Georgia Tech Procurement Assistance Center

Readying contractors’ security plans for evaluation

By

The Defense Department recently issued final guidance for requiring activities to assess contractors’ system security plans and their implementation of the security controls in National Institute of Standards and Technology Special Publication 800-171.

It includes a compliance guidance document, which explains how department entities will assess contractor implementation of its security controls, and an impact guidance document, which explains how the Pentagon will assess the risks of security controls not implemented.

The compliance guidance addresses three objectives pre-award: requiring a self-attestation of implementation of the special publication in all proposals; imposing enhanced security controls in certain situations; and providing alternatives for compliance as an evaluation factor.

Defense Federal Acquisition Regulation Supplement 252.204-7008, which is required in every noncommercial off-the-shelf solicitation, provides that “[b]y submission of this offer, the offeror represents that it will implement the security requirements specified by [NIST SP 800-171].” The Defense Department has interpreted “implementation” as having a completed security system plan and a plan of action and milestones for the relevant covered defense information.

If a requiring activity believes that enhanced security controls are required beyond those in NIST SP 800-171, the compliance guidance provides direction for adding the requirements to a solicitation.

The guidance does not define what constitutes “enhanced controls.” NIST is expected to issue a new appendix of enhanced controls in the first quarter of 2019.

Keep reading this article at: http://www.nationaldefensemagazine.org/articles/2019/1/30/readying-security-plans-for-evaluation

See GTPAC’s video, template and other resources designed to help contractors comply with the DoD/NIST cybersecurity rules at: http://gtpac.org/cybersecurity-training-video/

DoD makes immediate change to limitations on subcontracting rule; FAR Council issues proposed rule

By

The Department of Defense (DoD) has issued a class deviation that resolves the inconsistency between the Small Business Administration (SBA) regulations and the clause at Federal Acquisition Regulation (FAR) 52.219-14 related to the Limitations on Subcontracting Rule (LOSR).

The FAR Council has also issued a proposed rule to amend FAR 52.219-14 to fully resolve this issue for all small businesses. Government contractors should be aware of these new changes and proposed changes.

Generally, the LOSR prevents small business prime contractors from subcontracting the majority of the work under a prime contract to large businesses. The LOSR is intended to ensure that small businesses get the benefit of the set-aside prime contract. The government does not want a small business to get an award, perform only a small portion of the work, and then subcontract out everything else to large businesses.

Since 2016, SBA small businesses have struggled to comply with the LOSR because the regulations at 13 C.F.R. § 125.6 are inconsistent with the contract clause at FAR 52.219-14.

Keep reading this article at: http://www.mondaq.com/article.asp?articleid=777544

See DoD’s Jan. 8, 2019 Class Deviation 2019-O0003 on this subject at: https://www.acq.osd.mil/dpap/policy/policyvault/USA000039-19-DPC_Class_Deviation_2019-O0003.pdf

See the proposed rule here: https://www.govinfo.gov/content/pkg/FR-2018-12-04/pdf/2018-25506.pdf

DoD continues to up the ante on cybersecurity compliance for contractors

By

Compliance with the security controls in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 is only the beginning for contractors that receive controlled defense information (CDI) in performance of Department of Defense (DoD) contracts and subcontracts.

Faced with an evolving cyber threat, DoD contractors have experienced an increased emphasis on protecting DoD’s information and on confirming contractor compliance with DoD cybersecurity requirements.  This includes audits by the DoD Inspector General (IG) “to determine whether DoD contractors have security controls in place” to protect CDI and enhanced security controls for certain high risk contractor networks.

And on September 28, 2018, the Navy issued a policy memorandum calling for enhanced cybersecurity requirements, including some that have generated opposition within the defense community such as the installation of network sensors by the Naval Criminal Investigative Service on contractor systems.

Other requiring activities are reportedly requiring similar enhanced protections, and NIST is expected to issue a public draft of Revision 2 to NIST SP 800-171 by the end of February, with an appendix of additional enhanced controls.

