Georgia Tech Procurement Assistance Center

DoD issues final guidance for assessing contractor compliance with NIST SP 800-171

By

The Department of Defense (DoD) recently issued final guidance for requiring activities to assess contractors’ System Security Plans (SSPs) and their implementation of the security controls in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.

A draft of this guidance was made available for public comment in April 2018.  As noted in an earlier post on the draft guidance, DoD’s proposed approach raised significant questions as to what role offerors’ implementation of the security controls in NIST SP 800-171 would play in bid protests, contract performance, and post award audits.  In the memorandum accompanying the final guidance documents, DoD notes that it has incorporated comments it received from the public into the final guidance.  As discussed below, although the DoD has addressed some of the issues raised by the April draft, the final guidance adds some additional concerns and ambiguities.

The final guidance consists of two documents.  The first document is “Guidance for Assessing Compliance of and Enhancing Protections for a Contractor’s Internal Unclassified Information System,” which provides direction to requiring activities for including evaluation criteria in solicitations and in contracts for assessing contractor compliance with NIST SP 800-171.  The second document is “DoD Guidance for Reviewing System Security Plans and the NIST SP 800-171 Security Requirements Not Yet Implemented,” which addresses how DoD should assess the impact and risk of NIST SP 800-171 security controls that a contractor has not yet implemented.

Keep reading this article at: https://www.insidegovernmentcontracts.com/2018/11/dod-issues-final-guidance-for-assessing-contractor-compliance-with-nist-sp-800-171/

See GTPAC’s video, template and other resources designed to help contractors comply with the DoD/NIST cybersecurity rules at: http://gtpac.org/cybersecurity-training-video/

GSA proposes new cybersecurity reporting rules for contractors

By

The General Services Administration (GSA) is proposing new rules shaping how contractors protect government information on the IT systems they manage.

Tucked in a Friday Federal Register post detailing the Unified Agenda of Federal Regulatory and Deregulatory Actions, two proposed rules — GSAR Case 2016-G511 and 2016-G515 — call for amending the General Services Administration Acquisition Regulation to include requirements for contractors to safeguard GSA information in a solicitation’s statement of work, as well as the procedures for they inform the agency of a potential breach.

GSAR Case 2016-G511 allows contracting officers to implement agency cyber requirements and standards into each solicitation, providing a centralized cybersecurity guidance across the enterprise for contractors to adhere to.

Keep reading this article at: https://www.fedscoop.com/gsa-proposes-2-new-cybersecurity-reporting-rules-contractors/

Resources for complying with DoD’s current contractor cybersecurity rules may be found here: https://gtpac.org/cybersecurity-training-video/

Revisions coming for NIST’s data protection guide, will address ‘advanced’ cyber threats

By

The National Institute of Standards and Technology (NIST) is planning to issue a draft second revision to its guidelines for controlled unclassified information handled by the Defense Department and government contractors, in order to better address “advanced persistent threats,” according to a key NIST official.

The upcoming draft revisions are based on recent assessments that information critical for national security requires “enhanced” protections, the NIST official said at a public meeting updating industry and government officials on the data requirements at NIST headquarters on Oct. 18, 2018.

NIST’s Ron Ross said a draft revision to NIST guideline 800-171 would be issued before the end of the year for public comment. The revisions are “just in the planning stages this week” and a formal announcement will be issued soon. Ross said the enhanced requirements would be proposed for comment as an appendix to the overall document to offer additional protections beyond “basic” controls outlined in chapter three of the guidelines.

The NIST guidelines are the basis for Defense Federal Acquisition Regulation Supplement, or DFARS, for cybersecurity risks issued in 2017 and still being implemented by DOD.

Keep reading this article at: https://insidedefense.com/insider/nist-official-revisions-coming-data-protection-guide-will-address-advanced-cyber-threats

See GTPAC’s video, template and other resources designed to help contractors comply with the DoD/NIST cybersecurity rules at: http://gtpac.org/cybersecurity-training-video/

Cybersecurity compliance: A key to future DoD contract awards

By

In a recent address at the Air Force Association’s Air, Space & Cyber Conference, Deputy Secretary of Defense Patrick Shanahan emphasized that cybersecurity will become a “critical measurement” for making contract awards as well as a significant consideration in holding a government contractor accountable for its performance.

Shanahan noted that while DoD acquisitions currently focus on three critical measurements—quality, cost and schedule—cybersecurity is “probably going to be what we call the . . . fourth critical measurement.” The DoD is “going to work with [its] industrial partners to help them be as accountable for security as they are for quality.”

