cybersecurity | Georgia Tech Procurement Assistance Center

What is CUI – The devil is in the details

April 7, 2021 By Andrew Smith

Controlled unclassified information (CUI) is defined, in part, as “information the government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that a law, regulation, or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.”

Despite this seemingly straightforward definition, identifying CUI has been a challenge for the government and contractors. This challenge has become particularly evident as the Defense Department implements its interim rule to the Defense Federal Acquisition Regulation Supplement to protect CUI through a mandatory Defense Department assessment methodology and through a slow rollout of its Cybersecurity Maturity Model Certification program.

Continue reading at: National Defense Magazine

Let’s talk about “zero trust”

March 30, 2021 By Andrew Smith

Zero trust has taken the federal government by storm.

As more and more agencies move to the cloud — and especially as they sustain mass telework during the COVID-19 pandemic and beyond — the perimeters of their networks are becoming obsolete. Unable to place confidence in a traditional firewall in this new environment, agencies have no choice but to give “zero trust” to users and devices on their network, requiring them to validate and identify themselves anytime they move across the IT architecture.

In essence, this is the idea behind zero-trust security.

Listen to the podcast at FedScoop Radio: https://www.fedscoop.com/radio/lets-talk-ep-17-guide-zero-trust-featuring-cisas-sean-connelly/

Podcast: CMMC, and transitioning to the new requirements

March 30, 2021 By Andrew Smith

Everyone knows that DoD gets thousands of attacks every day. These attacks are getting more creative by attacking DoD’s trusted supply chain. The SolarWinds incident is an example of how a trusted software supplier was shown to have been compromised.

To control some of these creative attacks, DoD has created the Cybersecurity Maturity Model Certification (CMMC) that companies who do business with DoD may need to comply with to continue to do business with the DoD in the future.

The Federal News Network recently held a podcast with John Gilroy and FedHIVE CEO Michael Cardaci, who talked about ways to smooth the transition to the Cybersecurity Maturity Model Certification or CMMC.

Listen to the Podcast at: The Federal News Network

Agency hacks could accelerate push to “zero trust” security model

March 22, 2021 By Andrew Smith

Chris DeRusha, the federal chief information security officer, on Thursday in hearing with senators said the White House will push federal agencies to start moving toward a new “zero trust paradigm.”

“In this new model, real-time authentication tests users, blocks suspicious activity, and prevents adversaries from the kind of privilege escalation that was demonstrated in the SolarWinds incident,” he told lawmakers on the Homeland Security and Government Affairs Committee.

Continue reading at: FCW

SolarWinds hack proves contractors need to be prepared for APTs

March 15, 2021 By Andrew Smith

If you don’t know about SolarWinds, then you haven’t been reading the news for the past six months. Last October 2020, it was reported that a widely-used networking tool that helps companies in the public and private sectors manage their Information Technology (IT) portfolios – SolarWinds Orion product — had been compromised. Publicly, it has been reported that about 18,000 private and government users downloaded the tainted software update, and it provided Russian hackers access to their systems. The hack hit Federal agencies, including the Departments of Treasury, Commerce, and State, the Department of Homeland Security (DHS), National Security Agency, and parts of the Pentagon, as well as public and private sector companies. The breadth and depth of this hack are still being assessed.

Continue reading at: Government Contracting Matters

Final rule, formal training on CMMC could hit this summer

February 22, 2021 By Andrew Smith

A final rule on the Defense Department’s unified cybersecurity standard could debut as soon as this summer, defense officials said. But implementation hinges on standing up a formal training system.

Diane Knight, who is DOD’s lead for the Cybersecurity Maturity Model Certification program’s pathfinders and pilots, said a final rule could roll out as soon as April but wouldn’t confirm a concrete timeline.

“There will be a final rule and we have that identified on schedule coming up here too,” Knight said Jan. 26 during a virtual town hall hosted by the CMMC Accreditation Body (AB).

Knight also previewed a “notional” timeline for the pilots where requests for proposals would be released in April and awards coming in August. By April contractors seeking to participate in the pilots would be expected to have prepared for a CMMC assessment, reviewed requirements with subcontractors and to request an authorized third-party assessors (C3PAOs) assessment. Proposals would be due by July, according to the documents, and a certification would be needed when the contract is awarded.

Continue reading at: FCW

DOD’s cybersecurity certification requirements to appear in DHS contracts

February 22, 2021 By Andrew Smith

The Department of Defense is figuring out how to incorporate its Cybersecurity Maturity Model Certification program in contracts offered by the Department of Homeland Security, according to the official helming the initiative.

The CMMC program will ultimately require all defense contractors have their cybersecurity practices certified by a system of independent third-party auditors. As it is now, companies simply pledge their adherence to security controls detailed in standards issued by the National Institute of Standards and Technology.

