Georgia Tech Procurement Assistance Center

Getting Ready for CMMC (Resources and Links)

By

The Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) program will be a new contractual requirement for all DoD contractors.  It will impact the 300,000 firms that make up the defense industrial base.  It will not be a self-attestation model, but rather a third-party certification and compliance model.

In 2020, the DoD plans to finalize the CMMC framework and to start implementation with a select group of acquisitions.

Here are some go-to facts and resources to help you prepare.

You can find the resources and links at:  JD Supra

Recent cases indicate viability of False Claims Act liability connected to federal cybersecurity standards

By

Government contractors are no strangers to the numerous quality standards and assurances required by the government.  Over the past several years, cybersecurity in federal contracting has emerged as yet another standard to achieve.  While data breaches are big news in the private sector, the issue remained somewhat under the radar for public contracts — until now.

Last summer, two significant whistleblower cases sent ripples through the False Claims Act (FCA) community by demonstrating the specter of FCA liability resulting from the failure to comply with cybersecurity requirements in government contracts.  In May, the U.S. District Court for the Eastern District of California refused to dismiss a case alleging that Aerojet Rocketdyne Holdings Inc. falsely asserted its compliance with the Department of Defense’s (DOD) cybersecurity standards.  Then, in late July, the government announced that Cisco Systems Inc. agreed to pay $8.6 million to settle a whistleblower suit alleging that the company fell short of federal cybersecurity standards by selling video surveillance products with known vulnerabilities that hackers could exploit.  These cases show that cybersecurity-based FCA claims may be the new frontier and that such claims may prove difficult to defeat depending on the facts in any given case.

Continue reading at:  Carlton Fields

How DoD’s new cybersecurity rules affect government contractors

By

At the end of the last year the Department of Defense (DoD) issued six guidance memoranda aimed at assisting acquisition personnel in developing what has been described as “effective cybersecurity strategies to enhance existing protection requirements.”  This included a mandate for the Defense Contract Management Agency to ensure that cybersecurity compliance will be a part of a contractor’s purchasing system audit and approval process.

Among the changes is the new Cybersecurity Maturity Model Certification (CMMC), which will replace the self-attestation model and move towards third party certification.  It will require all defense contractors and subcontractors to undergo a third party assessment of their internal cybersecurity technical practices and process maturity against published standards.

The final version of CMMC is set to be published by the end of January.  The certification will be built on existing requirements such as NIST SP 800-171, NIST SP 800-53, AIA NAS9933, private sector contributions, and input from academia.  An independent accrediting body will soon begin training the auditors.

Continue reading at:  Clearance Jobs

Defense contractors: Prepare for CMMC in 2020

By

In 2016, the U.S. Department of Defense (DoD) issued a Defense Federal Acquisition Regulation Supplement (DFARs) intended to better protect defense data and networks.  Beginning in 2017, DoD began issuing a series of memoranda to further enhance protection of defense data and networks via Cybersecurity Maturity Model Certification (CMMC).

In December 2019, the Department of State, Directorate of Defense Trade Controls (DDTC) issued long-awaited guidance in part governing the minimum encryption requirements for storage, transport and/or transmission of controlled but unclassified information (CUI) and technical defense information (TDI) otherwise restricted by ITAR.

The foregoing multi-year effort to protect defense data and national security networks are culminating in 2020  ̶  and government contractors must be prepared to comply or face potentially draconian consequences ranging from disqualification to enforcement.

Continue reading at:  Bradley

Will defense contractors be ready for CMMC?

By

Defense contractors will face big changes and tight timelines over the next year as the Department of Defense rolls out its new Cybersecurity Maturity Model Certification framework, experts say.

The framework, which aims to certify a company’s compliance with federal cybersecurity regulations around controlled unclassified information (CUI), was announced by DOD officials in June.  It will be used to evaluate and rate contractors’ ability to protect sensitive data on a 1-5 scale starting next year.

The initial version of the framework is scheduled to go public in January 2020.  By June 2020, its requirements will start appearing in requests for information, and will become a regular feature of defense procurement by September 2020.  That means defense contractors will have less than eight months to implement changes for compliance with the Defense Federal Acquisition Regulation Supplement and National Institute of Standards and Technology guidance on protecting CUI.

