Georgia Tech Procurement Assistance Center

DoD and other agencies seek to enhance contractors’ cyber and supply chain security

By

The Department of Defense (DoD) and its component services and agencies are taking several independent steps to assess and enhance their cyber and supply chain security that will directly or indirectly affect DoD contractors and subcontractors.

Other federal agencies, including the Department of Homeland Security (DHS), Commerce, and General Services Administration (GSA), are also considering or implementing measures to enhance cyber and supply chain security that will directly or indirectly affect government contractors and their supply chains.

These initiatives will intensify scrutiny of government contractors and subcontractors, increase their cyber and supply chain security compliance requirements, and affect their ability to compete for, and win, government contracts. This article summarizes these initiatives and states our view that, despite the proposal and likely adoption of a comprehensive new Federal Acquisition Regulation (FAR) cybersecurity clause next year, federal government contractors and subcontractors are likely to face multiple, overlapping, and possibly conflicting cybersecurity and supply chain requirements for some time to come.

Keep reading this article at: http://www.mondaq.com/article.asp?articleid=767144

See GTPAC’s video, template and other resources designed to help contractors comply with the DoD/NIST cybersecurity rules at: http://gtpac.org/cybersecurity-training-video/

Contractors are a bull’s-eye for hackers

By

The U.S. defense industrial supply chain is vast, complex and vulnerable. Organic components, large-scale integrators, myriad commercial service providers, and tens of thousands of private companies sustain the Defense Department. According to the SANS Institute, the percentage of cyber breaches that originate in the supply chain could be as high as 80 percent.

Some progress has undoubtedly been made with regard to securing the supply chain. The Defense Federal Acquisition Regulation Supplement (DFARS) NIST SP 800-171 supply chain program, for instance, introduced 109 stringent requirements for Defense Department suppliers dealing with sensitive government data—53 related to technology and 56 related to security policy.

But while DFARS applies to all contractors and suppliers regardless of size, it has not yet been fully implemented and it is not bulletproof.  Still, it is a big step toward securing the supply chain at all levels.

Keep reading this article at: https://www.afcea.org/content/contractors-are-bulls-eye-hackers

See GTPAC’s video, template and other resources designed to help contractors comply with the DoD/NIST cybersecurity rules at: http://gtpac.org/cybersecurity-training-video/

Pentagon considers cybersecurity certification for its contractors

By

In cybersecurity, you’re only as strong as your weakest link.

For the Defense Department, the area with the fewest cyber protections are the defense contractors the department works with, particularly the small businesses that don’t have the expertise or resources to build a robust security posture.

The Pentagon put together a task force to assess whether small businesses within the defense industrial base are complying with the cybersecurity framework published by the National Institute of Standards and Technology and provide assistance to companies that need help.

The department issued a new rule last year requiring vendors to show that they are in compliance with NIST standards or have a plan to get there quickly. Those plans were due Jan. 1.

Keep reading this article at: https://www.nextgov.com/cybersecurity/2018/12/pentagon-considers-cybersecurity-certification-its-contractors/153330/

See GTPAC’s video, template and other resources designed to help contractors comply with the DoD/NIST cybersecurity rules at: http://gtpac.org/cybersecurity-training-video/

DoD issues final guidance for assessing contractor compliance with NIST SP 800-171

By

The Department of Defense (DoD) recently issued final guidance for requiring activities to assess contractors’ System Security Plans (SSPs) and their implementation of the security controls in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.

A draft of this guidance was made available for public comment in April 2018.  As noted in an earlier post on the draft guidance, DoD’s proposed approach raised significant questions as to what role offerors’ implementation of the security controls in NIST SP 800-171 would play in bid protests, contract performance, and post award audits.  In the memorandum accompanying the final guidance documents, DoD notes that it has incorporated comments it received from the public into the final guidance.  As discussed below, although the DoD has addressed some of the issues raised by the April draft, the final guidance adds some additional concerns and ambiguities.

The final guidance consists of two documents.  The first document is “Guidance for Assessing Compliance of and Enhancing Protections for a Contractor’s Internal Unclassified Information System,” which provides direction to requiring activities for including evaluation criteria in solicitations and in contracts for assessing contractor compliance with NIST SP 800-171.  The second document is “DoD Guidance for Reviewing System Security Plans and the NIST SP 800-171 Security Requirements Not Yet Implemented,” which addresses how DoD should assess the impact and risk of NIST SP 800-171 security controls that a contractor has not yet implemented.

