Georgia Tech Procurement Assistance Center

NIST to host CUI information security workshop on Oct. 18th

By

The National Institute of Standards and Technology (NIST), in coordination with the Department of Defense (DoD) and the National Archives and Records Administration (NARA), will host a Workshop providing an overview of Controlled Unclassified Information (CUI) on October 18, 2018.

The agenda for the Workshop shows a full day of panels, including those addressing DoD’s “Safeguarding Covered Defense Information and Cyber Incident Reporting” Clause (DFARS Cyber Rule), overviews of NIST Special Publications (SPs) 800-171 and 800-171A, and Government expectations when evaluating contractor implementation of the 800-171 security controls.

In addition to the panels described in the agenda, the Workshop may provide an opportunity to address questions about DoD’s April 2018 draft guidance for the Department’s assessment of contractors’ System Security Plans (SSPs) and implementation of the security controls in NIST SP 800-171.

The NIST Workshop is open to all interested stakeholders and is free to attend. Registration for in-person attendance can be made at the NIST website and is required by October 11, 2018. NIST has stated that the Workshop also will be available via webcast.  Advanced registration is not required for the webcast.

More information available at: https://www.insidegovernmentcontracts.com/2018/07/cui-workshop/

See GTPAC’s video, template and other resources designed to help contractors comply with the DoD/NIST cybersecurity rules at: http://gtpac.org/cybersecurity-training-video/

How multifactor authentication can help DoD contractors achieve DFARS compliance

By

To say that organizations today are concerned about cybersecurity would be a gross understatement.

Every time we turn around, there are reports of incidents where cybercriminals have either gamed a global social media tool or compromised a corporate customer database.

Needless to say, the U.S. government has also been extremely focused on cybersecurity — as evidenced by its recent directive, the Defense Federal Acquisition Regulation Supplement (DFARS), which aims to help government agencies protect their own data and that of organizations with which they do business.

What Does the DFARS Require?

The regulation requires any Department of Defense (DOD) contractor or subcontractor who handles controlled unclassified information (CUI) to comply with the data-protection standards outlined in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. According to NIST, CUI consists of “any sensitive federal government information routinely processed, stored or transmitted by a contractor in the course of its work providing essential products and services to federal agencies.”

DFARS is part of a worldwide trend of increasingly stringent data security standards. In May 2018, for example, the European Union (EU) enacted its General Data Protection Regulation (GDPR) to enhance user privacy and provide legal recourse when refuting algorithm-based decisions. Also, the Payment Card Industry Data Security Standard (PCI DSS) requires companies that accept credit card payments to host customer data securely with a PCI-compliant hosting provider. These and countless other standards show that data security is top of mind for industry leaders around the world.

Keep reading this article at: https://securityintelligence.com/how-multifactor-authentication-can-help-u-s-government-contractors-achieve-dfars-compliance/

See GTPAC’s video, template and other resources designed to help contractors comply with the DoD/NIST cybersecurity rules at: http://gtpac.org/cybersecurity-training-video/

DHS would get more power to bar risky contractors under dueling proposals

By

Two House Republicans are working on legislation that would expand the Homeland Security Department’s authority to deny contracts to companies that pose cybersecurity supply chain threats while the Trump administration is pushing an even more expansive proposal.

The bill in the House will be modeled on authorities Congress gave the Defense Department in 2011 that were implemented in 2015, said Rep. Scott Perry, R-Pa., who is drafting the bill with Rep. Peter King, R-N.Y.

Under those rules, Pentagon contracting officers can bar vendors that pose a security risk from competing for contracts before they’re awarded and halt contractors from hiring risky subcontractors after an award.

Under current Homeland Security Department rules, contracting officers working on unclassified contracts can’t bar vendors before an award based on information provided by intelligence agencies, Soraya Correa, the department’s chief procurement officer, who testified before two House Homeland Security panels last Thursday.

Keep reading this article at: https://www.nextgov.com/cybersecurity/2018/07/dhs-would-get-more-power-bar-risky-contractors-under-forthcoming-bill/149675/

Some FAQs answered about DoD’s new cybersecurity rule

By

The majority of Defense Department contractors no doubt by now have drafted and populated a system security plan in accordance with Defense Federal Acquisition Regulation Supplement cybersecurity provisions, which require implementation of the security controls in National Institute of Standards and Technology (NIST) Special Publication 800-171.

The Defense Department clarified last year that the requirement to implement the security controls by the Dec. 31 deadline was satisfied by the creation of a system security plan with plans of action for controls not yet met.

While establishing a system security plan means the contractor is initially compliant, understanding the contractor’s remaining obligations under the defense cybersecurity provisions will help ensure the contractor avoids potentially unforeseen pitfalls and liability.

