Georgia Tech Procurement Assistance Center

Pentagon to unveil new Cybersecurity Maturity Model Certification (CMMC) for defense contractors

By

The Department of Defense announced that it is developing a new cybersecurity standard and certification for defense contractors.  It is named the “Cybersecurity Maturity Model Certification” (CMMC).

Notably, the intent of the CMMC is to improve cybersecurity deficiencies in the defense industrial base and secure the supply chain.

The CMMC is expected to be based on NIST SP 800-171, as is the current Defense Federal Acquisition Regulation Supplement (DFARS) rule.  Specifically, DFARS Clause 252.204-7012 requires defense contractors handling sensitive, unclassified information to implement the 110 security controls of NIST SP 800-171.

However, the CMMC may incorporate or rely on frameworks in addition to NIST SP 800-171.

According to news reports, the CMMC will serve as the enforcement mechanism lacking in the current DFARS rule.

Although the draft CMMC has not yet been published, it’s been reported that there will be 5 levels of certification.  The levels will range from basic cyber hygiene to “State-of-the-Art.”  DoD contracts will require specific levels — and awards will be “go/no-go” based on the contractor’s certification status.

This is a fundamental change to how defense contracts are awarded today.

Read more at:  JD Supra

DHS would get more power to bar risky contractors under dueling proposals

By

Two House Republicans are working on legislation that would expand the Homeland Security Department’s authority to deny contracts to companies that pose cybersecurity supply chain threats while the Trump administration is pushing an even more expansive proposal.

The bill in the House will be modeled on authorities Congress gave the Defense Department in 2011 that were implemented in 2015, said Rep. Scott Perry, R-Pa., who is drafting the bill with Rep. Peter King, R-N.Y.

Under those rules, Pentagon contracting officers can bar vendors that pose a security risk from competing for contracts before they’re awarded and halt contractors from hiring risky subcontractors after an award.

Under current Homeland Security Department rules, contracting officers working on unclassified contracts can’t bar vendors before an award based on information provided by intelligence agencies, Soraya Correa, the department’s chief procurement officer, who testified before two House Homeland Security panels last Thursday.

Keep reading this article at: https://www.nextgov.com/cybersecurity/2018/07/dhs-would-get-more-power-bar-risky-contractors-under-forthcoming-bill/149675/

Facing Chinese cyberthreat, Pentagon to bake better contractor security into buying decisions

By

In the wake of reports China hacked a Navy contractor for sensitive data on submarine warfare, Pentagon officials said they want to build better security into the military’s acquisitions process to better protect the defense industry from Beijing’s tampering.

But it’s unclear whether the defense industry has bought into the nascent effort.

“It is no longer sufficient to only consider cost, schedule and performance when acquiring defense capabilities,” Deputy Under Secretary of Defense for Intelligence Kari Bingen told lawmakers on June 21st.

“We must establish security as a fourth pillar in defense acquisition and also create incentives for industry to embrace security, not as a cost burden, but as a major factor in their competitiveness for U.S. government business.”

Keep reading this article at: https://www.fifthdomain.com/congress/2018/06/21/pentagon-to-bake-better-contractor-security-into-buying-decisions/

Just 5 percent of federal contractors are fully protecting against email spoofing

By

Government contractors still lag far behind on implementing an email security tool that’s now mandatory for government agencies, according to industry data released Thursday.

Among the top 98 government contractors by dollar value, only 45 have properly installed the tool known as DMARC and only five have set it up to quarantine or reject spoofed or phishing emails that might contain malware, according to an analysis by the company ValiMail.

That means 93 of those companies are more vulnerable to phishing and spoofed emails, which might endanger those contractors’ federal clients—even if those agencies have installed DMARC themselves.

Keep reading this article at: https://www.nextgov.com/cybersecurity/2018/06/just-5-percent-federal-contractors-are-fully-protecting-against-email-spoofing/149165/

Faster detection, cleanup of network infections are goals of $12.8 million Georgia Tech project

By

Cybersecurity researchers at the Georgia Institute of Technology have been awarded a $12.8 million contract to develop fundamentally new techniques designed to dramatically accelerate the detection and remediation of infections in local and remote networks. Using novel machine learning techniques that take advantage of large datasets, the researchers will develop ways to detect network infections within 24 hours – before invaders can do serious damage.