Shanahan also noted that adequate cybersecurity protection is part of the standard baseline of government contracting security—it is not an optional feature. He commented, “And it shouldn’t be that being secure comes with a big bill. It’s just like we wouldn’t pay extra for quality.” Consequently, government contractors should recognize that the government “shouldn’t pay extra for security,” he added. Rather, “security is the standard. It’s the expectation. It’s not something that’s above and beyond what we’ve done before.”

Keep reading this article at: http://www.mondaq.com/article.asp?articleid=742094

See GTPAC’s video, template and other resources designed to help contractors comply with the DoD/NIST cybersecurity rules at: http://gtpac.org/cybersecurity-training-video/

Security assessments soon may be part of DoD government contracts acquisition process

By

Identifying threats and improving network and supply chain security has been an ongoing effort by Congress and the Department of Defense (DoD) for the past several years.

Congress has included multiple provisions in the annual National Defense Authorization Acts to spur action by the DoD to address weaknesses in contractor supply chains for electronic parts and vulnerabilities to cyber threats in contractor information technology systems. In turn, the DoD has amended the Defense Federal Acquisition Regulation Supplement (DFARS) to impose new performance requirements on contractors and subcontractors in DoD procurement contracts. This cascading effort of turning policy into contract performance has been steady but slow and of questionable efficacy.

A new initiative under consideration by the DoD could change that. In June testimony to Congress, the DoD said it has started a new initiative known as “Deliver Uncompromised” to “elevate the private sector’s focus on security.” The DoD’s goal is to establish security as a “fourth pillar” in acquisition, “on par with cost, schedule and performance.” The hope is to create incentives for industry to “embrace security, not as a ‘cost center,’ but as a key differentiator” in competitions for procurement contracts.

In August 2018, the nonprofit group Mitre Corporation (Mitre) released a report called “Deliver Uncompromised,” which describes how the DoD and the intelligence community face daily strategic attacks from foreign adversaries in the supply chain domain (e.g., software, hardware, and services) and cyber domain (e.g., informational technology and cyber-physical such as weapons systems). Mitre’s report calls for a unified focus of resources from both the DoD and government contractors to prioritize risk mitigation through enhanced infrastructure and better coordination.

While the DoD cannot require private companies to invest in specific security measures, the Mitre report recommends that the DoD use its purchasing power and regulatory authority to influence and shape the conduct of the DoD suppliers. For example, the DoD may begin defining procurement requirements with new security measures, or rewarding contractor proposals with superior security measures by elevating security as a primary metric for evaluation during the source selection process. The DoD could also include terms and conditions in its contracts that impose security requirements, and then use those contractual terms post-award to monitor contractor compliance.

Keep reading this article at: http://www.mondaq.com/article.asp?articleid=737662

GTPAC has created a video and a template to help businesses comply with DoD’s cybersecurity requirements.  These resources appear at: http://gtpac.org/cybersecurity-training-video/

Here’s a description of information security requirements for federal contractors

By

The federal government is requiring federal contractors to implement specific guidance in the form of NIST 800-171 in an effort to curb the trend of federal government data being exposed on contractor networks. This disturbing trend has occurred for a few reasons.

First, federal contracts often require the use of contractor-owned information systems to process federal information. These information systems historically do not meet the government’s requirements and, as a result, have led to information being exfiltrated by nation-state attackers.

An example of this lack of security in contractor information systems became known in May 2017 when federal contractor Booz Allen Hamilton left unencrypted Pentagon files on a publically accessible Amazon server. This resulted in 60,000 sensitive files — plenty of which referred to the U.S. National Geospatial-Intelligence Agency (NGA) — being exposed on the internet for anyone to access.

Keep reading this article at: https://www.forbes.com/sites/forbestechcouncil/2018/09/04/information-security-requirements-for-u-s-federal-contractors/#3daa7183451b

See GTPAC’s video, template and other resources designed to help contractors comply with the DoD/NIST cybersecurity rules at: http://gtpac.org/cybersecurity-training-video/

Strict security notification and disclosure requirements for government contractors

By

Businesses that seek to obtain and preserve contracts with the United States government, or to deal in certain enumerated defense articles and services, are subject to strict privacy regulations imposed by the U.S. government.

For those under contract (or subcontract) with the U.S. Department of Defense (DoD), the Defense Federal Acquisition Regulation Supplements (DFARS) place stringent minimum security requirements and reporting obligations that must be met, otherwise a business could face financial penalties or termination of its contract.