Continue reading at:  FCW

The cost to comply with DoD’s new cybersecurity requirements to be reimbursable on cost contracts

By

Law360 published an article recently with the title, “DoD Official Says Cyber is an Allowable Contractor Cost.”  The article states that the U.S. Department of Defense (DoD) will allow defense contractors to treat the costs of bringing their cybersecurity programs in line with DoD requirements as an allowable cost and, therefore, reimbursable.  Specifically, at the June 14, 2019 Professional Services Council’s Federal Acquisition Conference, DoD special assistant for cybersecurity Katie Arrington said, “security is an allowable cost.”

Further, Law360 reported that in May, DoD said it was developing a “Cybersecurity Maturity Model Certification” (CMMC) program to build on the Defense Federal Acquisition Regulation Supplement regulation (DFARS § 252.204-7012(b)(2)) that requires defense contractors to implement the security controls in the National Institute of Standards and Technology’s Special Publication (NIST SP) 800-171.  The security controls are intended to protect covered defense information on nonfederal systems.  DoD said the CMMC will require defense contractors to get third-party audits of their compliance with the NIST SP 800-171 controls, down through their supply chains.

Arrington told the conference attendees that the CMMC will be developed by DoD working in conjunction with the Johns Hopkins University Applied Physics Lab and Carnegie Mellon University Software Engineering Institute.  The goal is to develop one unified standard for cybersecurity.  This standard will include five different levels of required cybersecurity protections, from a level one of “basic hygiene,” which will be cheap and straightforward enough that a small business could meet it, to level five for “state-of-the-art” protections.  Arrington said that DoD has planned 12 related industry days across the United States in July and August to work in a collaborative manner with defense contractors to improve cybersecurity practices in the CMMC plan.  Acknowledgments to Daniel Wilson and Law360 for reporting these developments.

Continue reading at:  Taft Stettinius & Hollister LLP

Doing business with the U.S. Government in an era of cybersecurity, espionage and executive orders

By

In an era of trade wars, espionage, and executive orders, how can companies who wish to dive into government procurement or are already involved in procurement abide by Federal laws and data security regulations and increase the likelihood of proper procurement?

Recently, the D.C. law firm Sheppard Mullin hosted a podcast discussing various government contracting requirements, including those related to cybersecurity.  Topics discussed include:

What does the legal landscape look like for doing business with the U.S. government?

What various layers of laws apply to government contracting?

When it comes to cybersecurity, what new developments have emerged that affect government contracts?

What type of security controls should contractors implement to protect data?

What are security control “families”?

What security rules are specific to government contractors and why are they important for companies of all types to be familiar with them?

Why is it important to be open to checking where your sensitive data and documenting your plan to protect that data?

The “Plan of Action” the Department of Defense requires.

What is the National Defense Authorization Act and what does it establish?

How has the 2019 Executive Order affected information and telecommunications technologies?

How are the Federal Acquisition Regulations playing a role in the trade war with China?

You can listen to the podcast at:  The Sheppard Mullin website

False Claims Act case based on DoD’s cybersecurity regulations survives motion to dismiss

By

In the summer of 2015, we cautioned that the Department of Defense’s (DoD’s) new cybersecurity regulations could be used offensively to support False Claims Act (FCA) cases and bid protests.  Four years later, those premonitions have unfortunately come true.  Recently, a federal court refused to dismiss a relator’s implied certification FCA case in which he alleged that his employer “misrepresented … to the government the extent to which it had equipment required by the regulations, instituted required security controls, and possessed necessary firewalls” in violation of DoD’s cybersecurity regulations.  United States ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc., No. 2:15-cv-2245, 2019 WL 2024595, *3 (E.D. Cal. May 8, 2019).