The technical goal for the new system, dubbed “Gnomon,” is to detect changes in individual computer systems by analyzing suspicious network traffic that appears weeks or months before any evidence of malicious software – or malware – can be identified. As a proof-of-concept, the researchers will work with two major U.S. telecommunication companies and several petabytes of data in basic research aimed at detecting signals of malicious activity on their networks.

Funded by the Defense Advanced Research Projects Agency (DARPA), the four-year award is part of the agency’s Harnessing Autonomy for Countering Cyberadversary Systems (HACCS) program. Beyond rapid detection of infections, the project will also accelerate the cleanup after such infections, creating a clearer pathway in a process known as remediation.

“A compromise becomes a breach only if the original infection remains undetected long enough for the adversaries to do damage,” said Manos Antonakakis, an assistant professor in Georgia Tech’s School of Electrical and Computer Engineering and the project’s co-principal investigator. “If you look at the major breaches that have occurred, you see that the adversaries were in the systems for months. We want to identify them in a matter of hours to contain the infection before any real damage can be done.”

The new techniques to be developed will address the realization that network attacks cannot be completely blocked by existing defenses and malware-based detection systems. Dynamic intelligence will be a key feature of the system, with the intent of creating a continuously-updated dossier of every address in IPv4 space.

“Gnomon will search for illicit behavior in computer systems and network signals that indicate the start of an infection,” said Michael Farrell, chief strategist at the Georgia Tech Research Institute (GTRI), and the principal investigator on the program. “We’ll use our experience with taking down botnets – networks of infected computers – to accelerate the detection and remediation process. It’s imperative to evolve our view of the internetwork infrastructure at the same pace that the threat evolves.”

To protect millions of computers on the networks of the two companies, the researchers must find ways to identify troubling behavior on individual IP addresses without endangering the privacy of individuals. Among the signs of trouble are communications with network locations known to house malicious activity. Such communication is necessary for malicious groups to control computers that have been compromised, and to move data stolen from them.

“If you know where the infecting groups are located, you can very easily exclude most of the benign activities occurring on the network,” Antonakakis said. “We need to be able to identify what has changed in computers throughout the network, understand why the change has happened, and determine whether that change can be attributed to benign or malicious activity. This is a groundbreaking new approach to network security that will require tremendous computing power and infrastructure.”

Ever since the first viruses hit computers in the 1980s, cybersecurity has seen rapid evolution of detection and attack tactics. The success of Gnomon will likely drive adversaries to new attack techniques that may be more complex – and expensive – than existing activities. Making cyberattacks more costly to launch may reduce the profit from such activities, making them less attractive.

“If we can clean up our networks faster and more efficiently, that will increase the cost of the attack, making the adversaries work harder,” Antonakakis said. “If you raise the cost of an attack, the return on investment becomes smaller, while the risk of getting identified becomes higher. We would like to make the business of an attack so unprofitable and so risky for the adversaries that it will not make sense for them to conduct major operations in our networks.”

Success in developing new techniques with the first two telecommunication companies could open the door for scaling up Gnomon to other large networks in industry – and to U.S. government systems.

“Not only will deployment have an obvious benefit of improved hygiene for a significant portion of the U.S. internet infrastructure, but the public-private partnership will allow us to provide valuable feedback throughout the HACCS program on the sort of prototypes that will be necessary to have true business and mission impact in the real world,” Farrell said. “The goals are very ambitious, but if we’re successful, we’ll be able to close the gap between an infection and remediation.”

This program is the latest interdisciplinary research collaboration in cybersecurity at Georgia Tech, orchestrated by the Institute for Information Security & Privacy (IISP). In addition to the School of Electrical and Computer Engineering and GTRI, the project will include Professor Brian Kennedy from Georgia Tech’s School of Physics.

Attribution of malicious cyber activity is an established research thrust at Georgia Tech, and this new contract builds on the early success of another Department of Defense (DoD) sponsored program to enhance attribution. The “Rhamnousia” program is now a $25.3 million contract being led by the same research team of Farrell and Antonakakis.

This material is based upon work supported by the Defense Advanced Research Projects Agency (DARPA) under contract number HR001118C0057. Any opinions, findings and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the Defense Advanced Research Projects Agency (DARPA).