Keep reading this article at: https://www.insidegovernmentcontracts.com/2019/01/dod-continues-ante-cybersecurity-compliance-contractors/

See GTPAC’s video, template and other resources designed to help contractors comply with the DoD/NIST cybersecurity rules at: http://gtpac.org/cybersecurity-training-video/

The new rules of cybersecurity

By

At this very moment someone, somewhere in the world may be plotting to hack into an organization’s critical network infrastructure.

Creativity, time and investment are never in short supply when determined attackers are intent on gaining access to networks. It’s created an environment whereby solutions to prevent attacks are being developed just after new hacking tactics are deployed. To solve this divergence, we need to focus on “cyber at machine speed” — implementing new tools simultaneously with or even before hackers.

In short, getting the basics right is no longer enough. Adversaries now have the tools, the motivation and certainly the persistence to overcome current standards and compliance protocols.

Simply put, adequacy is no longer adequate.

Keep reading this article at: https://www.nextgov.com/ideas/2018/12/new-rules-cybersecurity/153714/

See GTPAC’s video, template and other resources designed to help contractors comply with the DoD/NIST cybersecurity rules at: http://gtpac.org/cybersecurity-training-video/

LPTA solicitations no longer acceptable? Reviewing DoD’s proposed changes to the DFARS

By

In a proposed rule issued last month, the Department of Defense (DoD) seeks to incorporate into the Defense Federal Acquisition Regulations Supplement (DFARS) restrictions on the use of the lowest price technically acceptable (LPTA) source selection method from the National Defense Authorization Act (NDAA) for Fiscal Years 2017 and 2018.  This proposed rule makes clear that these NDAA-imposed restrictions are not going away any time soon, and that DoD contracting officers need to engage in a thorough and reasoned analysis before conducting an LPTA procurement.

Just as its name suggests, the LPTA source selection process prioritizes cost or price over technical capability — the agency will make award to the lowest-priced offeror that presents a technically acceptable proposal.  Typically, agencies use the LPTA process to procure straightforward goods and services such as routine maintenance work or office equipment.  In recent years, however, contractors have complained that agencies employ LPTA selection processes in inappropriate circumstances where qualitative differences really matter and technical superiority is worth a price premium.

Keep reading this article at: https://www.insidegovernmentcontracts.com/2018/12/lowest-price-technically-acceptable-solicitations-no-longer-acceptable-reviewing-department-defenses-proposed-changes-dfars/

DoD and other agencies seek to enhance contractors’ cyber and supply chain security

By

The Department of Defense (DoD) and its component services and agencies are taking several independent steps to assess and enhance their cyber and supply chain security that will directly or indirectly affect DoD contractors and subcontractors.

Other federal agencies, including the Department of Homeland Security (DHS), Commerce, and General Services Administration (GSA), are also considering or implementing measures to enhance cyber and supply chain security that will directly or indirectly affect government contractors and their supply chains.

These initiatives will intensify scrutiny of government contractors and subcontractors, increase their cyber and supply chain security compliance requirements, and affect their ability to compete for, and win, government contracts. This article summarizes these initiatives and states our view that, despite the proposal and likely adoption of a comprehensive new Federal Acquisition Regulation (FAR) cybersecurity clause next year, federal government contractors and subcontractors are likely to face multiple, overlapping, and possibly conflicting cybersecurity and supply chain requirements for some time to come.

Keep reading this article at: http://www.mondaq.com/article.asp?articleid=767144

See GTPAC’s video, template and other resources designed to help contractors comply with the DoD/NIST cybersecurity rules at: http://gtpac.org/cybersecurity-training-video/

Contractors are a bull’s-eye for hackers

By

The U.S. defense industrial supply chain is vast, complex and vulnerable. Organic components, large-scale integrators, myriad commercial service providers, and tens of thousands of private companies sustain the Defense Department. According to the SANS Institute, the percentage of cyber breaches that originate in the supply chain could be as high as 80 percent.

Some progress has undoubtedly been made with regard to securing the supply chain. The Defense Federal Acquisition Regulation Supplement (DFARS) NIST SP 800-171 supply chain program, for instance, introduced 109 stringent requirements for Defense Department suppliers dealing with sensitive government data—53 related to technology and 56 related to security policy.

But while DFARS applies to all contractors and suppliers regardless of size, it has not yet been fully implemented and it is not bulletproof.  Still, it is a big step toward securing the supply chain at all levels.

