Georgia Tech Procurement Assistance Center

Holding government contractors responsible for cybersecurity is trickier than it sounds

By

The federal government wants to hold defense contractors accountable for the cybersecurity of their supply chains but that’s no easy feat, experts said recently.

On March 26th, industry representatives told lawmakers on the Senate Armed Services Committee about attempting to tackle cyber threats as a federal contractor. Much of the hearing was focused on one specific issue: increasingly complex levels of supply chains make it difficult for prime contractor to ensure all subcontractors are upholding cybersecurity protections. And that ever-lengthening chain increases the possibility of compromised information or cyberattacks.

“I don’t know why we don’t hold the larger contractors who are responsible for the contract to make sure the subcontractors they are hiring have protections,” Sen. Joe Manchin, D-W.V., said. “Somebody has to be held accountable.”

Keep reading this article at: https://www.nextgov.com/cybersecurity/2019/03/holding-government-contractors-responsible-cybersecurity-trickier-it-sounds/155862/

In doubt? Check with GTPAC!

By

Your team at the Georgia Tech Procurement Assistance Center (GTPAC) stands ready to offer you advice about any aspect of government contracting — especially when you have any doubt about the legitimacy of a contract-related service or solicitation.

We’ve published many articles before about government contracting scams (click here to see previous articles), and once again we want to bring another one to your attention.

Just a few days ago, a GTPAC client contacted one of our Counselors and asked about the legitimacy of a request for a quotation he received, supposedly from the Dept. of Defense (DoD).  Once we examined the email and the attachment that our client sent us, we told him to run — not walk — away from it!

Here Are the Details

The email was purportedly from a DoD official soliciting a quote for some laptops and computer drives.

We examined the email and its attachment, including the following:

  • We called the phone number in the email which was answered by a person who didn’t identify himself.  When we asked questions, he said that he’d have the person identified in the email call us back with details.  No one called back.
  • We checked the identity of the person who supposedly sent the email.  The email’s Quote form identified him as Deputy Director for Procurement at AT&L.   We determined that, in reality, he is DoD’s Deputy Director for Earned Value Management.  AT&L (Acquisition, Technology and Logistics) is a unit within DoD that no longer exists; it’s been reorganized into two groups: research and engineering (R&E) and acquisition and sustainment (A&S).  (See details of that reorganization by clicking here.)
  • We also identified the DoD official’s real email address and his actual phone number; they were not the email address or phone number shown in the email and on the Quote form that was sent to our client.
  • We noted that the federal solicitation number shown on the Quote form was not in the correct format, and the Quote form itself was not a form we have ever seen before.
  • The wording of the email was sloppy and unprofessionally prepared.

Based on the above, we advised our client to not respond because we believe this is a probable scam which will lead to an order to ship the products to a bogus shipping address, for which payment will never be received.  We also alerted the appropriate DoD officials of this probable scam.

What You Should Do

It’s as simple as 1-2-3.

  1. Stay alert to possible scams involving government contracting.  There are many scams in circulation literally every day.
  2. Don’t let the temptation of landing a sale overtake your common sense.  If it looks like easy money, it’s probably bogus.
  3. Whenever you are in doubt, contact GTPAC for advice.  We’ll be happy to check things out for you and provide you with our opinion.  It’s as simple as forwarding anything suspicious to us at: gtpacatl@innovate.gatech.edu.

Remember, the GTPAC team is here to help you succeed in the government marketplace!

P.S.:  If your business is located outside the state of Georgia, you can find a procurement technical assistance center (PTAC) by clicking here.

 

Facing Chinese cyberthreat, Pentagon to bake better contractor security into buying decisions

By

In the wake of reports China hacked a Navy contractor for sensitive data on submarine warfare, Pentagon officials said they want to build better security into the military’s acquisitions process to better protect the defense industry from Beijing’s tampering.

But it’s unclear whether the defense industry has bought into the nascent effort.

“It is no longer sufficient to only consider cost, schedule and performance when acquiring defense capabilities,” Deputy Under Secretary of Defense for Intelligence Kari Bingen told lawmakers on June 21st.

“We must establish security as a fourth pillar in defense acquisition and also create incentives for industry to embrace security, not as a cost burden, but as a major factor in their competitiveness for U.S. government business.”

