Georgia Tech Procurement Assistance Center

Pentagon to unveil new Cybersecurity Maturity Model Certification (CMMC) for defense contractors

By

The Department of Defense announced that it is developing a new cybersecurity standard and certification for defense contractors.  It is named the “Cybersecurity Maturity Model Certification” (CMMC).

Notably, the intent of the CMMC is to improve cybersecurity deficiencies in the defense industrial base and secure the supply chain.

The CMMC is expected to be based on NIST SP 800-171, as is the current Defense Federal Acquisition Regulation Supplement (DFARS) rule.  Specifically, DFARS Clause 252.204-7012 requires defense contractors handling sensitive, unclassified information to implement the 110 security controls of NIST SP 800-171.

However, the CMMC may incorporate or rely on frameworks in addition to NIST SP 800-171.

According to news reports, the CMMC will serve as the enforcement mechanism lacking in the current DFARS rule.

Although the draft CMMC has not yet been published, it’s been reported that there will be 5 levels of certification.  The levels will range from basic cyber hygiene to “State-of-the-Art.”  DoD contracts will require specific levels — and awards will be “go/no-go” based on the contractor’s certification status.

This is a fundamental change to how defense contracts are awarded today.

Read more at:  JD Supra

Northrop Grumman to provide free cybersecurity training to small businesses June 4th

By

Northrop Grumman, in collaboration with the USC Center for Economic Development, is offering FREE cybersecurity training to small businesses.  The workshop is open to all small businesses, but advance registration is required.

The primary purpose of the one-day 8-hour workshop is to ensure that small businesses are aware of the cybersecurity requirements mandated under Defense Federal Acquisition Regulations Supplement (“DFARS”) Subpart 204.73 (Safeguarding Covered Defense Information and Cyber Incident Reporting).  The workshop will focus on understanding the risks associated with safeguarding controlled unclassified DoD information. 

The workshop will focus on the groups of controls from NIST SP 800-171, with examples highlighting what happens when these controls are not implemented.  By the end of the workshop, small businesses will become familiar with all 110 controls and be able to better identify the areas where you may need greater focus to meet the DoD’s cybersecurity expectations.

Here are the details about the event:

Date:  Tuesday, June 4, 2019

Time:  8 a.m. to 5 p.m. ET

Location:  Loudermilk Conference Center, 40 Courtland Street NE, Atlanta, GA 30303

The training will also be available online via webinar.

For registration, visit:  https://events.r20.constantcontact.com/register/eventReg?oeidk=a07eg5xonme7588be26&oseq=&c=&ch=

Regional banker says Augusta government contracting boom imminent

By

The Augusta metro area is sitting on a powder keg of cybersecurity investment, and the fuse is getting shorter by the day.

Ed Spenceley, a government contracting specialist for Bank of America Merrill Lynch, said the nation’s growing defense budget and Augusta’s burgeoning cyber industry puts the region on a collision course with companies looking for government contracts.

The retired U.S. Army intelligence specialist, speaking at the Invest Augusta conference Thursday, said he sees Augusta as an “epicenter” for cyber-based industries well beyond the arrival of Army Cyber Command to Fort Gordon next year.

Continue reading at:  The Augusta Chronicle

Weak links in the defense supply chain

By

Industry experts told Congress recently that poor awareness of federal cybersecurity contracting standards and a lack of visibility by contractors into their own supply chains are at the heart of problems that have led to widespread targeting and theft of U.S. economic and national security secrets by nation state hackers.

According to a survey of small and medium-sized defense contractors conducted by the National Defense Industrial Association, less than 60 percent of respondents said they read the Defense Federal Acquisition Regulation Supplement that lays out minimum security standards for contractor information systems, while nearly half of those who did said they found it hard to understand.

About 45 percent of respondents hadn’t read National Institute for Standards and Technology guidelines for protecting controlled unclassified information.

Keep reading this article at: https://fcw.com/articles/2019/03/31/defense-supply-chain-weak-links.aspx

See GTPAC’s video, template and other resources designed to help contractors comply with the DoD/NIST cybersecurity rules at: http://gtpac.org/cybersecurity-training-video/

Holding government contractors responsible for cybersecurity is trickier than it sounds

By

The federal government wants to hold defense contractors accountable for the cybersecurity of their supply chains but that’s no easy feat, experts said recently.

