Georgia Tech Procurement Assistance Center

DoD testing secure cloud to help small contractors protect data

By

The Pentagon still has deep concerns about thefts of sensitive Defense data from contractor systems. But it’s concluded that simply using contract terms to order firms to improve their security isn’t going to do the job.

So the department is testing ways to extend its own cybersecurity expertise and infrastructure to small and medium-sized businesses who don’t have the wherewithal to adequately secure their systems against nation-state attackers. Specifically, it plans to build a secure cloud to house the Defense data companies need to perform their contracts, instead of requiring them to store it themselves.

DoD’s research and development budget for 2020 includes $15 million for a small project the department terms the Defense Industrial Base (DIB) Secure Cloud Managed Services Pilot. In the early going, the Pentagon plans to make the cloud service available to “a subset” of small and medium companies that “support prioritized, critical DoD missions and programs.”

In contract terms, the department would treat the secure cloud as Government Furnished Equipment (GFE), said Ellen Lord, the undersecretary for acquisition and sustainment.

Keep reading this article at: https://federalnewsnetwork.com/defense-news/2019/03/dod-will-test-secure-cloud/

 

Software review provisions proposed by Senate Armed Services Committee could have significant impact on DoD contractors

By

As the Senate approaches the end of its debate on the National Defense Authorization Act (NDAA) for Fiscal Year 2019, provisions of the bill regarding access to and review of information technology code deserve close attention.  These sections, if enacted, would significantly impact Department of Defense contractors and also would affect matters associated with investments subject to review by U.S. national security agencies.

As drafted, the provisions could expose current and prospective contractors to intrusive scrutiny and significant risks.  They lack clarity on key definitions, leaving the precise scope of those risks unclear.  We summarize major issues and concerns below.  We expect these provisions to receive scrutiny during the House-Senate conference on the NDAA over the summer.

Synopsis of the Proposed Legislation

Three sections of the Senate’s version of the NDAA, which passed the Senate Armed Services Committee in May, would establish new rules designed to mitigate “risks posed by providers of information technology with obligations to foreign governments.”  Those risks involve the access that foreign governments may have to code in products or services that are offered to the Department of Defense.  The provisions also impose new disclosure requirements on the efforts of a prospective vendor to obtain a license under the Export Administration Regulations (“EAR”) or the International Traffic in Arms Regulation (“ITAR”).

The pending legislation would require proactive disclosure of those matters, and would impose an ongoing duty to supplement those disclosures during the period of performance on the contract.  The Secretary of Defense would be authorized to assess and mitigate any resulting national security risks through contractual provisions or other performance requirements.

Keep reading this article at: https://www.insidegovernmentcontracts.com/2018/06/senate-armed-services-committee-proposes-expansive-unclear-software-review-provisions/

Why CDM vendors need more flexibility

By

The first two phases of the Department of Homeland Security’s Continuous Diagnostic and Mitigation (CDM) program have helped government agencies deploy foundational cybersecurity solutions for real-time visibility and continuous network monitoring to identify vulnerabilities, reduce risk, ensure compliance and respond to threats.

DHS and the General Services Administration (GSA) deserve tremendous credit for implementing a technical program of this size and complexity. However, the first two phases barely bring government to the starting line of the cybersecurity technology race. The private sector and U.S. adversaries are already well past that point.

The most important phase of the CDM program is yet to come, under which government tackles the data security problems of an increasingly mobile workforce and distributed cloud computing environment.

Keep reading this article at: https://fcw.com/articles/2018/03/19/cdm-vendor-flex-comment.aspx

Final rule beefs up mandates for contractor information systems security

By

Federal RegisterA new final rule four years in the making will amend the Federal Acquisition Regulations, or FAR, with new sections on the basic safeguarding of contractor information systems.

The rule, published on May 16, 2016 in the Federal Register and issued by the Defense Department, General Services Administration and NASA, will add a subpart and contract clause on contractor systems that process, store or transmit federal contract information, and calls on contractors to apply a minimum of 15 security control requirements.

This type of information is not intended for public release and excludes information that the government provides to the public or that is related to processing payments.

The focus of the rule is on a basic level of safeguarding, and contractors still have to comply with safeguarding requirements for protecting controlled unclassified information, or CUI. “Systems that contain classified information, or CUI, such as personally identifiable information, require more than the basic level of protection,” the rule stated.

Keep reading this article at: http://www.fiercegovernmentit.com/story/final-rule-beefs-mandates-contractor-information-systems-security/2016-05-17

Colorado DOT employee stole DBE contractors’ personal information

By

DBE certifiedPersonal information from hundreds of Colorado Department of Transportation (CDOT) contractors may have been compromised after a data breach involving a CDOT employee.

