Georgia Tech Procurement Assistance Center

The Navy gets tough on DFARS cybersecurity compliance

By

Last year we told you about a 2018 Navy memo, known as the Geurts Memo, which required defense contractors to implement certain controls for NIST SP 800-171, some of them going beyond 171 requirements.  If you didn’t see our write-up, it can be found here: “Still Lagging on DFARS? The Navy Has A Memo For You”.

The Navy has now gone several steps beyond that 2018 memo and is requiring their contracting officers to implement a strict regime when it comes to their contractors’ compliance with NIST SP 800-171 and the Guerts Memo.

Continue reading at:  Sera-Brynn

DoD releases public draft of cybersecurity maturity model certification

By

On September 4, the Office of the Assistant Secretary of Defense for Acquisition released Version 0.4 of its draft Cybersecurity Maturity Model Certification (CMMC) for public comment.  The CMMC was created in response to growing concerns by Congress and within DoD over the increased presence of cyber threats and intrusions aimed at the Defense Industrial Base (DIB) and its supply chains.  In its overview briefing for the new model, DoD describes the draft CMMC framework as a “unified cybersecurity standard” for DoD acquisitions that is intended to build upon existing regulations, policy, and memoranda by adding a verification component to cybersecurity protections for safeguarding Controlled Unclassified Information (CUI) within the DIB.  As discussed in a prior post, the model describes the requirements that contractors must meet to qualify for certain maturity certifications, ranging from Level 1 (“Basic Cyber Hygiene” practices and “Performed” processes) through Level 5 (“Advanced / Progressive” practices and “Optimized” processes), with such certification determinations to generally be made by third-party auditors.

The CMMC establishes a new framework for defense contractors to become certified as cybersecurity compliant.  DoD has stated that it intends to release Version 1.0 of the CMMC framework in January 2020 and will begin using that version in new DoD solicitations starting in Fall 2020.  Notwithstanding the pendency of these deadlines, a large number of questions remain outstanding.  DoD is seeking feedback on the current version of the model by September 25, 2019.

Continue reading at:  Covington’s Inside Government Contracts

Bad bid: Malicious actors target government contractors

By

IT personnel working the trenches in the fight against malicious emails know that financial transactions — and the various documents that support and accompany those transactions — provide malicious actors seemingly endless fodder for clever phishing attacks designed to separate legitimate organizations from their money and reputations, as well as their customers, clients, and partners.

Indeed, fake invoices, RFQs, POs, ACH documents, and remittance forms collectively constitute the “social engineering” backbone of innumerable phishing campaigns.  And hapless employees keep falling for them, clicking through malicious links and opening malware-laden attachments — often with nary a thought to the potential consequences — bringing malicious actors and their sophisticated malware inside their employers’ networks.

Over the past few months we have observed the increasing use of yet another type of transaction-based social engineering scheme designed to hook companies dependent on government contracts: the invitation to bid.  In what follows, we’ll take a look at a number of actual phishing emails reported to us by customers using the Phish Alert Button (PAB).

Continue reading at:  SC Magazine

Prepare now to secure ‘controlled unclassified information’

By

Nowadays, many people are familiar with at least some types of protected information, whether in the form of personal health information or government-classified information. But, contractors working with the Department of Defense (“DoD”) must remember to protect another type of information: controlled unclassified information (“CUI”). Failure by government contractors to put processes in place that protect CUI could result in the loss of contracting opportunities or potential False Claims Act-related litigation.  For more information about the far-reaching implications of cybersecurity requirements on government contractors, please also see Matt Feinberg’s blog on the recent settlement of a cybersecurity False Claims Act (“FCA”) litigation; Isaias “Cy” Alba’s piece about cybersecurity, implied certifications, and the FCA; and Dave Shafer’s analysis of current cybersecurity standards and the DoD’s plans to remedy confusion.

Continue reading at:  Piliero Mazza

Contractors have questions about DOD’s cyber requirements

By

The Pentagon is making big moves in an effort to improve cybersecurity for its industrial base, but so far the department’s biggest roadblocks early on may be the same confusion, doubt and uneven compliance from contractors that led to the vulnerabilities in the first place.

Officials from the Department of Defense and the National Institute of Standards and Technology gave updates on two nascent programs at an Aug. 8 Information Security and Privacy Advisory Board meeting: NIST’s new draft cybersecurity guidance for contractor systems deemed high value assets and the Pentagon’s Cybersecurity Maturity Model Certification (CMMC) program.

Both are designed to shore up different aspects of DOD’s cybersecurity regime for contractors, and both are causing heartburn among companies who are still unclear about how best to comply.

The NIST draft guidance around high value assets recently went out for public comment earlier this year.  The more than 600 responses reflect confusion about the scope and application of the requirements.

Continue reading at:  FCW.com

Cybersecurity – The Times (and Standards) They Are A Changin’ – FAST!

By

As we reported last month, the Department of Defense (DoD) has been engaging in an unusual rollout of its new cybersecurity certification program by way of  road tours—led by Katie Arrington, the Special Assistant to the Assistant Secretary of Defense for Acquisition and Sustainment for Cyber—that address the tiered, five-level Cybersecurity Maturity Model Certification (CMMC).  At bottom, DoD intends for the CMMC to help streamline the acquisition process by providing acquiring agencies and consenting contractors with more exacting cybersecurity requirements for future acquisitions.  What’s unique about the CMMC rollout is the lack of written guidance on the program.  DoD representatives have orally provided a majority of publicly available information about CMMC only during various webinars and defense-industry events held over the past couple of months.  Indeed, a quick Google search for “CMMC” indicates that, at this time, hard facts about the program appear to be limited to FAQs on a DoD website.

