Georgia Tech Procurement Assistance Center

What is CUI – The devil is in the details

April 7, 2021 By Andrew Smith

Controlled unclassified information (CUI) is defined, in part, as “information the government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that a law, regulation, or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.”

Despite this seemingly straightforward definition, identifying CUI has been a challenge for the government and contractors.  This challenge has become particularly evident as the Defense Department implements its interim rule to the Defense Federal Acquisition Regulation Supplement to protect CUI through a mandatory Defense Department assessment methodology and through a slow rollout of its Cybersecurity Maturity Model Certification program.

Continue reading at:  National Defense Magazine

Filed Under: Contracting Tips Tagged With: CMMC, CUI, cybersecurity, Cybersecurity Maturity Model Certification

Strict security notification and disclosure requirements for government contractors

September 25, 2018 By Andrew Smith

Businesses that seek to obtain and preserve contracts with the United States government, or to deal in certain enumerated defense articles and services, are subject to strict privacy regulations imposed by the U.S. government.

For those under contract (or subcontract) with the U.S. Department of Defense (DoD), the Defense Federal Acquisition Regulation Supplements (DFARS) place stringent minimum security requirements and reporting obligations that must be met, otherwise a business could face financial penalties or termination of its contract.

Businesses that export and import defense articles or services and related technical data must comply with the International Traffic in Arms Regulations (ITAR), which comprise approval, registration and records maintenance requirements. If a violation of ITAR is voluntarily reported, the penalties imposed by the U.S. Department of State’s Directorate of Defense Trade Controls (DDTC) can be reduced.

Businesses subject to DFARS and ITAR should have a compliance program in place that includes an appropriate response to any security incident.

Keep reading this article at: http://www.mondaq.com/article.asp?articleid=733388

See GTPAC’s video, template and other resources designed to help contractors comply with the DoD/NIST cybersecurity rules at: http://gtpac.org/cybersecurity-training-video/

Filed Under: Contracting Tips Tagged With: controlled unclassified information, CUI, cybersecurity, DFARS, DoD, federal regulations, ITAR, NIST, NIST 800-171

Be sure to read this reminder about upcoming events

August 21, 2018 By Andrew Smith

The Georgia Tech Procurement Assistance Center (GTPAC) wants to remind you of a series of events coming up in the next few months.

Each event is designed to provide businesses with instruction and information on how to do business with particular elements of the government.  Check them out below:

  • August 30 – Coffee Break with Small Business Specialists – Columbus, GA.  Click here for details.
  • September 6 – Coffee Break with Small Business Specialists – Albany, GA.  Click here for details.
  • September 26 – National PTAC Day, including a free instructional webinar.  Click here for details.
  • October 18 – NIST Controlled Unclassified Information (CUI) webinar.  Click here for details.
  • November 1 – Warner Robins Air Force Base Civil Engineering Industry Day. Warner Robins, GA.  Click here for details.
  • November 30 – University System of Georgia’s annual procurement expo, Georgia State University-Clarkston Campus.  Click here for details.

And, finally, GTPAC also wants to remind you of all of our own seminars and webinars.  They are free, and the complete list is available here: https://gtpac.ecenterdirect.com/events.

Filed Under: GTPAC News Tagged With: #PTACDay, CUI, Georgia Tech, government contract training, GTPAC, National PTAC Day, NIST, outreach, UGA, WRAFB

Chinese government hackers steal massive amounts of data from Navy contractor computers

June 12, 2018 By Andrew Smith

Chinese government hackers have stolen large swaths of highly sensitive data on undersea warfare from a Navy contractor’s computers, The Washington Post reports.

The stolen information includes secret plans to develop a supersonic anti-ship missile to be used by submarines by 2020, American officials told the Post.

The incidents took place in January and February, but officials did not disclose the contractor that was targeted, the newspaper reported Friday.

Although the information was highly sensitive, it was housed on the contractor’s unclassified network, according to the Post.

