Georgia Tech Procurement Assistance Center

CMMC 2.0 simplifies requirements but raises risks for government contractors

By

With the announcement of a revamped Cybersecurity Maturity Model Certification (known as CMMC 2.0), for the third time in five years, the U.S. Department of Defense (DOD) announced new, comprehensive cybersecurity standards for government contractors and subcontractors to ensure the protection of sensitive unclassified information, that is, Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).  By referring to the new cybersecurity standard as CMMC 2.0, the DOD implicitly recognizes the likelihood of future versions at an unknown cost to the Defense Industrial Base (DIB).

Nevertheless, version 2.0, which was released after a seven-month review by the Biden Administration, reflects the DOD’s assessment of the DIB’s concerns and reflects the DOD’s efforts to streamline and improve upon its earlier version after criticisms aimed at its cost and complexity.  Specifically, CMMC 2.0 collapses CMMC 1.0’s five tiers to three simplified tiers that are based on the cybersecurity framework implemented and that are devoid of additional CMMC-unique practices and processes.  CMMC 2.0 also will allow “annual self-assessment with an annual affirmation by DIB company leadership” for Level 1 and part of the new bifurcated Level 2 (formerly Level 3).  Otherwise, an independent third-party assessment or government-led assessment will be required.

Besides CMMC 2.0, contractors with CUI are also required to comply with Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7019 and 252.204-7020.  Collectively, these clauses require contractors to enter their compliance with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 into DOD’s Supplier Performance Risk System (SPRS).  DOD will identify medium- and high-risk contracts and perform independent assessments of contractor compliance with NIST SP 800-171 and whether a contractor’s compliance matches what it inputted into SPRS.  Contractors should also be mindful as to whether these disclosures match their prior acceptance of contracts with DFARS 252.204-7012, which required full compliance with NIST SP 800-171.

The return of self-assessment, which was the bedrock of the first DOD cybersecurity standards set out in DFARS 252.204-7012 and whose failure led to the development of CMMC 1.0., creates substantial risks to DIB companies and their leadership.  The U.S. Department of Justice (DOJ) recently announced a new Civil Cyber-Fraud Initiative that emphasized the use of the False Claims Act (FCA), 31 U.S.C. § 3729 et. seq., to bring civil action against government contractors who knowingly misrepresented their cybersecurity practices and protocols.  The FCA allows the government to recover treble damages and permits qui tam suits, which allow whistleblowers to receive a portion of the monies recovered by the government.  In addition, other regulatory agencies have brought enforcement actions for alleged false certifications concerning compliance with agency-required cybersecurity standards.  Thus, the risk of a DOJ investigation or a qui tam suit connected with a DIB company’s self-assessment affirmation is very real, and this announcement – coupled with self-certification options in CMMC 2.0 – should not been seen as a coincidence. Nevertheless, companies can reduce such risks with appropriate cybersecurity policies and a culture of compliance.

Continue reading at:  JD Supra

Navy OSBP hosting cybersecurity “ask me anything” event Dec. 16th

By

The Department of the Navy Office of Small Business Programs is hosting a “Ask Me Anything” cybersecurity event with DAF SBIR/STTR Chief Technology Officer, Ms. Kelley Kiernan.

The event is being held online (virtual) Dec. 16th at 1:00 PM ET.

You can register for the event at the DON OSBP website at this link:  https://www.secnav.navy.mil/smallbusiness/Lists/PastEvents/DispForm.aspx?ID=71

Georgia Defense Industrial Base Task Force hosting CMMC summit May 18th

By

No matter where you’re at on the CMMC journey, there are resources to support you.  Join the Georgia Defense Industrial Base Task Force (GDIBT) – a partnership between the Georgia Department of Economic Development (GDEcD), Georgia Cyber Center, and the Technology Association of Georgia (TAG) on May 18 from 9 a.m. – 12: 30 p.m. to map out your path forward.

Join local businesses as they share their experiences with CMMC and answer your questions.  CMMC-AB Marketplace providers and cyber professionals explain how their tools and ‘turn-key’ services support your CMMC journey.  Chart your course further with a training session focused on NIST 800-171 and more.

PRICE: FREE

FORMAT: VIRTUAL

Event Contact:
Heather Maxfield
(404) 920-2022
Send Email

Date and Time:  Tuesday, May 18, 2021 (9:00 AM – 12:30 PM) (EDT)

Registration Link:  https://members.tagonline.org/calendar/Details/cmmc-summit-337318?sourceTypeId=Hub

AGENDA

9:00 – 9:05 AM                     Larry Williams, President and CEO, TAG 

9:05 – 9:10 AM                     Eric Toler, Executive Director, Georgia Cyber Center

9:10 – 9:20 AM                     Keynote – Dr. Joye Purser, Regional Director—Region 4, Cybersecurity and Infrastructure Security Agency (CISA)

9:20 – 10:20 AM                   Peer Panel, Moderated by Roy Hadley, Adams and Reese, LLP

  • Allison Giddens, Co-President, Win-Tech
  • Allison Stewart, Compliance Analyst & Training, Top Flight
  • Miguel Garcia, AMRAAM Project Manager / Business Development, Collins Manufacturing