On March 26th, industry representatives told lawmakers on the Senate Armed Services Committee about attempting to tackle cyber threats as a federal contractor. Much of the hearing was focused on one specific issue: increasingly complex levels of supply chains make it difficult for prime contractor to ensure all subcontractors are upholding cybersecurity protections. And that ever-lengthening chain increases the possibility of compromised information or cyberattacks.

“I don’t know why we don’t hold the larger contractors who are responsible for the contract to make sure the subcontractors they are hiring have protections,” Sen. Joe Manchin, D-W.V., said. “Somebody has to be held accountable.”

Keep reading this article at: https://www.nextgov.com/cybersecurity/2019/03/holding-government-contractors-responsible-cybersecurity-trickier-it-sounds/155862/

Keeping up with DoD cybersecurity compliance demands

By

On Jan. 21, 2019, Ellen Lord, the Under Secretary of Defense for Acquisition and Sustainment, issued a memorandum focused on assessing contractor compliance with the DFARS cyber clause via audits of a Contractor’s purchasing system.  One intent of this guidance is to have the Defense Contract Management Agency, or DCMA, “validate, for contracts for which they provide contract administration and oversight, contractor compliance with the requirements of DFARS clause 252.204-7012.”

This would be done as part of a review of a contractor’s purchasing system in accordance with DFARS 252.244-7001.  Pursuant to this DFARS clause, contractors are required to provide adequate security on their internal networks to protect Covered Defense Information (CDI) and are required to flow DFARS clause 252.204-7012 “Safeguarding Covered Defense Information and Cyber Incident Reporting” to subcontractors without alteration.

On Feb. 26, 2019, the DCMA updated its Contractor Purchasing System Review (CPSR) Guidebook to incorporate requirements from the January 2019 memorandum. In particular, the “Supply Chain Management Process” outlined in Appendix 24 states that “[p]rotecting Controlled Unclassified Information is a critical aspect” of supply chain management.

The guidebook assumes obligations that are beyond those imposed by the DFARS clause, presumably assuming that new requirements will be imposed contractually in the future.

Keep reading this article at: https://www.insidegovernmentcontracts.com/2019/03/keeping-up-with-dod-cybersecurity-compliance-demands/

DoD testing secure cloud to help small contractors protect data

By

The Pentagon still has deep concerns about thefts of sensitive Defense data from contractor systems. But it’s concluded that simply using contract terms to order firms to improve their security isn’t going to do the job.

So the department is testing ways to extend its own cybersecurity expertise and infrastructure to small and medium-sized businesses who don’t have the wherewithal to adequately secure their systems against nation-state attackers. Specifically, it plans to build a secure cloud to house the Defense data companies need to perform their contracts, instead of requiring them to store it themselves.

DoD’s research and development budget for 2020 includes $15 million for a small project the department terms the Defense Industrial Base (DIB) Secure Cloud Managed Services Pilot. In the early going, the Pentagon plans to make the cloud service available to “a subset” of small and medium companies that “support prioritized, critical DoD missions and programs.”

In contract terms, the department would treat the secure cloud as Government Furnished Equipment (GFE), said Ellen Lord, the undersecretary for acquisition and sustainment.

Keep reading this article at: https://federalnewsnetwork.com/defense-news/2019/03/dod-will-test-secure-cloud/

 

Readying contractors’ security plans for evaluation

By

The Defense Department recently issued final guidance for requiring activities to assess contractors’ system security plans and their implementation of the security controls in National Institute of Standards and Technology Special Publication 800-171.

It includes a compliance guidance document, which explains how department entities will assess contractor implementation of its security controls, and an impact guidance document, which explains how the Pentagon will assess the risks of security controls not implemented.

The compliance guidance addresses three objectives pre-award: requiring a self-attestation of implementation of the special publication in all proposals; imposing enhanced security controls in certain situations; and providing alternatives for compliance as an evaluation factor.