Keep reading this article at: https://www.insidegovernmentcontracts.com/2018/11/dod-issues-final-guidance-for-assessing-contractor-compliance-with-nist-sp-800-171/

See GTPAC’s video, template and other resources designed to help contractors comply with the DoD/NIST cybersecurity rules at: http://gtpac.org/cybersecurity-training-video/

GSA proposes new cybersecurity reporting rules for contractors

By

The General Services Administration (GSA) is proposing new rules shaping how contractors protect government information on the IT systems they manage.

Tucked in a Friday Federal Register post detailing the Unified Agenda of Federal Regulatory and Deregulatory Actions, two proposed rules — GSAR Case 2016-G511 and 2016-G515 — call for amending the General Services Administration Acquisition Regulation to include requirements for contractors to safeguard GSA information in a solicitation’s statement of work, as well as the procedures for they inform the agency of a potential breach.

GSAR Case 2016-G511 allows contracting officers to implement agency cyber requirements and standards into each solicitation, providing a centralized cybersecurity guidance across the enterprise for contractors to adhere to.

Keep reading this article at: https://www.fedscoop.com/gsa-proposes-2-new-cybersecurity-reporting-rules-contractors/

Resources for complying with DoD’s current contractor cybersecurity rules may be found here: https://gtpac.org/cybersecurity-training-video/

Revisions coming for NIST’s data protection guide, will address ‘advanced’ cyber threats

By

The National Institute of Standards and Technology (NIST) is planning to issue a draft second revision to its guidelines for controlled unclassified information handled by the Defense Department and government contractors, in order to better address “advanced persistent threats,” according to a key NIST official.

The upcoming draft revisions are based on recent assessments that information critical for national security requires “enhanced” protections, the NIST official said at a public meeting updating industry and government officials on the data requirements at NIST headquarters on Oct. 18, 2018.

NIST’s Ron Ross said a draft revision to NIST guideline 800-171 would be issued before the end of the year for public comment. The revisions are “just in the planning stages this week” and a formal announcement will be issued soon. Ross said the enhanced requirements would be proposed for comment as an appendix to the overall document to offer additional protections beyond “basic” controls outlined in chapter three of the guidelines.

The NIST guidelines are the basis for Defense Federal Acquisition Regulation Supplement, or DFARS, for cybersecurity risks issued in 2017 and still being implemented by DOD.

Keep reading this article at: https://insidedefense.com/insider/nist-official-revisions-coming-data-protection-guide-will-address-advanced-cyber-threats

See GTPAC’s video, template and other resources designed to help contractors comply with the DoD/NIST cybersecurity rules at: http://gtpac.org/cybersecurity-training-video/

Cybersecurity compliance: A key to future DoD contract awards

By

In a recent address at the Air Force Association’s Air, Space & Cyber Conference, Deputy Secretary of Defense Patrick Shanahan emphasized that cybersecurity will become a “critical measurement” for making contract awards as well as a significant consideration in holding a government contractor accountable for its performance.

Shanahan noted that while DoD acquisitions currently focus on three critical measurements—quality, cost and schedule—cybersecurity is “probably going to be what we call the . . . fourth critical measurement.” The DoD is “going to work with [its] industrial partners to help them be as accountable for security as they are for quality.”

Shanahan also noted that adequate cybersecurity protection is part of the standard baseline of government contracting security—it is not an optional feature. He commented, “And it shouldn’t be that being secure comes with a big bill. It’s just like we wouldn’t pay extra for quality.” Consequently, government contractors should recognize that the government “shouldn’t pay extra for security,” he added. Rather, “security is the standard. It’s the expectation. It’s not something that’s above and beyond what we’ve done before.”

Keep reading this article at: http://www.mondaq.com/article.asp?articleid=742094

See GTPAC’s video, template and other resources designed to help contractors comply with the DoD/NIST cybersecurity rules at: http://gtpac.org/cybersecurity-training-video/

Security assessments soon may be part of DoD government contracts acquisition process

By

Identifying threats and improving network and supply chain security has been an ongoing effort by Congress and the Department of Defense (DoD) for the past several years.

Congress has included multiple provisions in the annual National Defense Authorization Acts to spur action by the DoD to address weaknesses in contractor supply chains for electronic parts and vulnerabilities to cyber threats in contractor information technology systems. In turn, the DoD has amended the Defense Federal Acquisition Regulation Supplement (DFARS) to impose new performance requirements on contractors and subcontractors in DoD procurement contracts. This cascading effort of turning policy into contract performance has been steady but slow and of questionable efficacy.