Source: http://www.news.gatech.edu/2018/05/14/faster-detection-cleanup-network-infections-are-goals-128-million-project

Security tips for choosing and using passwords

By

You probably use a number of personal identification numbers (PINs), passwords, and passphrases every day: from getting money from the ATM or using your debit card in a store, to logging in to your email or into an online retailer. Keeping track of all of the number, letter, and word combinations may be frustrating at times, but you’ve seen enough news coverage to know that hackers represent a real threat to your information. Often, an attack is not specifically about your account, but about using the access to your information to launch a larger attack.

One of the best ways to protect information or physical property is to ensure that only authorized people have access to it. Verifying that those requesting access are the people they claim to be is the next step. This authentication process is more important and more difficult in the cyber world. Passwords are the most common means of authentication, but only work if they are complex and confidential. Many systems and services have been successfully breached because of insecure and inadequate passwords. Once a system is compromised, it’s open to exploitation by other unwanted sources.

How to choose good passwords

Avoid common mistakes

Most people use passwords that are based on personal information and are easy to remember. However, that also makes it easier for an attacker to crack them. Consider a four-digit PIN. Is yours a combination of the month, day, or year of your birthday? Does it contain your address or phone number? Think about how easy it is to find someone’s birthday or similar information. What about your email password—is it a word that can be found in the dictionary? If so, it may be susceptible to dictionary attacks, which attempt to guess passwords based on common words or phrases.

Although intentionally misspelling a word (“daytt” instead of “date”) may offer some protection against dictionary attacks, an even better method is to rely on a series of words and use memory techniques, or mnemonics, to help you remember how to decode it. For example, instead of the password “hoops,” use “IlTpbb” for “[I] [l]ike [T]o [p]lay [b]asket[b]all.” Using both lowercase and capital letters adds another layer of obscurity. Changing the same example used above to “Il!2pBb.” creates a password very different from any dictionary word.

Length and complexity

The National Institute of Standards and Technology (NIST) has developed specific guidelines for strong passwords. According to NIST guidance, you should  consider using the longest password or passphrase permissible (16–64 characters) when you can. For example, “Pattern2baseball#4mYmiemale!” would be a strong password because it has 28 characters. It also includes the upper and lowercase letters, numbers, and special characters. You may need to try different variations of a passphrase—some applications limit the length of passwords, some do not accept spaces or certain special characters. Avoid common phrases, famous quotations, and song lyrics.

Dos and don’ts

Once you’ve come up with a strong, memorable password it’s tempting to reuse it ­– don’t! Reusing a password, even a strong one, endangers your accounts just as much as using a weak password. If attackers guess your password, they would have access to all of your accounts. Use the following techniques to develop unique passwords for each of your accounts:

  • Do use different passwords on different systems and accounts.
  • Don’t use passwords that are based on personal information that can be easily accessed or guessed.
  • Use the longest password or passphrase permissible by each password system
  • Don’t use words that can be found in any dictionary of any language.
  • Do develop mnemonics to remember complex passwords.
  • Do consider using a password manager program to keep track of your passwords. (See more information below.)

How to protect your passwords

Now that you’ve chosen a password that’s easy for your to remember, but difficult for others to guess, you have to make sure not to leave it someplace for people to find. Writing it down and leaving it in your desk, next to your computer, or, worse, taped to your computer, is just making it easy for someone who has physical access to your office. Don’t tell anyone your passwords, and watch for attackers trying to trick you through phone calls or email messages requesting that you reveal your passwords. (See Avoiding Social Engineering and Phishing Attacks for more information.)

Programs called password managers offer the option to create randomly generated passwords for all of your accounts. You then access those strong passwords with a master password. If you use a password manager, remember to use a strong master password.

Password problems can stem from your web browsers’ ability to save passwords and your online sessions in memory. Depending on your web browsers’ settings, anyone with access to your computer may be able to discover all of your passwords and gain access to your information. Always remember to log out when you are using a public computer (at the library, an Internet cafe, or even a shared computer at your office). Avoid using public computers and public Wi-Fi to access sensitive accounts such as banking and email.

There’s no guarantee that these techniques will prevent an attacker from learning your password, but they will make it more difficult.

For more information on passwords, multi-factor authentication, and related password topics, see Supplementing Passwords.

