Georgia Tech Procurement Assistance Center

Pentagon cyber shortfalls leave data at risk, key senators warn

By

The Pentagon isn’t taking strong enough action to ensure that defense contractors are protecting highly technical but unclassified information from hacking, according to the top lawmakers on the Senate Armed Services Committee.

The Senate panel “has gathered information that suggests DoD is simply not doing enough to protect controlled, unclassified information,” the lawmakers, including ailing Republican Chairman John McCain and Jack Reed, the panel’s top Democrat, wrote to Defense Secretary Jim Mattis in a previously undisclosed letter obtained by Bloomberg News.

“We are concerned with existing regulations and best practices” not being followed in matters such as contracts lacking appropriate cybersecurity clauses, computer networks operating without multifactor authentication for access, strong remote user policies and “insufficient third-party verification of compliance with cybersecurity standards,” the lawmakers wrote last month.

The vulnerability of U.S. systems to hacking has been highlighted in recent years by incidents including attacks on banks and energy infrastructure, as well as efforts to infiltrate state election systems in 2016 and this year. Earlier this year, five pipeline operators in the U.S. said their third-party electronic communications systems were shut down by hackers. The U.S. says the biggest foreign hacking threats come from Russia, China and Iran.

Keep reading this article at: https://www.bloomberg.com/news/articles/2018-08-23/pentagon-cyber-shortfalls-leave-data-at-risk-key-senators-warn

The Georgia Tech Procurement Assistance Center (GTPAC) has produced a video, template and other resources designed to help contractors comply with the DoD/NIST cybersecurity rules.  These resources are available  at: http://gtpac.org/cybersecurity-training-video/

Software companies push Senate to weaken lowest price contracting rule

By

Lawmakers are once again looking at ways to peel back the use of lowest price technically acceptable, or LPTA, contracting decisions to enable federal agencies to spend a little more for better products and services.

As part of the Federal Acquisition Regulation, LPTA requires agencies to choose the lowest priced option that meets the requirements set forth in a given solicitation. Abiding by the letter of the law has led to poor contracting decisions for the sake of saving some money.

“LPTA contracting is a useful source selection method for acquisitions with simple, well-defined requirements when cost is the sole objective differentiating factor,” BSA | The Software Alliance Vice President Craig Albright wrote in a letter to the Senate Armed Services Committee. “However, when it comes to more complex acquisitions involving multiple technical variable or functions … LPTA’s priority of price over value leads to acquisition outcomes that actually prevent the government from getting the most for its money.”

Keep reading this article at: https://www.nextgov.com/policy/2018/07/software-companies-push-senate-weaken-lowest-price-contracting-rule/149878/

NIST to host CUI information security workshop on Oct. 18th

By

The National Institute of Standards and Technology (NIST), in coordination with the Department of Defense (DoD) and the National Archives and Records Administration (NARA), will host a Workshop providing an overview of Controlled Unclassified Information (CUI) on October 18, 2018.

The agenda for the Workshop shows a full day of panels, including those addressing DoD’s “Safeguarding Covered Defense Information and Cyber Incident Reporting” Clause (DFARS Cyber Rule), overviews of NIST Special Publications (SPs) 800-171 and 800-171A, and Government expectations when evaluating contractor implementation of the 800-171 security controls.

In addition to the panels described in the agenda, the Workshop may provide an opportunity to address questions about DoD’s April 2018 draft guidance for the Department’s assessment of contractors’ System Security Plans (SSPs) and implementation of the security controls in NIST SP 800-171.

The NIST Workshop is open to all interested stakeholders and is free to attend. Registration for in-person attendance can be made at the NIST website and is required by October 11, 2018. NIST has stated that the Workshop also will be available via webcast.  Advanced registration is not required for the webcast.

More information available at: https://www.insidegovernmentcontracts.com/2018/07/cui-workshop/

See GTPAC’s video, template and other resources designed to help contractors comply with the DoD/NIST cybersecurity rules at: http://gtpac.org/cybersecurity-training-video/

How multifactor authentication can help DoD contractors achieve DFARS compliance

By

To say that organizations today are concerned about cybersecurity would be a gross understatement.

Every time we turn around, there are reports of incidents where cybercriminals have either gamed a global social media tool or compromised a corporate customer database.

Needless to say, the U.S. government has also been extremely focused on cybersecurity — as evidenced by its recent directive, the Defense Federal Acquisition Regulation Supplement (DFARS), which aims to help government agencies protect their own data and that of organizations with which they do business.

What Does the DFARS Require?

The regulation requires any Department of Defense (DOD) contractor or subcontractor who handles controlled unclassified information (CUI) to comply with the data-protection standards outlined in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. According to NIST, CUI consists of “any sensitive federal government information routinely processed, stored or transmitted by a contractor in the course of its work providing essential products and services to federal agencies.”

