-foreshadow-uniform-45314/

For more information on this topic, see: www.gtpac.org/tag/controlled-unclassified-information

NIST issues guidance on contractor cybersecurity standards for controlled unclassified information

By

On June 19, 2015, the National Institute of Standards and Technology (“NIST”) published the final version of guidance for federal agencies to ensure sensitive information remains confidential when stored outside of federal systems.

NIST Pub 800-171The guidelines, Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, apply to nonfederal information systems and organizations that process, store, or transmit federal controlled unclassified information (CUI) and match the guidelines published for public comment last fall.

The new guidance is step two in a three-part plan with the National Archives and Records Administration (NARA) to ensure the confidentiality of sensitive federal information no matter where it is stored.  As data breaches continue to make near-daily news, federal contractors not using the “recommendations” laid out in SP 800-171 would be wise to take another look, as they contain, more than ever, the Government’s express expectations of how it wants its information protected.

Keep reading this article at: http://www.mondaq.com/article.asp?articleid=408096

Contracting News

Read More

Contracting Tips

Read More

GTPAC News

Read More

Georgia Tech News

Read More