Don’t forget security basics

  • Keep your operating system, browser, and other software up-to-date.
  • Use and maintain anti-virus software and a firewall.
  • Regularly scan your computer for spyware. (Some anti-virus programs incorporate spyware detection.)
  • Use caution with email attachments and untrusted links.
  • Watch for suspicious activity on your accounts.

Source: The National Cybersecurity and Communications Integration Center’s (NCCIC) – https://www.us-cert.gov/ncas

Cybersecurity training video and template released

By

The Georgia Tech Procurement Assistance Center (GTPAC) has produced a 20-minute instructional video designed to assist contractors comply with Defense Department (DoD) cybersecurity requirements.

Click image above to view video and access resource documents.

Accompanying the video is a 127-page template that can be used by contractors to create a Security Assessment Report, a System Security Plan, and a Plan of Action.

The video and template, along with related resources, can be found at: http://gtpac.org/cybersecurity-training-video.

Background

The Defense Federal Acquisition Regulation Supplement (DFARS) prescribes that DFARS clause 252.204-7012 (“Safeguarding Covered Defense Information and Cyber Incident Reporting”)  be inserted in many DoD contracts.

In general, the clause requires that contractors provide adequate security on all applicable contractor information systems – and investigate and report on any compromises of such systems.  The DFARS clause also requires contractors to:

  • isolate malicious software,
  • preserve and protect all media involved in a cyber incident,
  • provide DoD with access to information or equipment for purposes of forensic analysis,
  • assess damage as a result of a cyber incident, and
  • “flow down” the clause in any subcontracts involving information covered by the requirements.
Click on the graphic above to see the government’s complete list of Controlled Unclassified Information (CUI) covered by the regulation.
Impact

If you are a DoD contractor, it is very likely that your contract incorporates DFARS clause 252.204-7012.  The clause is required in all solicitations and contracts, including solicitations and contracts issued under Federal Acquisition Regulation (FAR) Part 12 procedures for the acquisition of commercial items.  (Note: The clause is not required for solicitations and contracts solely for the acquisition of Commercial Off the Shelf – or COTS – items.)

To provide adequate security, DoD contractors covered by the DFARS clause are expected, at a minimum and effective immediately, to implement the standards set forth in National Institute of Standards and Technology (NIST) Special Publication 800-171 (Revision 1).

In general terms, to meet the government’s cybersecurity standards, contractors must assess their information systems, develop a security plan, and create an action plan.  GTPAC’s template – available for download as a Word document on the same webpage where the video appears – provides a step-by-step process by which each of these tasks can be completed and documentation can be compiled.

Information and Assistance

The video and template were funded through a cooperative agreement with the Defense Logistics Agency, and created with the support of the Georgia Institute of Technology.  The content of the video presentation does not necessarily reflect the official views of or imply endorsement by the U.S. Department of Defense, the Defense Logistics Agency, or Georgia Tech.

For further assistance with complying with DoD’s contractual cybersecurity requirements, please feel free to contact a GTPAC Procurement Counselor.  A list of Counselors, their locations, and contact information can be found at: http://gtpac.org/team-directory.

Companies located outside the state of Georgia may contact their nearest Procurement Technical Assistance Center (PTAC) for assistance with government contracting matters.  PTACs are located in all 50 states, the District of Columbia, Guam, and Puerto Rico.  Find a directory of PTACs at: http://www.aptac-us.org/find-a-ptac.

GTPAC is a part of the Enterprise Innovation Institute (EI2), Georgia Tech’s business outreach organization which serves as the primary vehicle to achieve Georgia Tech’s goal of expanded local, regional, and global outreach.  EI2 is the nation’s largest and most comprehensive university-based program of business and industry assistance, technology commercialization, and economic development.

 

 

 

Want to do Defense Dept. contracting? You’ll benefit from Georgia Tech’s Aug. 9 briefing

By

At the end of this year — if you are a Department of Defense (DoD) contractor or hope to be one — there are new cybersecurity requirements that will be in your contract that will require you to limit access to your information systems, identify system users, and take measures to safeguard federal contract information (FCI).  Your compliance with these rules, among others, require documented processes and procedures.

There is some good news.  Now, you have the opportunity to learn the details of DoD’s new requirements — and prepare to address the requirements — by attending Georgia Tech’s free briefing on cybersecurity being held Wednesday, August 9, 2017.  The briefing will be held from 9:00 a.m. to noon.