Defense Federal Acquisition Regulation Supplement 252.204-7008, which is required in every noncommercial off-the-shelf solicitation, provides that “[b]y submission of this offer, the offeror represents that it will implement the security requirements specified by [NIST SP 800-171].” The Defense Department has interpreted “implementation” as having a completed security system plan and a plan of action and milestones for the relevant covered defense information.

If a requiring activity believes that enhanced security controls are required beyond those in NIST SP 800-171, the compliance guidance provides direction for adding the requirements to a solicitation.

The guidance does not define what constitutes “enhanced controls.” NIST is expected to issue a new appendix of enhanced controls in the first quarter of 2019.

Keep reading this article at: http://www.nationaldefensemagazine.org/articles/2019/1/30/readying-security-plans-for-evaluation

See GTPAC’s video, template and other resources designed to help contractors comply with the DoD/NIST cybersecurity rules at: http://gtpac.org/cybersecurity-training-video/

Agencies spent record $64.7 billion on IT contracts in 2018

By

Federal agencies spent a record $64.7 billion on IT contracts in fiscal 2018, according to research released last week by Bloomberg Government.

The nearly $65 billion spent represents a 9.5 percent increase over fiscal 2017 levels, and includes higher levels of spending in cybersecurity ($6.4 billion), cloud computing ($4.1 billion) and almost a doubling of other transaction authority spending, to $4.2 billion from $2.3 billion.

IT spending jumped in both civilian and defense agencies. Across the Defense Department, IT contract spending grew by about 12 percent to $33.8 billion — the highest nominal spending figure ever for the Defense Department, and highest adjusted for inflation IT contract spending since 2012.

Keep reading this article at: https://www.nextgov.com/cio-briefing/2019/01/agencies-spent-record-647b-it-contracts-2018/154510/

‘Supply Chain Cybersecurity Academy’ hosted by Lockheed Martin on Feb. 27

By

The Lockheed Martin Corporation and the National Center for American Indian Procurement Technical Assistance Center (PTAC) are inviting interested vendors to participate in the Lockheed Martin Supply Chain Cybersecurity Academy to be held:

  • Date: Wednesday, February 27, 2019
  • Time: 8:15 a.m. Registration – (9:00 a.m. to 12:00 p.m. cybersecurity training, plus lunch with Lockheed Martin procurement personnel from 12:00 p.m. to 1:00 p.m.)
  • Location: Lockheed Martin Aeronautics, 86 South Cobb Drive, Marietta, GA

A featured part of this event is a special round table discussion for all Woman Owned Small Business owners to meet and greet Lockheed Martin Aero’s WOSB Advocate.  WOSBs with the potential to fulfill Lockheed Martin’s supply needs are encouraged to attend.

The Lockheed Martin Supply Chain Cybersecurity Academy is designed to be a two-way forum offering small businesses the opportunity to learn about the importance of Cybersecurity in today’s Defense Department environment, and the opportunity to meet with various Lockheed Martin personnel.  Training topics within the area of cybersecurity will include legislation and policy, Defense Federal Acquisition Regulation Supplement (DFARS), National Institute of Standards and Technology (NIST), safeguarding covered defense information, cyber incident reporting, best practices, and other key areas.

Space Is Extremely Limited.  No more than two people per company may attend.  If you wish to attend, please complete the  Supplier Registration Form linked not later than February 15, 2019 and send to  orysia.d.buchan@lmco.com with a copy to  george@ncaied.org.

Important Security Requirements.  It’s important that you use the legal name that matches your photo identification.  Only U.S. citizens will be allowed to enter the Lockheed Martin Marietta property.  Also, consult the Visitor Packet linked below.  Once registration is completed, you will receive a follow-up email from Lockheed Martin Security, requesting additional information needed to clear you for visit to the Lockheed Martin facility.  Once completed, returned and accepted, a confirmation email will be sent along with directions to the facility. You will need to bring a photo identification (i.e., driver’s license).

Space is limited, and registrations will be accepted on a first received basis, so please register as soon as possible.

Contracting News

Read More

Contracting Tips

Read More

GTPAC News

Read More

Georgia Tech News

Read More