By way of background, the False Claims Act imposes civil and potentially criminal liability on anyone who knowingly presents a false or fraudulent claim for payment to the federal Government, or knowingly makes, uses or causes to be made or used, a false record or statement material to a false or fraudulent claim.  31 U.S.C. § 3729(a)(1)(A) & (B).  The FCA permits a private person, known as a relator, to bring a qui tam civil lawsuit in the name of Government against anyone who violates the Act.  Civil remedies can include up to three times the actual damages suffered by the Government as a result of the false claim along with a civil penalty between $5,000 and $10,000 for each violation.  The relator receives a share of any proceeds from the action—generally 15 to 25 percent if the Government intervenes, and 25 to 30 percent if it does not, plus attorneys’ fees and costs.  The FCA also has a lengthy statute of limitations of either six years from when the fraud is committed or three years after the Government knows or should know about the material facts giving rise to the claim, whichever is later, as long as the action is filed within ten years of the alleged fraud.  31 U.S.C. § 3731(b); Cochise Consultancy, Inc. v. United States ex rel. Hunt, 587 U.S. __ (May 13, 2019) (noting “if the Government discovers the fraud on the day it occurred, it would have 6 years to bring suit, but if a relator instead discovers the fraud on the day it occurred and the Government does not discover it, the relator could have as many as 10 years to bring suit”).

Read more at:  Privacy and Data Security Insight

Security assessments soon may be part of DoD government contracts acquisition process

By

Identifying threats and improving network and supply chain security has been an ongoing effort by Congress and the Department of Defense (DoD) for the past several years.

Congress has included multiple provisions in the annual National Defense Authorization Acts to spur action by the DoD to address weaknesses in contractor supply chains for electronic parts and vulnerabilities to cyber threats in contractor information technology systems. In turn, the DoD has amended the Defense Federal Acquisition Regulation Supplement (DFARS) to impose new performance requirements on contractors and subcontractors in DoD procurement contracts. This cascading effort of turning policy into contract performance has been steady but slow and of questionable efficacy.

A new initiative under consideration by the DoD could change that. In June testimony to Congress, the DoD said it has started a new initiative known as “Deliver Uncompromised” to “elevate the private sector’s focus on security.” The DoD’s goal is to establish security as a “fourth pillar” in acquisition, “on par with cost, schedule and performance.” The hope is to create incentives for industry to “embrace security, not as a ‘cost center,’ but as a key differentiator” in competitions for procurement contracts.

In August 2018, the nonprofit group Mitre Corporation (Mitre) released a report called “Deliver Uncompromised,” which describes how the DoD and the intelligence community face daily strategic attacks from foreign adversaries in the supply chain domain (e.g., software, hardware, and services) and cyber domain (e.g., informational technology and cyber-physical such as weapons systems). Mitre’s report calls for a unified focus of resources from both the DoD and government contractors to prioritize risk mitigation through enhanced infrastructure and better coordination.

While the DoD cannot require private companies to invest in specific security measures, the Mitre report recommends that the DoD use its purchasing power and regulatory authority to influence and shape the conduct of the DoD suppliers. For example, the DoD may begin defining procurement requirements with new security measures, or rewarding contractor proposals with superior security measures by elevating security as a primary metric for evaluation during the source selection process. The DoD could also include terms and conditions in its contracts that impose security requirements, and then use those contractual terms post-award to monitor contractor compliance.

Keep reading this article at: http://www.mondaq.com/article.asp?articleid=737662

GTPAC has created a video and a template to help businesses comply with DoD’s cybersecurity requirements.  These resources appear at: http://gtpac.org/cybersecurity-training-video/

Just 5 percent of federal contractors are fully protecting against email spoofing

By

Government contractors still lag far behind on implementing an email security tool that’s now mandatory for government agencies, according to industry data released Thursday.

Among the top 98 government contractors by dollar value, only 45 have properly installed the tool known as DMARC and only five have set it up to quarantine or reject spoofed or phishing emails that might contain malware, according to an analysis by the company ValiMail.

That means 93 of those companies are more vulnerable to phishing and spoofed emails, which might endanger those contractors’ federal clients—even if those agencies have installed DMARC themselves.

Keep reading this article at: https://www.nextgov.com/cybersecurity/2018/06/just-5-percent-federal-contractors-are-fully-protecting-against-email-spoofing/149165/

Contracting News

Read More

Contracting Tips

Read More

GTPAC News

Read More

Georgia Tech News

Read More