This is your opportunity to learn why and how businesses, particularly DoD contractors, are being targeted by cyber attackers — and the steps you can take to protect your company.

Here’s how you will benefit by attending the August 9 briefing:

  • Understand NIST 800-171 compliance issues for contractors to the federal government.
  • Learn how businesses are being targeted.
  • Learn about different types of cyber hackers.
  • Explore the root causes of attacks.
  • Understand how to identify your assets and risks, protect your assets, detect vulnerability, respond to malicious events, and recover successfully from such events.

Speakers include:

  • Dave Stieren, Program Manager, National Institute of Standards and Technology
  • Spencer Cobb, Cytellix Cyber Security Readiness for Manufacturing

Location: Centergy Building, 75 – 5th Street, NW, Hodges Room, 3rd Floor, Atlanta, GA 30308

Pre-Registration Required!   Register at: https://www.eventbrite.com/e/cybersecurity-for-manufacturers-atlanta-seminar-tickets-35607900188

This event is being sponsored by: Georgia Tech Procurement Assistance Center (GTPAC), Georgia Manufacturing Extension Partnership (GaMEP), National Institute of Standards and Technology (NIST), the Georgia Department of Economic Development, and the Georgia Centers for Innovation.

Georgia Tech sponsors cybersecurity briefing in August for manufacturers

By

If you are a Georgia manufacturer, here is your opportunity to learn why and how manufacturers are being targeted by cyber attackers — and the steps you can take to protect your company.

On Wednesday, August 9, 2017, Georgia Tech is holding a free briefing on cybersecurity for manufacturers.  The briefing is 9:00 a.m. to noon.

Here’s how attendees will benefit:

  • Understand NIST 800-171 compliance issues for contractors to the federal government.
  • Learn how manufacturers are being targeted.
  • Learn about different types of cyber hackers.
  • Explore the root causes of attacks.
  • Understand how to identify your assets and risks, protect your assets, detect vulnerability, respond to malicious events, and recover successfully from such events.

Speakers include:

  • Dave Stieren, Program Manager, National Institute of Standards and Technology
  • Spencer Cobb, Cytellix Cyber Security Readiness for Manufacturing

Location: Centergy Building, 75 – 5th Street, NW, Hodges Room, 3rd Floor, Atlanta, GA 30308

Pre-Registration Required!   Register at: https://www.eventbrite.com/e/cybersecurity-for-manufacturers-atlanta-seminar-tickets-35607900188

This event is being sponsored by: Georgia Tech Procurement Assistance Center (GTPAC), Georgia Manufacturing Extension Partnership (GaMEP), National Institute of Standards and Technology (NIST), the Georgia Department of Economic Development, and the Georgia Centers for Innovation.

 

Final federal rule issued on safeguarding contractor information systems

By

Federal Contract InformationAfter years of gestation, a final rule was promulgated May 16, 2016 to mandate minimum cyber defenses for companies that do government business. This Federal Acquisition Regulations rule – “Basic Safeguarding of Contractor Information Systems” 81 Fed. Reg. 30439 – seeks to protect the confidentiality and integrity of federal contract information (FCI) that resides in or transits through any contractor information system.

Why this rule?

Agencies are required by the Federal Information Security Modernization Act (FISMA) to protect federal information. The obligation extends to nonpublic information provided by the federal government to its contractors. Unauthorized cyber extraction of federal information has caused genuine injury to national interests. Using this new FAR provision, every federal agency now will require minimum cyber protection for FCI.

What is federal contract information?

FCI is defined as nonpublic information that is “provided for or generated for the government” under a contract to “develop or deliver a product or service to the government, but not including information provided to the public or simple transactional information. The new rule protects “information systems” rather than carefully defined information types, however. If a contractor processes stores or transmits any FCI, its information system becomes subject to minimum enumerated safeguards. Where a contractor information system hosts FCI and other, non-federal information, the rule applies to the whole system.

Keep reading this article at: http://www.federaltimes.com/story/government/solutions-ideas/2016/06/13/far-rule-federal-contractor-information/85825436/

Contracting News

Read More

Contracting Tips

Read More

GTPAC News

Read More

Georgia Tech News

Read More