Georgia Tech Procurement Assistance Center

Contractors have questions about DOD’s cyber requirements

By

The Pentagon is making big moves in an effort to improve cybersecurity for its industrial base, but so far the department’s biggest roadblocks early on may be the same confusion, doubt and uneven compliance from contractors that led to the vulnerabilities in the first place.

Officials from the Department of Defense and the National Institute of Standards and Technology gave updates on two nascent programs at an Aug. 8 Information Security and Privacy Advisory Board meeting: NIST’s new draft cybersecurity guidance for contractor systems deemed high value assets and the Pentagon’s Cybersecurity Maturity Model Certification (CMMC) program.

Both are designed to shore up different aspects of DOD’s cybersecurity regime for contractors, and both are causing heartburn among companies who are still unclear about how best to comply.

The NIST draft guidance around high value assets recently went out for public comment earlier this year.  The more than 600 responses reflect confusion about the scope and application of the requirements.

Continue reading at:  FCW.com

Cybersecurity – The Times (and Standards) They Are A Changin’ – FAST!

By

As we reported last month, the Department of Defense (DoD) has been engaging in an unusual rollout of its new cybersecurity certification program by way of  road tours—led by Katie Arrington, the Special Assistant to the Assistant Secretary of Defense for Acquisition and Sustainment for Cyber—that address the tiered, five-level Cybersecurity Maturity Model Certification (CMMC).  At bottom, DoD intends for the CMMC to help streamline the acquisition process by providing acquiring agencies and consenting contractors with more exacting cybersecurity requirements for future acquisitions.  What’s unique about the CMMC rollout is the lack of written guidance on the program.  DoD representatives have orally provided a majority of publicly available information about CMMC only during various webinars and defense-industry events held over the past couple of months.  Indeed, a quick Google search for “CMMC” indicates that, at this time, hard facts about the program appear to be limited to FAQs on a DoD website.

That word of mouth rollout continued during a July 9 presentation at the National Defense Industrial Agency Procurement Division Meeting in Washington, D.C.  During this presentation, Ms. Arrington both reconfirmed some previously discussed details about the CMMC program and provided additional insight into program components that will be of interest to contractors doing business with DoD when the program comes to fruition.

Continue reading at:  McCarter & English

Industry wants to know exactly what Huawei ban means for contractors

By

Due to concerns of espionage and infiltration, federal agencies can no longer contract with companies that use technologies from two Chinese companies: Huawei and ZTE.  But exactly how that ban will impact the federal contracting community is still up in the air.

A provision in the 2019 National Defense Authorization Act prevents agency heads from signing contracts “with an entity that uses any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system.”

As federal agencies grapple with how to meet this directive, the Defense Department, General Services Administration and NASA held a forum Friday to hear from industry stakeholders and allow members of the Federal Acquisition Regulatory Council to ask questions.

Comments varied from nonplused to strongly concerned over how the legislation will affect ongoing federal business, including federal grants used for local public safety improvements.  Despite differences in perspective, all speakers agreed on one thing: The current language is ambiguous.

Continue reading at:  Nextgov

Uncle Sam wants you — and your DFARS compliance

By

Following rules of engagement is a common concept, but knowing the rules — and whether they really apply to one’s own business — is not always a common condition.  The federal market can be especially confusing for smaller companies that may be delivering similar products or services to both civilian and military/defense/aerospace agencies.

If you know enough to ask about DFARS 252.204-7012 compliance, hold grants or contract awards subject to the provisions, or are contemplating entering the Department of Defense (DoD) market, you should at least be on the path to Defense Federal Acquisition Regulation Supplement (DFARS) compliance.  By September 2020, meeting the required security level contained in a DoD solicitation will be the basis for a go/no-go decision on further consideration of an offeror’s cost, schedule, and performance qualifications.

Announced changes to federal procurement practices, particularly for DoD-related contracts, put into play provisions for supply chain security and resiliency based, in part, on the 2018 “Deliver Uncompromised” study from MITRE Corporation.  Widely publicized leaks of government-funded intellectual property and other proprietary information have intensified concerns about the vulnerability of the defense industrial base (DIB), one of the 16 industry sectors defined by the Department of Homeland Security (DHS) as “critical infrastructure.”  The Office of the Under Secretary of Defense for Acquisition & Sustainment notes on its website that DoD is “planning a series of engagements across the United States in order to solicit inputs and feedback from the [DIB] sector.”

Continue reading at:  IndustryWeek

Will defense contractors be ready for CMMC?

By

Defense contractors will face big changes and tight timelines over the next year as the Department of Defense rolls out its new Cybersecurity Maturity Model Certification framework, experts say.

The framework, which aims to certify a company’s compliance with federal cybersecurity regulations around controlled unclassified information (CUI), was announced by DOD officials in June.  It will be used to evaluate and rate contractors’ ability to protect sensitive data on a 1-5 scale starting next year.

The initial version of the framework is scheduled to go public in January 2020.  By June 2020, its requirements will start appearing in requests for information, and will become a regular feature of defense procurement by September 2020.  That means defense contractors will have less than eight months to implement changes for compliance with the Defense Federal Acquisition Regulation Supplement and National Institute of Standards and Technology guidance on protecting CUI.