The employee, who is no longer working for CDOT, had access to a database for several hundred disadvantaged and emerging small businesses. The database for Emerging Small Business (ESB) and Disadvantaged Business Enterprise (DBE) firms contained confidential information — including tax returns.

“We believe that there is a data breach on the database itself where an employee accessed information and may be using that and selling that information externally,” CDOT spokeswoman Amy Ford said.

The businesses potentially affected by the data breach submitted information to CDOT in order to qualify for ESB and DBE programs, Ford said. The programs are designed to give small, disadvantaged businesses an opportunity to contract with CDOT on construction, professional service, research and more.

Keep reading this article at: http://www.9news.com/mb/news/cdot-employee-stole-contractors-personal-information/175000302\

See letter send by CDOT to affected contractors at: https://www.scribd.com/doc/311660836/Letter-about-CDOT-data-breach

Pentagon unveils new rules requiring contractors to disclose data breaches

By

New sweeping defense contractor rules on hack notifications took effect August 26, 2015, adding to a flurry of Pentagon IT security policies issued in recent years.

ombThe Office of Management and Budget proposed guidelines to homogenize the way vendors secure data government-wide. The Defense Department had already released three other policies that dictate how military vendors are supposed to handle sensitive IT.

Now, industry, which is already concerned about overlapping and burdensome cyber rules, worries the Pentagon will go back and retroactively change contracts, after the White House draft is finalized.

pentagon-sealThe new Pentagon regulations for “Network Penetration Reporting and Contracting for Cloud Services” cover more types of incidents and more kinds of information than past policies. The guidelines also apply to a broader swath of the contracting community.

Keep reading this article at: http://www.nextgov.com/cybersecurity/2015/08/pentagon-tries-harmonize-contractor-data-breach-rules/119498

Actions foreshadow uniform cybersecurity regulations for federal contractors

By

Two recent Executive Agency actions lay the groundwork for a FAR cybersecurity clause in 2016.

  • Government contractors should expect an amendment to the Federal Acquisition Regulation in 2016 that mandates cybersecurity clauses and standards.
  • Companies can prepare now by comparing new government standards to their existing system protections.
  • As part of this process, companies should not just be reviewing the capabilities of their information systems, but also their written information assurance policies, training materials, and employment and third-party agreements.

cyber securityFederal government contractors handling Controlled Unclassified Information (CUI) should take notice of two recent executive agency actions. Combined, they lay the groundwork for a new cybersecurity clause to be added to the Federal Acquisition Regulation (FAR) in 2016.

Keep reading this article at: http://www.jdsupra.com/legalnews/actions-foreshadow-uniform-45314/

For more information on this topic, see: www.gtpac.org/tag/controlled-unclassified-information

Securing federal data on nonfederal systems

By

The National Institute of Standards and Technology (NIST) has issued new guidance aimed at protecting federal data that’s stored on information systems outside the federal government.

NISTSpecial Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, applies to information systems and organizations outside of the federal government that process, store or transmit federal controlled unclassified information, or CUI.

CUI is any information that the federal government requires to be safeguarded by security and/or privacy controls, excluding information that is deemed classified, which is protected under a different set of regulations.

Keep reading this article at: http://www.govinfosecurity.com/securing-federal-data-on-nonfederal-systems-a-8328/op-1

Doing business with the government? What you should know about cybersecurity

By

Government contractors are in a difficult position when it comes to cybersecurity. Not only do they need to worry about cybersecurity issues that affect almost every company, but they also often house sensitive government data that can carry additional obligations.

cyber securityFurther, the very fact that they have access to this information, and their relationship to the U.S. government, makes them an attractive target for malicious efforts. Escalating these concerns, not only are contractors with sensitive information prime targets for standard hackers trying to prove their worth, but they are also in the cross-hairs for attacks sponsored by countries hostile to the United States or interested in obtaining technology otherwise prohibited to them.

The U.S. government recognizes this threat and has responded in two major ways. The first is to impose additional cybersecurity responsibilities on contractors who have access to sensitive data. While the goal of these additional obligations is to harden security to protect data, their parameters are not always apparent and can be easily misunderstood. Just identifying what a contractor is expected to do can be a challenge. The second element of the government’s approach is to assist in combating cyber attacks by offering to work with companies, including contractors, who find themselves victims. This help can be invaluable, especially for sophisticated and persistent state-sponsored cyber threats. It also raises additional issues, however, and many companies are justifiably suspicious of opening their information technology systems to the government.

In this Commentary, we highlight the aligned and competing priorities of the government and companies in this space. We discuss some of the main requirements imposed on contractors that go above and beyond those required of standard companies. We also delve into practical considerations for government contractors in this area and developing trends.

Keep reading this article at: http://www.mondaq.com/article.asp?articleid=402096

Contracting News

Read More

Contracting Tips

Read More

GTPAC News

Read More

Georgia Tech News

Read More