Georgia Tech Procurement Assistance Center

Uncle Sam wants you — and your DFARS compliance

By

Following rules of engagement is a common concept, but knowing the rules — and whether they really apply to one’s own business — is not always a common condition.  The federal market can be especially confusing for smaller companies that may be delivering similar products or services to both civilian and military/defense/aerospace agencies.

If you know enough to ask about DFARS 252.204-7012 compliance, hold grants or contract awards subject to the provisions, or are contemplating entering the Department of Defense (DoD) market, you should at least be on the path to Defense Federal Acquisition Regulation Supplement (DFARS) compliance.  By September 2020, meeting the required security level contained in a DoD solicitation will be the basis for a go/no-go decision on further consideration of an offeror’s cost, schedule, and performance qualifications.

Announced changes to federal procurement practices, particularly for DoD-related contracts, put into play provisions for supply chain security and resiliency based, in part, on the 2018 “Deliver Uncompromised” study from MITRE Corporation.  Widely publicized leaks of government-funded intellectual property and other proprietary information have intensified concerns about the vulnerability of the defense industrial base (DIB), one of the 16 industry sectors defined by the Department of Homeland Security (DHS) as “critical infrastructure.”  The Office of the Under Secretary of Defense for Acquisition & Sustainment notes on its website that DoD is “planning a series of engagements across the United States in order to solicit inputs and feedback from the [DIB] sector.”

Continue reading at:  IndustryWeek

Will defense contractors be ready for CMMC?

By

Defense contractors will face big changes and tight timelines over the next year as the Department of Defense rolls out its new Cybersecurity Maturity Model Certification framework, experts say.

The framework, which aims to certify a company’s compliance with federal cybersecurity regulations around controlled unclassified information (CUI), was announced by DOD officials in June.  It will be used to evaluate and rate contractors’ ability to protect sensitive data on a 1-5 scale starting next year.

The initial version of the framework is scheduled to go public in January 2020.  By June 2020, its requirements will start appearing in requests for information, and will become a regular feature of defense procurement by September 2020.  That means defense contractors will have less than eight months to implement changes for compliance with the Defense Federal Acquisition Regulation Supplement and National Institute of Standards and Technology guidance on protecting CUI.

Continue reading at:  FCW

Cybersecurity: front and center for industry

By

“Deliver Uncompromised,” the “Fourth Pillar of Acquisition” or “Securing the DoD Supply Chain” — no matter what turn of phrase one uses to discuss protecting the defense industrial base and the equipment and support it provides warfighters from cyber threats, this issue stands front and center for the Pentagon and for the people and companies that provide its capabilities.

Experts estimate losses of about $600 billion per year in the transfer of wealth, expertise and trade secrets due to cyber crime.  Adversaries and bad actors specifically target the defense industrial base, using the pilfered data to close capability gaps with the United States, its allies and partners.

The National Defense Strategy and the National Cyber Strategy lay it bare, “Our competitors — including … foreign adversaries such as Russia and China — are also using cyber to try to steal our technology.”  Protecting U.S. advantages demands better government-industry collaboration.  Fortunately, that is happening with the end state an effective, holistic cyber defense.

Despite being the home of cyberspace and the innovative tech giants who used it to transform society and the economy, America — both its government and its traditional industries — has responded slowly to growing and increasingly adaptive cyber threats.  That said, stakeholders now recognize the challenge and have begun responding with concrete actions.  Called out in the series of 2018 strategy documents, the cyber hygiene of U.S. government contractors, especially those in the defense industrial base, will likely soon require third-party cybersecurity certification for contractors to participate in any Defense Department contract.

Continue reading at:  National Defense Magazine 

CBP reportedly suspends subcontractor over cyberattack

By

The US Customs and Border Protection has reportedly suspended a subcontractor following a “malicious cyberattack” in May that caused it to lose photos of travelers into and out of the country.  Perceptics, which makes license plate scanners and other surveillance equipment for CBP, has been suspended from contracting with the federal government, The Washington Post reported Tuesday.