That word of mouth rollout continued during a July 9 presentation at the National Defense Industrial Agency Procurement Division Meeting in Washington, D.C.  During this presentation, Ms. Arrington both reconfirmed some previously discussed details about the CMMC program and provided additional insight into program components that will be of interest to contractors doing business with DoD when the program comes to fruition.

Continue reading at:  McCarter & English

Industry wants to know exactly what Huawei ban means for contractors

By

Due to concerns of espionage and infiltration, federal agencies can no longer contract with companies that use technologies from two Chinese companies: Huawei and ZTE.  But exactly how that ban will impact the federal contracting community is still up in the air.

A provision in the 2019 National Defense Authorization Act prevents agency heads from signing contracts “with an entity that uses any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system.”

As federal agencies grapple with how to meet this directive, the Defense Department, General Services Administration and NASA held a forum Friday to hear from industry stakeholders and allow members of the Federal Acquisition Regulatory Council to ask questions.

Comments varied from nonplused to strongly concerned over how the legislation will affect ongoing federal business, including federal grants used for local public safety improvements.  Despite differences in perspective, all speakers agreed on one thing: The current language is ambiguous.

Continue reading at:  Nextgov

Uncle Sam wants you — and your DFARS compliance

By

Following rules of engagement is a common concept, but knowing the rules — and whether they really apply to one’s own business — is not always a common condition.  The federal market can be especially confusing for smaller companies that may be delivering similar products or services to both civilian and military/defense/aerospace agencies.

If you know enough to ask about DFARS 252.204-7012 compliance, hold grants or contract awards subject to the provisions, or are contemplating entering the Department of Defense (DoD) market, you should at least be on the path to Defense Federal Acquisition Regulation Supplement (DFARS) compliance.  By September 2020, meeting the required security level contained in a DoD solicitation will be the basis for a go/no-go decision on further consideration of an offeror’s cost, schedule, and performance qualifications.

Announced changes to federal procurement practices, particularly for DoD-related contracts, put into play provisions for supply chain security and resiliency based, in part, on the 2018 “Deliver Uncompromised” study from MITRE Corporation.  Widely publicized leaks of government-funded intellectual property and other proprietary information have intensified concerns about the vulnerability of the defense industrial base (DIB), one of the 16 industry sectors defined by the Department of Homeland Security (DHS) as “critical infrastructure.”  The Office of the Under Secretary of Defense for Acquisition & Sustainment notes on its website that DoD is “planning a series of engagements across the United States in order to solicit inputs and feedback from the [DIB] sector.”

Continue reading at:  IndustryWeek

Will defense contractors be ready for CMMC?

By

Defense contractors will face big changes and tight timelines over the next year as the Department of Defense rolls out its new Cybersecurity Maturity Model Certification framework, experts say.

The framework, which aims to certify a company’s compliance with federal cybersecurity regulations around controlled unclassified information (CUI), was announced by DOD officials in June.  It will be used to evaluate and rate contractors’ ability to protect sensitive data on a 1-5 scale starting next year.

The initial version of the framework is scheduled to go public in January 2020.  By June 2020, its requirements will start appearing in requests for information, and will become a regular feature of defense procurement by September 2020.  That means defense contractors will have less than eight months to implement changes for compliance with the Defense Federal Acquisition Regulation Supplement and National Institute of Standards and Technology guidance on protecting CUI.

Continue reading at:  FCW

Cybersecurity: front and center for industry

By

“Deliver Uncompromised,” the “Fourth Pillar of Acquisition” or “Securing the DoD Supply Chain” — no matter what turn of phrase one uses to discuss protecting the defense industrial base and the equipment and support it provides warfighters from cyber threats, this issue stands front and center for the Pentagon and for the people and companies that provide its capabilities.

Experts estimate losses of about $600 billion per year in the transfer of wealth, expertise and trade secrets due to cyber crime.  Adversaries and bad actors specifically target the defense industrial base, using the pilfered data to close capability gaps with the United States, its allies and partners.

The National Defense Strategy and the National Cyber Strategy lay it bare, “Our competitors — including … foreign adversaries such as Russia and China — are also using cyber to try to steal our technology.”  Protecting U.S. advantages demands better government-industry collaboration.  Fortunately, that is happening with the end state an effective, holistic cyber defense.

Despite being the home of cyberspace and the innovative tech giants who used it to transform society and the economy, America — both its government and its traditional industries — has responded slowly to growing and increasingly adaptive cyber threats.  That said, stakeholders now recognize the challenge and have begun responding with concrete actions.  Called out in the series of 2018 strategy documents, the cyber hygiene of U.S. government contractors, especially those in the defense industrial base, will likely soon require third-party cybersecurity certification for contractors to participate in any Defense Department contract.

Continue reading at:  National Defense Magazine 

Contracting News

Read More

Contracting Tips

Read More

GTPAC News

Read More

Georgia Tech News

Read More