Keep reading this article at: https://www.fifthdomain.com/congress/2018/06/21/pentagon-to-bake-better-contractor-security-into-buying-decisions/

Just 5 percent of federal contractors are fully protecting against email spoofing

By

Government contractors still lag far behind on implementing an email security tool that’s now mandatory for government agencies, according to industry data released Thursday.

Among the top 98 government contractors by dollar value, only 45 have properly installed the tool known as DMARC and only five have set it up to quarantine or reject spoofed or phishing emails that might contain malware, according to an analysis by the company ValiMail.

That means 93 of those companies are more vulnerable to phishing and spoofed emails, which might endanger those contractors’ federal clients—even if those agencies have installed DMARC themselves.

Keep reading this article at: https://www.nextgov.com/cybersecurity/2018/06/just-5-percent-federal-contractors-are-fully-protecting-against-email-spoofing/149165/

Chinese government hackers steal massive amounts of data from Navy contractor computers

By

Chinese government hackers have stolen large swaths of highly sensitive data on undersea warfare from a Navy contractor’s computers, The Washington Post reports.

The stolen information includes secret plans to develop a supersonic anti-ship missile to be used by submarines by 2020, American officials told the Post.

The incidents took place in January and February, but officials did not disclose the contractor that was targeted, the newspaper reported Friday.

Although the information was highly sensitive, it was housed on the contractor’s unclassified network, according to the Post.

“Per federal regulations, there are measures in place that require companies to notify the government when a ‘cyber incident’ has occurred that has actual or potential adverse effects on their networks that contain controlled unclassified information,” Navy Lt. Marycate Walsh said in a statement. “It would be inappropriate to discuss further details at this time.”

Keep reading this article at: http://wtkr.com/2018/06/08/wapo-chinese-government-hackers-steal-massive-amounts-of-data-from-navy-contractor-computers/

Scam Alert: Malicious e-mail spoofs being sent to vendors

By

The Defense Logistics Agency (DLA) is reporting that a fake solicitation is being sent to vendors in the form of a Request for Quotation (RFQ).

The fake email solicitation, purporting to be from DLA, has been targeting GSA STARS II vendors.

The emails are not from DLA.mil.  Instead, they are coming from a “Reply-To” address ending in @dla-mil.us, which is not a government address.

In some cases, “stars2@american consultants.com” has been identified to supposedly send messages on behalf of a DLA Contract Specialist — these are also fake.

Some of the bogus emails suggest that vendors use the “stars2” Google Group at https//groups.google.com/a/americanconsultants.com to obtain more information or to unsubscribe from the email communication.  Be advised that “stars2” is not a DLA affiliated group.

Always remain cautious of emails that arrive in your inbox that are not explicitly addressed to you.  Sometimes scammers attempt to hide their actions by addressing their targets in the “bcc” line.

Also, please be aware that the phone number in these recent bogus emails is not a DLA phone number.  In addition, the RFQ form in the email is not an official government form, nor is the signature block legitimate.

DLA’s notice about this matter can be seen here: Vendor Phishing Notice -DLA – 8 June 2018.  The notice shows copies of the bogus emails.

Bottom line: Vendors should always remain vigilant about suspicious emails, and be cautious about opening email attachments.  Questions or comments can be directed to DLA at CERTFusionCell@dla.mil.

In addition, if you ever have a question about the legitimacy of any emails having to do government contracting opportunities, especially those which solicit a fee, please feel free to contact the Georgia Tech Procurement Assistance Center (GTPAC) for advice.  GTPAC can be emailed at gtpacatl@innovate.gatech.edu.

To read previous articles about scams involving government contracting, visit http://gtpac.org/?s=scam

Security tips for choosing and using passwords

By

You probably use a number of personal identification numbers (PINs), passwords, and passphrases every day: from getting money from the ATM or using your debit card in a store, to logging in to your email or into an online retailer. Keeping track of all of the number, letter, and word combinations may be frustrating at times, but you’ve seen enough news coverage to know that hackers represent a real threat to your information. Often, an attack is not specifically about your account, but about using the access to your information to launch a larger attack.

One of the best ways to protect information or physical property is to ensure that only authorized people have access to it. Verifying that those requesting access are the people they claim to be is the next step. This authentication process is more important and more difficult in the cyber world. Passwords are the most common means of authentication, but only work if they are complex and confidential. Many systems and services have been successfully breached because of insecure and inadequate passwords. Once a system is compromised, it’s open to exploitation by other unwanted sources.