The “frequently asked questions” updated on April 2 by the Defense Department regarding the provisions, discussed below, provide helpful insight into contractor obligations as well as best practices.

For example, when does a company need to update its system security plan?

Keep reading this article at: http://www.nationaldefensemagazine.org/articles/2018/7/3/viewpoint-some-faqs-answered-about-the-new-cybersecurity-rule

See GTPAC’s video, template and other resources designed to help contractors comply with the DoD/NIST cybersecurity rules at: http://gtpac.org/cybersecurity-training-video/

Facing Chinese cyberthreat, Pentagon to bake better contractor security into buying decisions

By

In the wake of reports China hacked a Navy contractor for sensitive data on submarine warfare, Pentagon officials said they want to build better security into the military’s acquisitions process to better protect the defense industry from Beijing’s tampering.

But it’s unclear whether the defense industry has bought into the nascent effort.

“It is no longer sufficient to only consider cost, schedule and performance when acquiring defense capabilities,” Deputy Under Secretary of Defense for Intelligence Kari Bingen told lawmakers on June 21st.

“We must establish security as a fourth pillar in defense acquisition and also create incentives for industry to embrace security, not as a cost burden, but as a major factor in their competitiveness for U.S. government business.”

Keep reading this article at: https://www.fifthdomain.com/congress/2018/06/21/pentagon-to-bake-better-contractor-security-into-buying-decisions/

Chinese government hackers steal massive amounts of data from Navy contractor computers

By

Chinese government hackers have stolen large swaths of highly sensitive data on undersea warfare from a Navy contractor’s computers, The Washington Post reports.

The stolen information includes secret plans to develop a supersonic anti-ship missile to be used by submarines by 2020, American officials told the Post.

The incidents took place in January and February, but officials did not disclose the contractor that was targeted, the newspaper reported Friday.

Although the information was highly sensitive, it was housed on the contractor’s unclassified network, according to the Post.

“Per federal regulations, there are measures in place that require companies to notify the government when a ‘cyber incident’ has occurred that has actual or potential adverse effects on their networks that contain controlled unclassified information,” Navy Lt. Marycate Walsh said in a statement. “It would be inappropriate to discuss further details at this time.”

Keep reading this article at: http://wtkr.com/2018/06/08/wapo-chinese-government-hackers-steal-massive-amounts-of-data-from-navy-contractor-computers/

Draft DoD guidance reveals how cyber readiness will impact contract evaluations

By

Editor’s Note: This post was created by Jon Williams who is a partner with PilieroMazza and a member of the firm’s Government Contracts Group. 

We have been blogging and giving webinars since last year about the DoD requirements around cybersecurity for contractors that are subject to DFARS 252.204-7012. Please view our past blogs and webinars here and here to get more of the backstory.

In a nutshell, DoD contractors operating nonfederal IT systems and subject to DFARS 252.204-7012 were required to have a system security plan (“SSP”) in place by December 31, 2017, to demonstrate compliance with the recommended security controls in NIST SP 800-171. Although the DFARS requirements were black-and-white, there was a fair amount of uncertainty late last year and continuing into this year about what contractors needed to do to comply and if/how DoD would enforce the requirements.

DoD has taken some of the mystery out of these cyber requirements in a recently-released draft guidance.

Keep reading this blog post at: http://www.pilieromazza.com/the-protests-are-coming-draft-dod-guidance-reveals-how-cyber-readiness-will-impact-contract-evaluations

See GTPAC’s instructional video on achieving compliance with DFARS 252.204-7012 and NIST guidance at: http://gtpac.org/cybersecurity-training-video/

Faster detection, cleanup of network infections are goals of $12.8 million Georgia Tech project

By

Cybersecurity researchers at the Georgia Institute of Technology have been awarded a $12.8 million contract to develop fundamentally new techniques designed to dramatically accelerate the detection and remediation of infections in local and remote networks. Using novel machine learning techniques that take advantage of large datasets, the researchers will develop ways to detect network infections within 24 hours – before invaders can do serious damage.

The technical goal for the new system, dubbed “Gnomon,” is to detect changes in individual computer systems by analyzing suspicious network traffic that appears weeks or months before any evidence of malicious software – or malware – can be identified. As a proof-of-concept, the researchers will work with two major U.S. telecommunication companies and several petabytes of data in basic research aimed at detecting signals of malicious activity on their networks.

Funded by the Defense Advanced Research Projects Agency (DARPA), the four-year award is part of the agency’s Harnessing Autonomy for Countering Cyberadversary Systems (HACCS) program. Beyond rapid detection of infections, the project will also accelerate the cleanup after such infections, creating a clearer pathway in a process known as remediation.