DFARS is part of a worldwide trend of increasingly stringent data security standards. In May 2018, for example, the European Union (EU) enacted its General Data Protection Regulation (GDPR) to enhance user privacy and provide legal recourse when refuting algorithm-based decisions. Also, the Payment Card Industry Data Security Standard (PCI DSS) requires companies that accept credit card payments to host customer data securely with a PCI-compliant hosting provider. These and countless other standards show that data security is top of mind for industry leaders around the world.

Keep reading this article at: https://securityintelligence.com/how-multifactor-authentication-can-help-u-s-government-contractors-achieve-dfars-compliance/

See GTPAC’s video, template and other resources designed to help contractors comply with the DoD/NIST cybersecurity rules at: http://gtpac.org/cybersecurity-training-video/

DHS would get more power to bar risky contractors under dueling proposals

By

Two House Republicans are working on legislation that would expand the Homeland Security Department’s authority to deny contracts to companies that pose cybersecurity supply chain threats while the Trump administration is pushing an even more expansive proposal.

The bill in the House will be modeled on authorities Congress gave the Defense Department in 2011 that were implemented in 2015, said Rep. Scott Perry, R-Pa., who is drafting the bill with Rep. Peter King, R-N.Y.

Under those rules, Pentagon contracting officers can bar vendors that pose a security risk from competing for contracts before they’re awarded and halt contractors from hiring risky subcontractors after an award.

Under current Homeland Security Department rules, contracting officers working on unclassified contracts can’t bar vendors before an award based on information provided by intelligence agencies, Soraya Correa, the department’s chief procurement officer, who testified before two House Homeland Security panels last Thursday.

Keep reading this article at: https://www.nextgov.com/cybersecurity/2018/07/dhs-would-get-more-power-bar-risky-contractors-under-forthcoming-bill/149675/

In doubt? Check with GTPAC!

By

Your team at the Georgia Tech Procurement Assistance Center (GTPAC) stands ready to offer you advice about any aspect of government contracting — especially when you have any doubt about the legitimacy of a contract-related service or solicitation.

We’ve published many articles before about government contracting scams (click here to see previous articles), and once again we want to bring another one to your attention.

Just a few days ago, a GTPAC client contacted one of our Counselors and asked about the legitimacy of a request for a quotation he received, supposedly from the Dept. of Defense (DoD).  Once we examined the email and the attachment that our client sent us, we told him to run — not walk — away from it!

Here Are the Details

The email was purportedly from a DoD official soliciting a quote for some laptops and computer drives.

We examined the email and its attachment, including the following:

  • We called the phone number in the email which was answered by a person who didn’t identify himself.  When we asked questions, he said that he’d have the person identified in the email call us back with details.  No one called back.
  • We checked the identity of the person who supposedly sent the email.  The email’s Quote form identified him as Deputy Director for Procurement at AT&L.   We determined that, in reality, he is DoD’s Deputy Director for Earned Value Management.  AT&L (Acquisition, Technology and Logistics) is a unit within DoD that no longer exists; it’s been reorganized into two groups: research and engineering (R&E) and acquisition and sustainment (A&S).  (See details of that reorganization by clicking here.)
  • We also identified the DoD official’s real email address and his actual phone number; they were not the email address or phone number shown in the email and on the Quote form that was sent to our client.
  • We noted that the federal solicitation number shown on the Quote form was not in the correct format, and the Quote form itself was not a form we have ever seen before.
  • The wording of the email was sloppy and unprofessionally prepared.

Based on the above, we advised our client to not respond because we believe this is a probable scam which will lead to an order to ship the products to a bogus shipping address, for which payment will never be received.  We also alerted the appropriate DoD officials of this probable scam.

What You Should Do

It’s as simple as 1-2-3.

  1. Stay alert to possible scams involving government contracting.  There are many scams in circulation literally every day.
  2. Don’t let the temptation of landing a sale overtake your common sense.  If it looks like easy money, it’s probably bogus.
  3. Whenever you are in doubt, contact GTPAC for advice.  We’ll be happy to check things out for you and provide you with our opinion.  It’s as simple as forwarding anything suspicious to us at: gtpacatl@innovate.gatech.edu.

Remember, the GTPAC team is here to help you succeed in the government marketplace!

P.S.:  If your business is located outside the state of Georgia, you can find a procurement technical assistance center (PTAC) by clicking here.

 

DHS would get more power to bar risky contractors under dueling proposals

By

Two House Republicans are working on legislation that would expand the Homeland Security Department’s authority to deny contracts to companies that pose cybersecurity supply chain threats while the Trump administration is pushing an even more expansive proposal.