How to choose good passwords

Avoid common mistakes

Most people use passwords that are based on personal information and are easy to remember. However, that also makes it easier for an attacker to crack them. Consider a four-digit PIN. Is yours a combination of the month, day, or year of your birthday? Does it contain your address or phone number? Think about how easy it is to find someone’s birthday or similar information. What about your email password—is it a word that can be found in the dictionary? If so, it may be susceptible to dictionary attacks, which attempt to guess passwords based on common words or phrases.

Although intentionally misspelling a word (“daytt” instead of “date”) may offer some protection against dictionary attacks, an even better method is to rely on a series of words and use memory techniques, or mnemonics, to help you remember how to decode it. For example, instead of the password “hoops,” use “IlTpbb” for “[I] [l]ike [T]o [p]lay [b]asket[b]all.” Using both lowercase and capital letters adds another layer of obscurity. Changing the same example used above to “Il!2pBb.” creates a password very different from any dictionary word.

Length and complexity

The National Institute of Standards and Technology (NIST) has developed specific guidelines for strong passwords. According to NIST guidance, you should  consider using the longest password or passphrase permissible (16–64 characters) when you can. For example, “Pattern2baseball#4mYmiemale!” would be a strong password because it has 28 characters. It also includes the upper and lowercase letters, numbers, and special characters. You may need to try different variations of a passphrase—some applications limit the length of passwords, some do not accept spaces or certain special characters. Avoid common phrases, famous quotations, and song lyrics.

Dos and don’ts

Once you’ve come up with a strong, memorable password it’s tempting to reuse it ­– don’t! Reusing a password, even a strong one, endangers your accounts just as much as using a weak password. If attackers guess your password, they would have access to all of your accounts. Use the following techniques to develop unique passwords for each of your accounts:

  • Do use different passwords on different systems and accounts.
  • Don’t use passwords that are based on personal information that can be easily accessed or guessed.
  • Use the longest password or passphrase permissible by each password system
  • Don’t use words that can be found in any dictionary of any language.
  • Do develop mnemonics to remember complex passwords.
  • Do consider using a password manager program to keep track of your passwords. (See more information below.)

How to protect your passwords

Now that you’ve chosen a password that’s easy for your to remember, but difficult for others to guess, you have to make sure not to leave it someplace for people to find. Writing it down and leaving it in your desk, next to your computer, or, worse, taped to your computer, is just making it easy for someone who has physical access to your office. Don’t tell anyone your passwords, and watch for attackers trying to trick you through phone calls or email messages requesting that you reveal your passwords. (See Avoiding Social Engineering and Phishing Attacks for more information.)

Programs called password managers offer the option to create randomly generated passwords for all of your accounts. You then access those strong passwords with a master password. If you use a password manager, remember to use a strong master password.

Password problems can stem from your web browsers’ ability to save passwords and your online sessions in memory. Depending on your web browsers’ settings, anyone with access to your computer may be able to discover all of your passwords and gain access to your information. Always remember to log out when you are using a public computer (at the library, an Internet cafe, or even a shared computer at your office). Avoid using public computers and public Wi-Fi to access sensitive accounts such as banking and email.

There’s no guarantee that these techniques will prevent an attacker from learning your password, but they will make it more difficult.

For more information on passwords, multi-factor authentication, and related password topics, see Supplementing Passwords.

Don’t forget security basics

  • Keep your operating system, browser, and other software up-to-date.
  • Use and maintain anti-virus software and a firewall.
  • Regularly scan your computer for spyware. (Some anti-virus programs incorporate spyware detection.)
  • Use caution with email attachments and untrusted links.
  • Watch for suspicious activity on your accounts.

Source: The National Cybersecurity and Communications Integration Center’s (NCCIC) – https://www.us-cert.gov/ncas

SAM.gov hackers used spearphishing, spoofing, credential theft

By

Cybercrooks who stole federal payments by hacking contractor accounts on a General Services Administration (GSA) website used sophisticated spearphishing techniques to steal login credentials and then diverted payments to bank accounts they controlled, an executive of a contractor targeted in the scam told FedScoop.

It’s unclear how much the scammers have netted through their scheme, which is being investigated by the GSA inspector general and federal law enforcement.

The inspector general’s office declined to comment, but sources familiar with the investigation told FedScoop that the cyberattacks that facilitated the fraud had been identified last year and were ongoing as
recently as last week.