On June 12, CBP had confirmed that in violation of its policies, a subcontractor had “transferred copies of license plate images and traveler images collected by CBP to the subcontractor’s company network.”  The subcontractor’s network was then compromised by a cyberattack that affected under 100,000 people who entered and exited the US in a vehicle through several specific lanes at one land border during a 1.5-month period.

Continue reading at:  CNET News

DOD’s proposed cybersecurity maturity model certification requirements: what we know and how to prepare

By

The final DFARS cybersecurity rule promulgated in 2016, which included the latest changes to the DFARS clause at 252.204-7012, was a significant development for DoD contractors, in part because it mandates compliance with the 110 security controls in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.  DoD has been working with the contracting community since that time with respect to the implementation of the final rule, but has concluded that further compliance steps are needed in the form of cybersecurity certification standards.

The anticipated new cybersecurity certification standards for DoD contractors are quickly taking shape.  Katie Arrington, former South Carolina legislator and current special assistant for Cybersecurity to Assistant Secretary of Defense for Acquisition, recently announced that DoD is partnering with the Carnegie Mellon University Software Engineering Institute and the Johns Hopkins University Applied Physics Laboratory in developing the new certification standard: the Cybersecurity Maturity Model Certification or “CMMC.”  This Alert outlines what has been revealed thus far about the CMMC, how the CMMC will affect DoD contractors, and steps you can take to be ready when the CMMC goes live.

Continue reading at:  Miles & Stockbridge

7 steps for getting right with NIST 800-171

By

The deadline for defense contractors and subcontractors to implement the information security requirements listed in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 has come and gone.  There are more than 100 information security requirements in NIST 800-171, and it is a good bet that many smaller companies without ample IT resources fall into the category of: “We missed the deadline… what now?”

If you want to continue working with the Department of Defense, the simple answer is you will have to be 800-171 compliant.  This includes secure file sharing and information exchange governance, namely how you store, access, exchange and govern sensitive (but unclassified) information with the agency.  And while the December 31, 2017, deadline was directed at DOD’s industry partners, NIST 800-171 applies to all non-federal organizations that work with U.S. government systems and data.  So the suggestions below are in no way limited to defense contractors!

Continue reading at:  Federal Computer Week

The importance of compliance with DFARS cybersecurity regulations

By

Clicking the “COMPLY” check box on the list of government requirement flow-downs may seem like a necessary evil of being a supplier to the defense market, but some regulations around information and cybersecurity provide the critical foundations of a trusted computing supply chain.

Cyber and information warfare are the hottest and possibly most contested battlefields in the race for military dominance. Case in point, the U.S. Navy recently changed the name of Space and Naval Warfare Systems Command (SPAWAR) to the Naval Information Warfare Systems Command (NAVWAR), in recognition of how important information warfare to defense strategy.

Similarly, earlier this year, the U.S. Army, announced the evolution of its Cyber Command into the Information Warfare Command, and the U.S. Air Force announced the merger of the 24th Air Force (Air Forces Cyber) and the 25th Air Force, to create a new information warfare focused command.

By all indicators, information currently sits near the top of the food chain of assets requiring protection.  To that end, the U.S. Department of Defense (DOD) upped the ante on regulations around what types of information need protection and how much suppliers must protect that information.

Continue reading here:  Military and Aerospace Electronics

NIST updates SP 800-171 to help defend sensitive information from cyberattack

By

An update to one of the National Institute of Standards and Technology’s (NIST) information security documents offers strategies to help protect sensitive information that is stored in computers supporting critical government programs and high value assets. 

The document, entitled Draft NIST Special Publication (SP) 800-171 Revision 2: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizationsnow has a new draft companion publication, NIST SP 800-171B, that offers additional recommendations for handling Controlled Unclassified Information (CUI) in situations where that information runs a higher than usual risk of exposure.  CUI includes a wide variety of information types, from individuals’ names or Social Security numbers to critical defense information. 