“Per federal regulations, there are measures in place that require companies to notify the government when a ‘cyber incident’ has occurred that has actual or potential adverse effects on their networks that contain controlled unclassified information,” Navy Lt. Marycate Walsh said in a statement. “It would be inappropriate to discuss further details at this time.”

Keep reading this article at: http://wtkr.com/2018/06/08/wapo-chinese-government-hackers-steal-massive-amounts-of-data-from-navy-contractor-computers/

Filed Under: Contracting News Tagged With: controlled unclassified information, CUI, cyber, cyber incident, cyber incidents, cyberattack, FBI, hack, hackers, investigation, Navy, network services, unclassified information, undersea warfare

Deadlines approach for government contractors on cybersecurity compliance

October 27, 2017 By Andrew Smith

Government contractors are subject to cybersecurity requirements, found in the Federal Acquisition Regulation (FAR) and each agency’s supplement to the FAR, and some important deadlines are fast approaching. Set forth below is a high-level overview of cybersecurity requirements found in the FAR and the Department of Defense (DoD) FAR Supplement (DFARS).

The FAR requires government contractors that handle “federal contract information” to comply with 15 requirements for safeguarding that information. These requirements are similar to certain requirements found in NIST SP 800-171.

Under the FAR, “federal contract information” is defined as:

information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public Web sites) or simple transactional information, such as necessary to process payments.

This is a broad category of information, and some commentators have suggested that it would apply to “virtually all” federal contracts.

Keep reading this article at: https://www.jdsupra.com/legalnews/deadlines-approach-for-government-74231/

Filed Under: Contracting Tips Tagged With: contract clauses, controlled unclassified information, CUI, cyber, cyber incidents, cybersecurity, DFARS, DoD, False Claims Act, FAR, FCI, flow down clause, NIST

Reminder: DoD contractors required to meet cybersecurity requirements by year-end

October 12, 2017 By Andrew Smith

The window for Department of Defense (DoD) contractors to bring themselves into compliance with cybersecurity requirements is closing.

Specifically, changes to the Defense Federal Acquisition Regulation Supplement (DFARS) published in late 2016 require that DoD contractors and subcontractors provide “adequate security” on “covered information systems.”  The new rule also imposes reporting requirements for cyber incidents.  Failure to comply with these requirements could result in loss of government contracting opportunities and civil and criminal liability for responsible companies and individuals.

Background

On October 21, 2016, DoD published a final rule significantly expanding the obligations of private industry with respect to cybersecurity on contractor information systems that host certain government and other sensitive data. 81 Fed. Reg. 72986 (Oct. 16, 2016).  Specifically, the new rule amends the contract clause at DFARS 252.204-7012, which addresses “Safeguarding Covered Defense Information and Cyber Incident Reporting.” According to DoD, “[t]he objectives of the rule are to improve information security for DoD information stored on or transiting contractor information systems as well as in a cloud environment.”  

The amended DFARS clause imposes a critical and fast-approaching compliance deadline for DoD contractors and subcontractors to implement specific security measures on their “covered systems” by December 31, 2017.

The new contract clause at DFARS 252.204-7012 mandates that DoD contractors and their subcontractors “provide adequate security” on all “covered contractor information systems.”

Keep reading this article at: http://www.jdsupra.com/legalnews/alert-dod-contractors-required-to-meet-65186/

Filed Under: Contracting News Tagged With: controlled unclassified information, CUI, cyber, cyber incidents, cybersecurity, DFARS, DoD, NIST

New DHS acquisition rules proposal could disrupt contracts, hurt small business

February 13, 2017 By Andrew Smith

President Donald Trump celebrated a new executive order designed to eliminate regulations on small businesses. But a series of new acquisition rules proposed weeks ago by the Department of Homeland Security (DHS) have Federal contracting experts worried about future governmentwide disruptions and a decrease in competition.

DHS’s Office of the Chief Procurement Officer on Jan. 18 issued three proposed rules that would require privacy training and security awareness training for contractors, and would add five new categories of Controlled Unclassified Information (CUI)—unclassified information that is still sensitive—that contractors will need to secure and manage.