Keep reading this article at: https://www.fedscoop.com/sam-gov-hackers-used-spearphishing-spoofing-credential-theft/

Also see Tips for Surviving Compromise of Government’s Vendor Database: http://gtpac.org/2018/03/26/tips-for-surviving-compromise-of-governments-vendor-database/

Cybersecurity training video and template released

By

The Georgia Tech Procurement Assistance Center (GTPAC) has produced a 20-minute instructional video designed to assist contractors comply with Defense Department (DoD) cybersecurity requirements.

Click image above to view video and access resource documents.

Accompanying the video is a 127-page template that can be used by contractors to create a Security Assessment Report, a System Security Plan, and a Plan of Action.

The video and template, along with related resources, can be found at: http://gtpac.org/cybersecurity-training-video.

Background

The Defense Federal Acquisition Regulation Supplement (DFARS) prescribes that DFARS clause 252.204-7012 (“Safeguarding Covered Defense Information and Cyber Incident Reporting”)  be inserted in many DoD contracts.

In general, the clause requires that contractors provide adequate security on all applicable contractor information systems – and investigate and report on any compromises of such systems.  The DFARS clause also requires contractors to:

  • isolate malicious software,
  • preserve and protect all media involved in a cyber incident,
  • provide DoD with access to information or equipment for purposes of forensic analysis,
  • assess damage as a result of a cyber incident, and
  • “flow down” the clause in any subcontracts involving information covered by the requirements.
Click on the graphic above to see the government’s complete list of Controlled Unclassified Information (CUI) covered by the regulation.
Impact

If you are a DoD contractor, it is very likely that your contract incorporates DFARS clause 252.204-7012.  The clause is required in all solicitations and contracts, including solicitations and contracts issued under Federal Acquisition Regulation (FAR) Part 12 procedures for the acquisition of commercial items.  (Note: The clause is not required for solicitations and contracts solely for the acquisition of Commercial Off the Shelf – or COTS – items.)

To provide adequate security, DoD contractors covered by the DFARS clause are expected, at a minimum and effective immediately, to implement the standards set forth in National Institute of Standards and Technology (NIST) Special Publication 800-171 (Revision 1).

In general terms, to meet the government’s cybersecurity standards, contractors must assess their information systems, develop a security plan, and create an action plan.  GTPAC’s template – available for download as a Word document on the same webpage where the video appears – provides a step-by-step process by which each of these tasks can be completed and documentation can be compiled.

Information and Assistance

The video and template were funded through a cooperative agreement with the Defense Logistics Agency, and created with the support of the Georgia Institute of Technology.  The content of the video presentation does not necessarily reflect the official views of or imply endorsement by the U.S. Department of Defense, the Defense Logistics Agency, or Georgia Tech.

For further assistance with complying with DoD’s contractual cybersecurity requirements, please feel free to contact a GTPAC Procurement Counselor.  A list of Counselors, their locations, and contact information can be found at: http://gtpac.org/team-directory.

Companies located outside the state of Georgia may contact their nearest Procurement Technical Assistance Center (PTAC) for assistance with government contracting matters.  PTACs are located in all 50 states, the District of Columbia, Guam, and Puerto Rico.  Find a directory of PTACs at: http://www.aptac-us.org/find-a-ptac.

GTPAC is a part of the Enterprise Innovation Institute (EI2), Georgia Tech’s business outreach organization which serves as the primary vehicle to achieve Georgia Tech’s goal of expanded local, regional, and global outreach.  EI2 is the nation’s largest and most comprehensive university-based program of business and industry assistance, technology commercialization, and economic development.

 

 

 

Oct. 27 cybersecurity webinar reviews key regulatory actions impacting government contractors

By

The Georgia Tech Procurement Assistance Center (GTPAC) is hosting a one-hour lunchtime webinar on Oct. 27, 2017 on the subject of the regulatory obligations federal contractors have for protecting data from cyber-attacks.

Interested parties can sign-up to participate in this free webinar by clicking here.  After registering, enrollees will receive webinar access information from the instructor a few days before the webinar.

Businesses seeking information and resources on the subject of government cybersecurity rules can visit this page.  GTPAC hosted a half-day briefing for businesses on Aug. 9th, and visitors to this page can view a video of the event, plus download a number of resource materials.

Contracting News

Read More

Contracting Tips

Read More

GTPAC News

Read More

Georgia Tech News

Read More