Rules to implement the program are expected to be finalized as early as next month and have caused some heartburn within the contracting community. But the program is being rolled out in phases—15 prime contractors, and all their subcontractors, are being selected to undergo assessments this year—and won’t be fully applicable until 2025.

Continue reading at: Nextgov

Arrington forecasts CMMC in every DoD contract by FY2026

February 22, 2021 By Andrew Smith

By Fiscal Year 2026, every contractor seeking to do business with the Department of Defense (DoD) will be required to have at least a Level 1 Cybersecurity Maturity Model Certification (CMMC), Katie Arrington, the Pentagon’s CISO for acquisition and sustainment, said Feb. 3.

DoD plans on rolling out 15 prime contracts including the CMMC requirement this year and scales up gradually, topping at 479 contracts in both Fiscal Year 2024 and 2025. Those plans take into account up to around 100 unique sub-contractors on each prime contract, meaning the plan is to have 1,500 CMMC accredited contractors by the end of Fiscal Year 2021, which ends Sept. 30.

“CMMC is coming to a company or a program near you,” Arrington said at Washington Technology’s CMMC webinar Feb. 3. “This is not a checklist…Technology is something that is really great, but you need to understand the risk-reduction strategies associated with it.”

Continue reading at: MeriTalk

You can find GTPAC guidance on CMMC here: https://gtpac.org/cybersecurity-training-video/

GTPAC updates cybersecurity resource page to include CMMC guidance

February 16, 2021 By Andrew Smith

GTPAC has now updated its cybersecurity resource page to include guidance on CMMC.

CMMC stands for “Cybersecurity Maturity Model Certification.” CMMC, which was created by the U.S. Department of Defense (“DoD”), is a unified cybersecurity standard and framework that includes a comprehensive and scalable certification element to verify contractor implementation of required cybersecurity processes and practices.

CMMC is designed to provide assurance to DoD that defense contractors can adequately protect sensitive unclassified information. CMMC is important because if a DoD contract has a CMMC requirement, a contractor will need to obtain a CMMC certification at the required level to win and perform that contract (or subcontract). It is anticipated that eventually, most DoD contracts will require at least some level of CMMC certification.

So if you want to be a DoD contractor, it’s important to learn about CMMC. You can find more detailed information on CMMC and other cybersecurity standards, such as NIST 800-171, on our cybersecurity resource page.

NIST finalizes enhanced security requirements for combating advanced cyber threats

February 16, 2021 By Andrew Smith

The National Institute of Standards and Technology (NIST) recently released the final version of NIST Special Publication (SP) 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information. Designed to supplement the requirements in NIST SP 800-171—the applicable standard under DFARS 252.204-7012—800-172 provides 35 enhanced security requirements to protect controlled unclassified information (CUI) associated with critical programs and high-value assets from sophisticated adversaries referred to as advanced persistent threats (APTs).

Continue reading at: Crowell

What is CUI – The devil is in the details

Let’s talk about “zero trust”

Podcast: CMMC, and transitioning to the new requirements

Agency hacks could accelerate push to “zero trust” security model

SolarWinds hack proves contractors need to be prepared for APTs

Final rule, formal training on CMMC could hit this summer

DOD’s cybersecurity certification requirements to appear in DHS contracts

Arrington forecasts CMMC in every DoD contract by FY2026

GTPAC updates cybersecurity resource page to include CMMC guidance

NIST finalizes enhanced security requirements for combating advanced cyber threats

Contracting News

Federal contractor indicted for stealing over $1.2 million from the U.S. Postal Service

CMMC announces new advisory council to collect industry feedback

EEOC announces April 26 opening date for the collection of 2019 and 2020 EEO-1 component 1 data

Contractors line up to rebuild MARTA’s Five Points Station

GDOT announces $828.8 million in projects to transform Ga. 316

Contracting Tips

A whole new marketplace: GSA’s “commercial platforms” initiative

CRS Reports: Mentor-Protégé programs and small business size standards

CRS Report: Small businesses and COVID-19, relief and assistance resources

How do I find out what the government is buying?

Past performance isn’t always a required evaluation factor, says GAO

GTPAC News

SBA hosting “Contract Bonds and Surety Bond Guarantee” webinar April 20th

GSA hosting “Getting on the GSA Schedule” webinar April 13th

NIH hosting 2021 small business program conference April 26-30th

Defense Counterintelligence and Security Agency hosting industry day and matchmaking May 6th and 20th

Missile Defense Agency hosting virtual conference May 11-13th

Georgia Tech News

Georgia Tech creates new Office of Corporate Engagement

Delta Jacket wins 2021 Georgia Tech InVenture prize

Future of 5G is under the microscope at Georgia incubator

Collective worm and robot “blobs” protect individuals, swarm together

The Partnership for Inclusive Innovation is now accepting applications for pilot programs