When CUI is part of a critical program or a high value asset — such as a weapons system — it can become a significant target for high-end, sophisticated adversaries.  In recent years, these programs and assets have been subjected to an ongoing barrage of serious cyberattacks, prompting the Department of Defense to request additional guidance from NIST. 

 “We need to provide safeguards and countermeasures that can stand up to these attacks,” said NIST’s Ron Ross, one of the publication’s authors.  “We are requesting comments on this initial public draft, which we hope will help organizations protect CUI against our most advanced and persistent adversaries.” 

NIST is accepting comments on both SP 800-171 Rev. 2, which received minor editorial updates, and SP 800-171B until July 19, 2019.  In the future, NIST plans to issue  final versions of both publications.  In addition, a previously available companion document, NIST SP 800-171A, will be updated with new assessment procedures for the enhanced security requirements. 

Continue reading at:  NIST website

DoD unveils proposed cybersecurity capability model certification standards

By

Cybersecurity.  It’s never over, is it?  In what can only be described as a “soft” release, the Department of Defense (DoD) has slowly and quietly begun to reveal its intent to provide federal contractors with a formal cybersecurity certification as early as next year.  The program, known as the Cybersecurity Capability Model Certification (CCMC), is an effort to streamline the acquisition process by providing acquiring agencies and consenting contractors with more exacting cybersecurity requirements for forthcoming acquisitions.

Moreover, as announced clearly and repeatedly by the Special Assistant to the Assistant Secretary of Defense for Acquisition and Sustainment for Cyber, Katie Arrington, during events on May 23, 2019, and June 12, 2019, certain cybersecurity costs will be allowable under certain circumstances.  This means that not only is DoD again in the process of facilitating the acquisition of cybersecurity capabilities throughout its entire supply chain, but now the DoD recognizes that it should actually pay for what it requires of contractors.

Continue reading at:  McCarter and English

The cost to comply with DoD’s new cybersecurity requirements to be reimbursable on cost contracts

By

Law360 published an article recently with the title, “DoD Official Says Cyber is an Allowable Contractor Cost.”  The article states that the U.S. Department of Defense (DoD) will allow defense contractors to treat the costs of bringing their cybersecurity programs in line with DoD requirements as an allowable cost and, therefore, reimbursable.  Specifically, at the June 14, 2019 Professional Services Council’s Federal Acquisition Conference, DoD special assistant for cybersecurity Katie Arrington said, “security is an allowable cost.”

Further, Law360 reported that in May, DoD said it was developing a “Cybersecurity Maturity Model Certification” (CMMC) program to build on the Defense Federal Acquisition Regulation Supplement regulation (DFARS § 252.204-7012(b)(2)) that requires defense contractors to implement the security controls in the National Institute of Standards and Technology’s Special Publication (NIST SP) 800-171.  The security controls are intended to protect covered defense information on nonfederal systems.  DoD said the CMMC will require defense contractors to get third-party audits of their compliance with the NIST SP 800-171 controls, down through their supply chains.

Arrington told the conference attendees that the CMMC will be developed by DoD working in conjunction with the Johns Hopkins University Applied Physics Lab and Carnegie Mellon University Software Engineering Institute.  The goal is to develop one unified standard for cybersecurity.  This standard will include five different levels of required cybersecurity protections, from a level one of “basic hygiene,” which will be cheap and straightforward enough that a small business could meet it, to level five for “state-of-the-art” protections.  Arrington said that DoD has planned 12 related industry days across the United States in July and August to work in a collaborative manner with defense contractors to improve cybersecurity practices in the CMMC plan.  Acknowledgments to Daniel Wilson and Law360 for reporting these developments.

Continue reading at:  Taft Stettinius & Hollister LLP

Contracting News

Read More

Contracting Tips

Read More

GTPAC News

Read More

Georgia Tech News

Read More