Businesses that export and import defense articles or services and related technical data must comply with the International Traffic in Arms Regulations (ITAR), which comprise approval, registration and records maintenance requirements. If a violation of ITAR is voluntarily reported, the penalties imposed by the U.S. Department of State’s Directorate of Defense Trade Controls (DDTC) can be reduced.

Businesses subject to DFARS and ITAR should have a compliance program in place that includes an appropriate response to any security incident.

Keep reading this article at: http://www.mondaq.com/article.asp?articleid=733388

See GTPAC’s video, template and other resources designed to help contractors comply with the DoD/NIST cybersecurity rules at: http://gtpac.org/cybersecurity-training-video/

Pentagon cyber shortfalls leave data at risk, key senators warn

By

The Pentagon isn’t taking strong enough action to ensure that defense contractors are protecting highly technical but unclassified information from hacking, according to the top lawmakers on the Senate Armed Services Committee.

The Senate panel “has gathered information that suggests DoD is simply not doing enough to protect controlled, unclassified information,” the lawmakers, including ailing Republican Chairman John McCain and Jack Reed, the panel’s top Democrat, wrote to Defense Secretary Jim Mattis in a previously undisclosed letter obtained by Bloomberg News.

“We are concerned with existing regulations and best practices” not being followed in matters such as contracts lacking appropriate cybersecurity clauses, computer networks operating without multifactor authentication for access, strong remote user policies and “insufficient third-party verification of compliance with cybersecurity standards,” the lawmakers wrote last month.

The vulnerability of U.S. systems to hacking has been highlighted in recent years by incidents including attacks on banks and energy infrastructure, as well as efforts to infiltrate state election systems in 2016 and this year. Earlier this year, five pipeline operators in the U.S. said their third-party electronic communications systems were shut down by hackers. The U.S. says the biggest foreign hacking threats come from Russia, China and Iran.

Keep reading this article at: https://www.bloomberg.com/news/articles/2018-08-23/pentagon-cyber-shortfalls-leave-data-at-risk-key-senators-warn

The Georgia Tech Procurement Assistance Center (GTPAC) has produced a video, template and other resources designed to help contractors comply with the DoD/NIST cybersecurity rules.  These resources are available  at: http://gtpac.org/cybersecurity-training-video/

Software companies push Senate to weaken lowest price contracting rule

By

Lawmakers are once again looking at ways to peel back the use of lowest price technically acceptable, or LPTA, contracting decisions to enable federal agencies to spend a little more for better products and services.

As part of the Federal Acquisition Regulation, LPTA requires agencies to choose the lowest priced option that meets the requirements set forth in a given solicitation. Abiding by the letter of the law has led to poor contracting decisions for the sake of saving some money.

“LPTA contracting is a useful source selection method for acquisitions with simple, well-defined requirements when cost is the sole objective differentiating factor,” BSA | The Software Alliance Vice President Craig Albright wrote in a letter to the Senate Armed Services Committee. “However, when it comes to more complex acquisitions involving multiple technical variable or functions … LPTA’s priority of price over value leads to acquisition outcomes that actually prevent the government from getting the most for its money.”

Keep reading this article at: https://www.nextgov.com/policy/2018/07/software-companies-push-senate-weaken-lowest-price-contracting-rule/149878/

NIST to host CUI information security workshop on Oct. 18th

By

The National Institute of Standards and Technology (NIST), in coordination with the Department of Defense (DoD) and the National Archives and Records Administration (NARA), will host a Workshop providing an overview of Controlled Unclassified Information (CUI) on October 18, 2018.

The agenda for the Workshop shows a full day of panels, including those addressing DoD’s “Safeguarding Covered Defense Information and Cyber Incident Reporting” Clause (DFARS Cyber Rule), overviews of NIST Special Publications (SPs) 800-171 and 800-171A, and Government expectations when evaluating contractor implementation of the 800-171 security controls.

In addition to the panels described in the agenda, the Workshop may provide an opportunity to address questions about DoD’s April 2018 draft guidance for the Department’s assessment of contractors’ System Security Plans (SSPs) and implementation of the security controls in NIST SP 800-171.

The NIST Workshop is open to all interested stakeholders and is free to attend. Registration for in-person attendance can be made at the NIST website and is required by October 11, 2018. NIST has stated that the Workshop also will be available via webcast.  Advanced registration is not required for the webcast.

More information available at: https://www.insidegovernmentcontracts.com/2018/07/cui-workshop/

See GTPAC’s video, template and other resources designed to help contractors comply with the DoD/NIST cybersecurity rules at: http://gtpac.org/cybersecurity-training-video/

Contracting News

Read More

Contracting Tips

Read More

GTPAC News

Read More

Georgia Tech News

Read More