DHS’s proposed regulations are troubling to some Federal contracting experts because they disrupt the governmentwide standards that took years to set up, and may impose costs on small businesses that make it impossible for them to compete for DHS contracts.

Alan Chvotkin, executive vice president and counsel for the Professional Services Council (PSC), said the new CUI categories “don’t square” with the governmentwide rule that took six years to create.

Keep reading this article at: https://www.meritalk.com/articles/new-dhs-acquisition-rules-proposal-could-disrupt-contracts-hurt-small-business/

Filed Under: Contracting News Tagged With: competition, controlled unclassified information, CUI, cyber, cybersecurity, DHS, Executive Order, federal regulations, government regulations, IT, PSC, small business

Final rule beefs up mandates for contractor information systems security

May 24, 2016 By Andrew Smith

A new final rule four years in the making will amend the Federal Acquisition Regulations, or FAR, with new sections on the basic safeguarding of contractor information systems.

The rule, published on May 16, 2016 in the Federal Register and issued by the Defense Department, General Services Administration and NASA, will add a subpart and contract clause on contractor systems that process, store or transmit federal contract information, and calls on contractors to apply a minimum of 15 security control requirements.

This type of information is not intended for public release and excludes information that the government provides to the public or that is related to processing payments.

The focus of the rule is on a basic level of safeguarding, and contractors still have to comply with safeguarding requirements for protecting controlled unclassified information, or CUI. “Systems that contain classified information, or CUI, such as personally identifiable information, require more than the basic level of protection,” the rule stated.

Keep reading this article at: http://www.fiercegovernmentit.com/story/final-rule-beefs-mandates-contractor-information-systems-security/2016-05-17

Filed Under: Contracting News Tagged With: classified information, contractor information system, controlled unclassified information, CUI, cybersecurity, data security, FAR, Federal Register, IT, safeguarding information, security, security control, technology

Actions foreshadow uniform cybersecurity regulations for federal contractors

July 24, 2015 By Andrew Smith

Two recent Executive Agency actions lay the groundwork for a FAR cybersecurity clause in 2016.

  • Government contractors should expect an amendment to the Federal Acquisition Regulation in 2016 that mandates cybersecurity clauses and standards.
  • Companies can prepare now by comparing new government standards to their existing system protections.
  • As part of this process, companies should not just be reviewing the capabilities of their information systems, but also their written information assurance policies, training materials, and employment and third-party agreements.

Federal government contractors handling Controlled Unclassified Information (CUI) should take notice of two recent executive agency actions. Combined, they lay the groundwork for a new cybersecurity clause to be added to the Federal Acquisition Regulation (FAR) in 2016.

Keep reading this article at: http://www.jdsupra.com/legalnews/actions-foreshadow-uniform-45314/

For more information on this topic, see: www.gtpac.org/tag/controlled-unclassified-information

Filed Under: Contracting News Tagged With: controlled unclassified information, CUI, cybersecurity, data security, FAR, NIST 800-171

NIST issues guidance on contractor cybersecurity standards for controlled unclassified information

July 7, 2015 By Andrew Smith

On June 19, 2015, the National Institute of Standards and Technology (“NIST”) published the final version of guidance for federal agencies to ensure sensitive information remains confidential when stored outside of federal systems.

The guidelines, Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, apply to nonfederal information systems and organizations that process, store, or transmit federal controlled unclassified information (CUI) and match the guidelines published for public comment last fall.

The new guidance is step two in a three-part plan with the National Archives and Records Administration (NARA) to ensure the confidentiality of sensitive federal information no matter where it is stored.  As data breaches continue to make near-daily news, federal contractors not using the “recommendations” laid out in SP 800-171 would be wise to take another look, as they contain, more than ever, the Government’s express expectations of how it wants its information protected.

Keep reading this article at: http://www.mondaq.com/article.asp?articleid=408096

Filed Under: Contracting News Tagged With: controlled unclassified information, CUI, cybersecurity, federal regulations, NIST


Copyright © 2022 · Georgia Tech - Enterprise Innovation Institute