Keep reading this article at: https://www.afcea.org/content/contractors-are-bulls-eye-hackers

See GTPAC’s video, template and other resources designed to help contractors comply with the DoD/NIST cybersecurity rules at: http://gtpac.org/cybersecurity-training-video/

Pentagon considers cybersecurity certification for its contractors

By

In cybersecurity, you’re only as strong as your weakest link.

For the Defense Department, the area with the fewest cyber protections are the defense contractors the department works with, particularly the small businesses that don’t have the expertise or resources to build a robust security posture.

The Pentagon put together a task force to assess whether small businesses within the defense industrial base are complying with the cybersecurity framework published by the National Institute of Standards and Technology and provide assistance to companies that need help.

The department issued a new rule last year requiring vendors to show that they are in compliance with NIST standards or have a plan to get there quickly. Those plans were due Jan. 1.

Keep reading this article at: https://www.nextgov.com/cybersecurity/2018/12/pentagon-considers-cybersecurity-certification-its-contractors/153330/

See GTPAC’s video, template and other resources designed to help contractors comply with the DoD/NIST cybersecurity rules at: http://gtpac.org/cybersecurity-training-video/

DoD issues final guidance for assessing contractor compliance with NIST SP 800-171

By

The Department of Defense (DoD) recently issued final guidance for requiring activities to assess contractors’ System Security Plans (SSPs) and their implementation of the security controls in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.

A draft of this guidance was made available for public comment in April 2018.  As noted in an earlier post on the draft guidance, DoD’s proposed approach raised significant questions as to what role offerors’ implementation of the security controls in NIST SP 800-171 would play in bid protests, contract performance, and post award audits.  In the memorandum accompanying the final guidance documents, DoD notes that it has incorporated comments it received from the public into the final guidance.  As discussed below, although the DoD has addressed some of the issues raised by the April draft, the final guidance adds some additional concerns and ambiguities.

The final guidance consists of two documents.  The first document is “Guidance for Assessing Compliance of and Enhancing Protections for a Contractor’s Internal Unclassified Information System,” which provides direction to requiring activities for including evaluation criteria in solicitations and in contracts for assessing contractor compliance with NIST SP 800-171.  The second document is “DoD Guidance for Reviewing System Security Plans and the NIST SP 800-171 Security Requirements Not Yet Implemented,” which addresses how DoD should assess the impact and risk of NIST SP 800-171 security controls that a contractor has not yet implemented.

Keep reading this article at: https://www.insidegovernmentcontracts.com/2018/11/dod-issues-final-guidance-for-assessing-contractor-compliance-with-nist-sp-800-171/

See GTPAC’s video, template and other resources designed to help contractors comply with the DoD/NIST cybersecurity rules at: http://gtpac.org/cybersecurity-training-video/

DoD to limit use of ‘Brand Name or Equal’ contract competitions

By

The Department of Defense (DoD) has proposed a new rule limiting the use of “brand name or equal” contract competitions, calling on contracting officers to publicly justify their need for a brand name-type product before issuing a solicitation.  The rule would implement Section 888(a) of the National Defense Authorization Act of 2017, which directed the Secretary of Defense to “ensure that competition in [DoD] contracts is not limited” by brand name references without a justification under 10 U.S.C. § 2304(f).

Background

Federal procurement law requires agencies to draft competitive solicitations that describe the Government’s needs generally, rather than referencing a specific type of product.  However, “under certain circumstances,” agencies may request a specific brand name product or its equal.  An off-brand product is “equal” if it shares the same the same salient characteristics as the brand name product. 

Contractors have at times challenged, through pre-award bid protests, agency decisions to reference a brand name product as unfair and unduly restrictive of competition, contrary to the Competition in Contracting Act of 1984’s (CICA) requirement for full and open competition.

Keep reading this article at: https://www.insidegovernmentcontracts.com/2018/11/whats-in-a-brand-name-dod-to-limit-use-of-brand-name-or-equal-contract-competitions/

Contracting News

Read More

Contracting Tips

Read More

GTPAC News

Read More

Georgia Tech News

Read More