Continue reading at:  FCW

Cybersecurity: front and center for industry

By

“Deliver Uncompromised,” the “Fourth Pillar of Acquisition” or “Securing the DoD Supply Chain” — no matter what turn of phrase one uses to discuss protecting the defense industrial base and the equipment and support it provides warfighters from cyber threats, this issue stands front and center for the Pentagon and for the people and companies that provide its capabilities.

Experts estimate losses of about $600 billion per year in the transfer of wealth, expertise and trade secrets due to cyber crime.  Adversaries and bad actors specifically target the defense industrial base, using the pilfered data to close capability gaps with the United States, its allies and partners.

The National Defense Strategy and the National Cyber Strategy lay it bare, “Our competitors — including … foreign adversaries such as Russia and China — are also using cyber to try to steal our technology.”  Protecting U.S. advantages demands better government-industry collaboration.  Fortunately, that is happening with the end state an effective, holistic cyber defense.

Despite being the home of cyberspace and the innovative tech giants who used it to transform society and the economy, America — both its government and its traditional industries — has responded slowly to growing and increasingly adaptive cyber threats.  That said, stakeholders now recognize the challenge and have begun responding with concrete actions.  Called out in the series of 2018 strategy documents, the cyber hygiene of U.S. government contractors, especially those in the defense industrial base, will likely soon require third-party cybersecurity certification for contractors to participate in any Defense Department contract.

Continue reading at:  National Defense Magazine 

CBP reportedly suspends subcontractor over cyberattack

By

The US Customs and Border Protection has reportedly suspended a subcontractor following a “malicious cyberattack” in May that caused it to lose photos of travelers into and out of the country.  Perceptics, which makes license plate scanners and other surveillance equipment for CBP, has been suspended from contracting with the federal government, The Washington Post reported Tuesday.

On June 12, CBP had confirmed that in violation of its policies, a subcontractor had “transferred copies of license plate images and traveler images collected by CBP to the subcontractor’s company network.”  The subcontractor’s network was then compromised by a cyberattack that affected under 100,000 people who entered and exited the US in a vehicle through several specific lanes at one land border during a 1.5-month period.

Continue reading at:  CNET News

DOD’s proposed cybersecurity maturity model certification requirements: what we know and how to prepare

By

The final DFARS cybersecurity rule promulgated in 2016, which included the latest changes to the DFARS clause at 252.204-7012, was a significant development for DoD contractors, in part because it mandates compliance with the 110 security controls in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.  DoD has been working with the contracting community since that time with respect to the implementation of the final rule, but has concluded that further compliance steps are needed in the form of cybersecurity certification standards.

The anticipated new cybersecurity certification standards for DoD contractors are quickly taking shape.  Katie Arrington, former South Carolina legislator and current special assistant for Cybersecurity to Assistant Secretary of Defense for Acquisition, recently announced that DoD is partnering with the Carnegie Mellon University Software Engineering Institute and the Johns Hopkins University Applied Physics Laboratory in developing the new certification standard: the Cybersecurity Maturity Model Certification or “CMMC.”  This Alert outlines what has been revealed thus far about the CMMC, how the CMMC will affect DoD contractors, and steps you can take to be ready when the CMMC goes live.

Continue reading at:  Miles & Stockbridge

7 steps for getting right with NIST 800-171

By

The deadline for defense contractors and subcontractors to implement the information security requirements listed in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 has come and gone.  There are more than 100 information security requirements in NIST 800-171, and it is a good bet that many smaller companies without ample IT resources fall into the category of: “We missed the deadline… what now?”

If you want to continue working with the Department of Defense, the simple answer is you will have to be 800-171 compliant.  This includes secure file sharing and information exchange governance, namely how you store, access, exchange and govern sensitive (but unclassified) information with the agency.  And while the December 31, 2017, deadline was directed at DOD’s industry partners, NIST 800-171 applies to all non-federal organizations that work with U.S. government systems and data.  So the suggestions below are in no way limited to defense contractors!

Continue reading at:  Federal Computer Week

The importance of compliance with DFARS cybersecurity regulations

By

Clicking the “COMPLY” check box on the list of government requirement flow-downs may seem like a necessary evil of being a supplier to the defense market, but some regulations around information and cybersecurity provide the critical foundations of a trusted computing supply chain.

Cyber and information warfare are the hottest and possibly most contested battlefields in the race for military dominance. Case in point, the U.S. Navy recently changed the name of Space and Naval Warfare Systems Command (SPAWAR) to the Naval Information Warfare Systems Command (NAVWAR), in recognition of how important information warfare to defense strategy.

Similarly, earlier this year, the U.S. Army, announced the evolution of its Cyber Command into the Information Warfare Command, and the U.S. Air Force announced the merger of the 24th Air Force (Air Forces Cyber) and the 25th Air Force, to create a new information warfare focused command.

By all indicators, information currently sits near the top of the food chain of assets requiring protection.  To that end, the U.S. Department of Defense (DOD) upped the ante on regulations around what types of information need protection and how much suppliers must protect that information.

Continue reading here:  Military and Aerospace Electronics

Contracting News

Read More

Contracting Tips

Read More

GTPAC News

Read More

Georgia Tech News

Read More