“A compromise becomes a breach only if the original infection remains undetected long enough for the adversaries to do damage,” said Manos Antonakakis, an assistant professor in Georgia Tech’s School of Electrical and Computer Engineering and the project’s co-principal investigator. “If you look at the major breaches that have occurred, you see that the adversaries were in the systems for months. We want to identify them in a matter of hours to contain the infection before any real damage can be done.”

The new techniques to be developed will address the realization that network attacks cannot be completely blocked by existing defenses and malware-based detection systems. Dynamic intelligence will be a key feature of the system, with the intent of creating a continuously-updated dossier of every address in IPv4 space.

“Gnomon will search for illicit behavior in computer systems and network signals that indicate the start of an infection,” said Michael Farrell, chief strategist at the Georgia Tech Research Institute (GTRI), and the principal investigator on the program. “We’ll use our experience with taking down botnets – networks of infected computers – to accelerate the detection and remediation process. It’s imperative to evolve our view of the internetwork infrastructure at the same pace that the threat evolves.”

To protect millions of computers on the networks of the two companies, the researchers must find ways to identify troubling behavior on individual IP addresses without endangering the privacy of individuals. Among the signs of trouble are communications with network locations known to house malicious activity. Such communication is necessary for malicious groups to control computers that have been compromised, and to move data stolen from them.

“If you know where the infecting groups are located, you can very easily exclude most of the benign activities occurring on the network,” Antonakakis said. “We need to be able to identify what has changed in computers throughout the network, understand why the change has happened, and determine whether that change can be attributed to benign or malicious activity. This is a groundbreaking new approach to network security that will require tremendous computing power and infrastructure.”

Ever since the first viruses hit computers in the 1980s, cybersecurity has seen rapid evolution of detection and attack tactics. The success of Gnomon will likely drive adversaries to new attack techniques that may be more complex – and expensive – than existing activities. Making cyberattacks more costly to launch may reduce the profit from such activities, making them less attractive.

“If we can clean up our networks faster and more efficiently, that will increase the cost of the attack, making the adversaries work harder,” Antonakakis said. “If you raise the cost of an attack, the return on investment becomes smaller, while the risk of getting identified becomes higher. We would like to make the business of an attack so unprofitable and so risky for the adversaries that it will not make sense for them to conduct major operations in our networks.”

Success in developing new techniques with the first two telecommunication companies could open the door for scaling up Gnomon to other large networks in industry – and to U.S. government systems.

“Not only will deployment have an obvious benefit of improved hygiene for a significant portion of the U.S. internet infrastructure, but the public-private partnership will allow us to provide valuable feedback throughout the HACCS program on the sort of prototypes that will be necessary to have true business and mission impact in the real world,” Farrell said. “The goals are very ambitious, but if we’re successful, we’ll be able to close the gap between an infection and remediation.”

This program is the latest interdisciplinary research collaboration in cybersecurity at Georgia Tech, orchestrated by the Institute for Information Security & Privacy (IISP). In addition to the School of Electrical and Computer Engineering and GTRI, the project will include Professor Brian Kennedy from Georgia Tech’s School of Physics.

Attribution of malicious cyber activity is an established research thrust at Georgia Tech, and this new contract builds on the early success of another Department of Defense (DoD) sponsored program to enhance attribution. The “Rhamnousia” program is now a $25.3 million contract being led by the same research team of Farrell and Antonakakis.

This material is based upon work supported by the Defense Advanced Research Projects Agency (DARPA) under contract number HR001118C0057. Any opinions, findings and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the Defense Advanced Research Projects Agency (DARPA).

Source: http://www.news.gatech.edu/2018/05/14/faster-detection-cleanup-network-infections-are-goals-128-million-project

Next NDAA might add more cyber provisions

By

The next defense authorization bill could have a slew of new cyber provisions aimed at streamlining the Defense Department’s collaboration with the rest of government.

The House Armed Services Committee’s Subcommittee on Emerging Threats and Capabilities released a markup of the 2019 National Defense Authorization Act on April 26 that includes a range of cyber provisions and recommendations focusing on expanding cyber forces, protecting critical infrastructure and consolidating cyber responsibilities.

Key provisions include:

  • Studying state cyber teams.
  • Protecting critical infrastructure with more hackathons.
  • Boosting breach notification requirements. 
  • Prioritizing tech needs at DOD installations.
  • Fully integrating DIUx’s Silicon Valley vibe into defense labs. 
  • Mapping cyber vulnerabilities in weapons systems. 
  • Cyber Command absorbing (some of) DISA’s responsibilities.