10:20 – 10:35 AM                 Break 

10:35 – 11:35 AM                 UGA SBDC “NIST 800-171 + Beyond” Training

  • Mark Lupo, UGA SBDC

11:35 –12:25 PM                  ‘Solutions’ Provider Panel, Moderated by Roy Hadley, Adams and Reese, LLP

  • Horacio Maysonet, President & CEO, Cyber Security Solutions
  • Chris Silvers, Founder and Principal Consultant, CG Silvers
  • Chris Hallenbeck, Chief Information Security Officer, Americas Tanium

12:30 PM                               Closing, Cassia Baker, Georgia Department of Economic Development Center of Innovation for Aerospace 

Mandatory breach notification requirements are coming for government contractors

By

The Biden Administration is imminently expected to release an executive order that will require government contractors to notify the government in the event of a cybersecurity breach.  Despite the relatively steady rise in cyberattacks and breaches over the years and the enactment of consumer data breach disclosure laws in all 50 states, there is currently no standardized reporting requirement for government contractors.  However, the Biden administration has promised executive action on the issue, largely in response to a cyberattack by a suspected nation-state against multiple software companies, including the SolarWinds software company.

Continue reading at:  Husch Blackwell

CMMC is coming: How government contractors can prepare

By

People like to say that cybersecurity threats are constantly evolving.  So perhaps it’s fitting that cybersecurity compliance is undergoing a significant evolution of its own this year, too.

That evolution is the arrival of the Cybersecurity Maturity Model Certification, more commonly abbreviated as CMMC.  CMMC is a new standard for cybersecurity that the U.S. Defense Department is rolling out to defense contractors, requiring companies to enforce new oversight across their operations and down their supply chains.

The Defense Department’s goal is to make CMMC a standard clause for all defense contracts by 2026, including higher education institutions that do government-sponsored defense research; and professional services firms that provide consulting to the Defense Department.

Even if you are not a prime defense contractor, CMMC is still likely to join your list of compliance obligations sometime soon.

Continue reading at:  Risk & Compliance Matters

What is CUI – The devil is in the details

By

Controlled unclassified information (CUI) is defined, in part, as “information the government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that a law, regulation, or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.”

Despite this seemingly straightforward definition, identifying CUI has been a challenge for the government and contractors.  This challenge has become particularly evident as the Defense Department implements its interim rule to the Defense Federal Acquisition Regulation Supplement to protect CUI through a mandatory Defense Department assessment methodology and through a slow rollout of its Cybersecurity Maturity Model Certification program.

Continue reading at:  National Defense Magazine

Let’s talk about “zero trust”

By

Zero trust has taken the federal government by storm.

As more and more agencies move to the cloud — and especially as they sustain mass telework during the COVID-19 pandemic and beyond — the perimeters of their networks are becoming obsolete.  Unable to place confidence in a traditional firewall in this new environment, agencies have no choice but to give “zero trust” to users and devices on their network, requiring them to validate and identify themselves anytime they move across the IT architecture.

In essence, this is the idea behind zero-trust security.

Listen to the podcast at FedScoop Radio:  https://www.fedscoop.com/radio/lets-talk-ep-17-guide-zero-trust-featuring-cisas-sean-connelly/  

Podcast: CMMC, and transitioning to the new requirements

By

Everyone knows that DoD gets thousands of attacks every day.  These attacks are getting more creative by attacking DoD’s trusted supply chain.  The SolarWinds incident is an example of how a trusted software supplier was shown to have been compromised.

To control some of these creative attacks, DoD has created the Cybersecurity Maturity Model Certification (CMMC) that companies who do business with DoD may need to comply with to continue to do business with the DoD in the future.

The Federal News Network recently held a podcast with John Gilroy and FedHIVE CEO Michael Cardaci, who talked about ways to smooth the transition to the Cybersecurity Maturity Model Certification or CMMC.

Listen to the Podcast at:  The Federal News Network

Agency hacks could accelerate push to “zero trust” security model

By

Chris DeRusha, the federal chief information security officer, on Thursday in hearing with senators said the White House will push federal agencies to start moving toward a new “zero trust paradigm.”

“In this new model, real-time authentication tests users, blocks suspicious activity, and prevents adversaries from the kind of privilege escalation that was demonstrated in the SolarWinds incident,” he told lawmakers on the Homeland Security and Government Affairs Committee.

Continue reading at:  FCW

SolarWinds hack proves contractors need to be prepared for APTs

By

If you don’t know about SolarWinds, then you haven’t been reading the news for the past six months.  Last October 2020, it was reported that a widely-used networking tool that helps companies in the public and private sectors manage their Information Technology (IT) portfolios – SolarWinds Orion product — had been compromised.  Publicly, it has been reported that about 18,000 private and government users downloaded the tainted software update, and it provided Russian hackers access to their systems.  The hack hit Federal agencies, including the Departments of Treasury, Commerce, and State, the Department of Homeland Security (DHS), National Security Agency, and parts of the Pentagon, as well as public and private sector companies.  The breadth and depth of this hack are still being assessed.

Continue reading at:  Government Contracting Matters

Contracting News

Read More

Contracting Tips

Read More

GTPAC News

Read More

Georgia Tech News

Read More