The bill in the House will be modeled on authorities Congress gave the Defense Department in 2011 that were implemented in 2015, said Rep. Scott Perry, R-Pa., who is drafting the bill with Rep. Peter King, R-N.Y.

Under those rules, Pentagon contracting officers can bar vendors that pose a security risk from competing for contracts before they’re awarded and halt contractors from hiring risky subcontractors after an award.

Under current Homeland Security Department rules, contracting officers working on unclassified contracts can’t bar vendors before an award based on information provided by intelligence agencies, Soraya Correa, the department’s chief procurement officer, who testified before two House Homeland Security panels last Thursday.

Keep reading this article at: https://www.nextgov.com/cybersecurity/2018/07/dhs-would-get-more-power-bar-risky-contractors-under-forthcoming-bill/149675/

 

Some FAQs answered about DoD’s new cybersecurity rule

By

The majority of Defense Department contractors no doubt by now have drafted and populated a system security plan in accordance with Defense Federal Acquisition Regulation Supplement cybersecurity provisions, which require implementation of the security controls in National Institute of Standards and Technology (NIST) Special Publication 800-171.

The Defense Department clarified last year that the requirement to implement the security controls by the Dec. 31 deadline was satisfied by the creation of a system security plan with plans of action for controls not yet met.

While establishing a system security plan means the contractor is initially compliant, understanding the contractor’s remaining obligations under the defense cybersecurity provisions will help ensure the contractor avoids potentially unforeseen pitfalls and liability.

The “frequently asked questions” updated on April 2 by the Defense Department regarding the provisions, discussed below, provide helpful insight into contractor obligations as well as best practices.

For example, when does a company need to update its system security plan?

Keep reading this article at: http://www.nationaldefensemagazine.org/articles/2018/7/3/viewpoint-some-faqs-answered-about-the-new-cybersecurity-rule

See GTPAC’s video, template and other resources designed to help contractors comply with the DoD/NIST cybersecurity rules at: http://gtpac.org/cybersecurity-training-video/

Facing Chinese cyberthreat, Pentagon to bake better contractor security into buying decisions

By

In the wake of reports China hacked a Navy contractor for sensitive data on submarine warfare, Pentagon officials said they want to build better security into the military’s acquisitions process to better protect the defense industry from Beijing’s tampering.

But it’s unclear whether the defense industry has bought into the nascent effort.

“It is no longer sufficient to only consider cost, schedule and performance when acquiring defense capabilities,” Deputy Under Secretary of Defense for Intelligence Kari Bingen told lawmakers on June 21st.

“We must establish security as a fourth pillar in defense acquisition and also create incentives for industry to embrace security, not as a cost burden, but as a major factor in their competitiveness for U.S. government business.”

Keep reading this article at: https://www.fifthdomain.com/congress/2018/06/21/pentagon-to-bake-better-contractor-security-into-buying-decisions/

Software review provisions proposed by Senate Armed Services Committee could have significant impact on DoD contractors

By

As the Senate approaches the end of its debate on the National Defense Authorization Act (NDAA) for Fiscal Year 2019, provisions of the bill regarding access to and review of information technology code deserve close attention.  These sections, if enacted, would significantly impact Department of Defense contractors and also would affect matters associated with investments subject to review by U.S. national security agencies.

As drafted, the provisions could expose current and prospective contractors to intrusive scrutiny and significant risks.  They lack clarity on key definitions, leaving the precise scope of those risks unclear.  We summarize major issues and concerns below.  We expect these provisions to receive scrutiny during the House-Senate conference on the NDAA over the summer.

Synopsis of the Proposed Legislation

Three sections of the Senate’s version of the NDAA, which passed the Senate Armed Services Committee in May, would establish new rules designed to mitigate “risks posed by providers of information technology with obligations to foreign governments.”  Those risks involve the access that foreign governments may have to code in products or services that are offered to the Department of Defense.  The provisions also impose new disclosure requirements on the efforts of a prospective vendor to obtain a license under the Export Administration Regulations (“EAR”) or the International Traffic in Arms Regulation (“ITAR”).

The pending legislation would require proactive disclosure of those matters, and would impose an ongoing duty to supplement those disclosures during the period of performance on the contract.  The Secretary of Defense would be authorized to assess and mitigate any resulting national security risks through contractual provisions or other performance requirements.

Keep reading this article at: https://www.insidegovernmentcontracts.com/2018/06/senate-armed-services-committee-proposes-expansive-unclear-software-review-provisions/

Contracting News

Read More

Contracting Tips

Read More

GTPAC News

Read More

Georgia Tech News

Read More