A new initiative under consideration by the DoD could change that. In June testimony to Congress, the DoD said it has started a new initiative known as “Deliver Uncompromised” to “elevate the private sector’s focus on security.” The DoD’s goal is to establish security as a “fourth pillar” in acquisition, “on par with cost, schedule and performance.” The hope is to create incentives for industry to “embrace security, not as a ‘cost center,’ but as a key differentiator” in competitions for procurement contracts.

In August 2018, the nonprofit group Mitre Corporation (Mitre) released a report called “Deliver Uncompromised,” which describes how the DoD and the intelligence community face daily strategic attacks from foreign adversaries in the supply chain domain (e.g., software, hardware, and services) and cyber domain (e.g., informational technology and cyber-physical such as weapons systems). Mitre’s report calls for a unified focus of resources from both the DoD and government contractors to prioritize risk mitigation through enhanced infrastructure and better coordination.

While the DoD cannot require private companies to invest in specific security measures, the Mitre report recommends that the DoD use its purchasing power and regulatory authority to influence and shape the conduct of the DoD suppliers. For example, the DoD may begin defining procurement requirements with new security measures, or rewarding contractor proposals with superior security measures by elevating security as a primary metric for evaluation during the source selection process. The DoD could also include terms and conditions in its contracts that impose security requirements, and then use those contractual terms post-award to monitor contractor compliance.

Keep reading this article at: http://www.mondaq.com/article.asp?articleid=737662

GTPAC has created a video and a template to help businesses comply with DoD’s cybersecurity requirements.  These resources appear at: http://gtpac.org/cybersecurity-training-video/

Here’s a description of information security requirements for federal contractors

By

The federal government is requiring federal contractors to implement specific guidance in the form of NIST 800-171 in an effort to curb the trend of federal government data being exposed on contractor networks. This disturbing trend has occurred for a few reasons.

First, federal contracts often require the use of contractor-owned information systems to process federal information. These information systems historically do not meet the government’s requirements and, as a result, have led to information being exfiltrated by nation-state attackers.

An example of this lack of security in contractor information systems became known in May 2017 when federal contractor Booz Allen Hamilton left unencrypted Pentagon files on a publically accessible Amazon server. This resulted in 60,000 sensitive files — plenty of which referred to the U.S. National Geospatial-Intelligence Agency (NGA) — being exposed on the internet for anyone to access.

Keep reading this article at: https://www.forbes.com/sites/forbestechcouncil/2018/09/04/information-security-requirements-for-u-s-federal-contractors/#3daa7183451b

See GTPAC’s video, template and other resources designed to help contractors comply with the DoD/NIST cybersecurity rules at: http://gtpac.org/cybersecurity-training-video/

Pentagon cyber shortfalls leave data at risk, key senators warn

By

The Pentagon isn’t taking strong enough action to ensure that defense contractors are protecting highly technical but unclassified information from hacking, according to the top lawmakers on the Senate Armed Services Committee.

The Senate panel “has gathered information that suggests DoD is simply not doing enough to protect controlled, unclassified information,” the lawmakers, including ailing Republican Chairman John McCain and Jack Reed, the panel’s top Democrat, wrote to Defense Secretary Jim Mattis in a previously undisclosed letter obtained by Bloomberg News.

“We are concerned with existing regulations and best practices” not being followed in matters such as contracts lacking appropriate cybersecurity clauses, computer networks operating without multifactor authentication for access, strong remote user policies and “insufficient third-party verification of compliance with cybersecurity standards,” the lawmakers wrote last month.

The vulnerability of U.S. systems to hacking has been highlighted in recent years by incidents including attacks on banks and energy infrastructure, as well as efforts to infiltrate state election systems in 2016 and this year. Earlier this year, five pipeline operators in the U.S. said their third-party electronic communications systems were shut down by hackers. The U.S. says the biggest foreign hacking threats come from Russia, China and Iran.

Keep reading this article at: https://www.bloomberg.com/news/articles/2018-08-23/pentagon-cyber-shortfalls-leave-data-at-risk-key-senators-warn

The Georgia Tech Procurement Assistance Center (GTPAC) has produced a video, template and other resources designed to help contractors comply with the DoD/NIST cybersecurity rules.  These resources are available  at: http://gtpac.org/cybersecurity-training-video/

Contracting News

Read More

Contracting Tips

Read More

GTPAC News

Read More

Georgia Tech News

Read More