Read details on each of these provisions at: https://washingtontechnology.com/articles/2018/04/27/ndaa-markup-cyber.aspx

Security tips for choosing and using passwords

By

You probably use a number of personal identification numbers (PINs), passwords, and passphrases every day: from getting money from the ATM or using your debit card in a store, to logging in to your email or into an online retailer. Keeping track of all of the number, letter, and word combinations may be frustrating at times, but you’ve seen enough news coverage to know that hackers represent a real threat to your information. Often, an attack is not specifically about your account, but about using the access to your information to launch a larger attack.

One of the best ways to protect information or physical property is to ensure that only authorized people have access to it. Verifying that those requesting access are the people they claim to be is the next step. This authentication process is more important and more difficult in the cyber world. Passwords are the most common means of authentication, but only work if they are complex and confidential. Many systems and services have been successfully breached because of insecure and inadequate passwords. Once a system is compromised, it’s open to exploitation by other unwanted sources.

How to choose good passwords

Avoid common mistakes

Most people use passwords that are based on personal information and are easy to remember. However, that also makes it easier for an attacker to crack them. Consider a four-digit PIN. Is yours a combination of the month, day, or year of your birthday? Does it contain your address or phone number? Think about how easy it is to find someone’s birthday or similar information. What about your email password—is it a word that can be found in the dictionary? If so, it may be susceptible to dictionary attacks, which attempt to guess passwords based on common words or phrases.

Although intentionally misspelling a word (“daytt” instead of “date”) may offer some protection against dictionary attacks, an even better method is to rely on a series of words and use memory techniques, or mnemonics, to help you remember how to decode it. For example, instead of the password “hoops,” use “IlTpbb” for “[I] [l]ike [T]o [p]lay [b]asket[b]all.” Using both lowercase and capital letters adds another layer of obscurity. Changing the same example used above to “Il!2pBb.” creates a password very different from any dictionary word.

Length and complexity

The National Institute of Standards and Technology (NIST) has developed specific guidelines for strong passwords. According to NIST guidance, you should  consider using the longest password or passphrase permissible (16–64 characters) when you can. For example, “Pattern2baseball#4mYmiemale!” would be a strong password because it has 28 characters. It also includes the upper and lowercase letters, numbers, and special characters. You may need to try different variations of a passphrase—some applications limit the length of passwords, some do not accept spaces or certain special characters. Avoid common phrases, famous quotations, and song lyrics.

Dos and don’ts

Once you’ve come up with a strong, memorable password it’s tempting to reuse it ­– don’t! Reusing a password, even a strong one, endangers your accounts just as much as using a weak password. If attackers guess your password, they would have access to all of your accounts. Use the following techniques to develop unique passwords for each of your accounts:

  • Do use different passwords on different systems and accounts.
  • Don’t use passwords that are based on personal information that can be easily accessed or guessed.
  • Use the longest password or passphrase permissible by each password system
  • Don’t use words that can be found in any dictionary of any language.
  • Do develop mnemonics to remember complex passwords.
  • Do consider using a password manager program to keep track of your passwords. (See more information below.)

How to protect your passwords

Now that you’ve chosen a password that’s easy for your to remember, but difficult for others to guess, you have to make sure not to leave it someplace for people to find. Writing it down and leaving it in your desk, next to your computer, or, worse, taped to your computer, is just making it easy for someone who has physical access to your office. Don’t tell anyone your passwords, and watch for attackers trying to trick you through phone calls or email messages requesting that you reveal your passwords. (See Avoiding Social Engineering and Phishing Attacks for more information.)

Programs called password managers offer the option to create randomly generated passwords for all of your accounts. You then access those strong passwords with a master password. If you use a password manager, remember to use a strong master password.

Password problems can stem from your web browsers’ ability to save passwords and your online sessions in memory. Depending on your web browsers’ settings, anyone with access to your computer may be able to discover all of your passwords and gain access to your information. Always remember to log out when you are using a public computer (at the library, an Internet cafe, or even a shared computer at your office). Avoid using public computers and public Wi-Fi to access sensitive accounts such as banking and email.

There’s no guarantee that these techniques will prevent an attacker from learning your password, but they will make it more difficult.

For more information on passwords, multi-factor authentication, and related password topics, see Supplementing Passwords.

Don’t forget security basics

  • Keep your operating system, browser, and other software up-to-date.
  • Use and maintain anti-virus software and a firewall.
  • Regularly scan your computer for spyware. (Some anti-virus programs incorporate spyware detection.)
  • Use caution with email attachments and untrusted links.
  • Watch for suspicious activity on your accounts.

Source: The National Cybersecurity and Communications Integration Center’s (NCCIC) – https://www.us-cert.gov/ncas

Contracting News

Read More

Contracting Tips

Read More

GTPAC News

Read More

Georgia Tech News

Read More