Georgia Tech Procurement Assistance Center

Strict notification and disclosure requirements apply to defense contractors

By

Businesses that seek to obtain and preserve contracts with the United States government, or to deal in certain enumerated defense articles and services, are subject to strict privacy regulations imposed by the U.S. government.

For those under contract (or subcontract) with the U.S. Department of Defense (DoD), the Defense Federal Acquisition Regulation Supplements (DFARS) place stringent minimum security requirements and reporting obligations that must be met, otherwise a business could face financial penalties or termination of its contract.

Businesses that export and import defense articles or services and related technical data must comply with the International Traffic in Arms Regulations (ITAR), which comprise approval, registration and records maintenance requirements. If a violation of ITAR is voluntarily reported, the penalties imposed by the U.S. Department of State’s Directorate of Defense Trade Controls (DDTC) can be reduced.

Businesses subject to DFARS and ITAR should have a compliance program in place that includes an appropriate response to any security incident.

Keep reading this article at: https://www.lexology.com/library/detail.aspx?g=d5fda8c7-68e4-4a1c-a4f5-7e387e51741d

Pentagon cyber shortfalls leave data at risk, key senators warn

By

The Pentagon isn’t taking strong enough action to ensure that defense contractors are protecting highly technical but unclassified information from hacking, according to the top lawmakers on the Senate Armed Services Committee.

The Senate panel “has gathered information that suggests DoD is simply not doing enough to protect controlled, unclassified information,” the lawmakers, including ailing Republican Chairman John McCain and Jack Reed, the panel’s top Democrat, wrote to Defense Secretary Jim Mattis in a previously undisclosed letter obtained by Bloomberg News.

“We are concerned with existing regulations and best practices” not being followed in matters such as contracts lacking appropriate cybersecurity clauses, computer networks operating without multifactor authentication for access, strong remote user policies and “insufficient third-party verification of compliance with cybersecurity standards,” the lawmakers wrote last month.

The vulnerability of U.S. systems to hacking has been highlighted in recent years by incidents including attacks on banks and energy infrastructure, as well as efforts to infiltrate state election systems in 2016 and this year. Earlier this year, five pipeline operators in the U.S. said their third-party electronic communications systems were shut down by hackers. The U.S. says the biggest foreign hacking threats come from Russia, China and Iran.

Keep reading this article at: https://www.bloomberg.com/news/articles/2018-08-23/pentagon-cyber-shortfalls-leave-data-at-risk-key-senators-warn

The Georgia Tech Procurement Assistance Center (GTPAC) has produced a video, template and other resources designed to help contractors comply with the DoD/NIST cybersecurity rules.  These resources are available  at: http://gtpac.org/cybersecurity-training-video/

NIST to host CUI information security workshop on Oct. 18th

By

The National Institute of Standards and Technology (NIST), in coordination with the Department of Defense (DoD) and the National Archives and Records Administration (NARA), will host a Workshop providing an overview of Controlled Unclassified Information (CUI) on October 18, 2018.

The agenda for the Workshop shows a full day of panels, including those addressing DoD’s “Safeguarding Covered Defense Information and Cyber Incident Reporting” Clause (DFARS Cyber Rule), overviews of NIST Special Publications (SPs) 800-171 and 800-171A, and Government expectations when evaluating contractor implementation of the 800-171 security controls.

In addition to the panels described in the agenda, the Workshop may provide an opportunity to address questions about DoD’s April 2018 draft guidance for the Department’s assessment of contractors’ System Security Plans (SSPs) and implementation of the security controls in NIST SP 800-171.

The NIST Workshop is open to all interested stakeholders and is free to attend. Registration for in-person attendance can be made at the NIST website and is required by October 11, 2018. NIST has stated that the Workshop also will be available via webcast.  Advanced registration is not required for the webcast.

More information available at: https://www.insidegovernmentcontracts.com/2018/07/cui-workshop/

See GTPAC’s video, template and other resources designed to help contractors comply with the DoD/NIST cybersecurity rules at: http://gtpac.org/cybersecurity-training-video/

How multifactor authentication can help DoD contractors achieve DFARS compliance

By

To say that organizations today are concerned about cybersecurity would be a gross understatement.

Every time we turn around, there are reports of incidents where cybercriminals have either gamed a global social media tool or compromised a corporate customer database.

Needless to say, the U.S. government has also been extremely focused on cybersecurity — as evidenced by its recent directive, the Defense Federal Acquisition Regulation Supplement (DFARS), which aims to help government agencies protect their own data and that of organizations with which they do business.

What Does the DFARS Require?

The regulation requires any Department of Defense (DOD) contractor or subcontractor who handles controlled unclassified information (CUI) to comply with the data-protection standards outlined in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. According to NIST, CUI consists of “any sensitive federal government information routinely processed, stored or transmitted by a contractor in the course of its work providing essential products and services to federal agencies.”

DFARS is part of a worldwide trend of increasingly stringent data security standards. In May 2018, for example, the European Union (EU) enacted its General Data Protection Regulation (GDPR) to enhance user privacy and provide legal recourse when refuting algorithm-based decisions. Also, the Payment Card Industry Data Security Standard (PCI DSS) requires companies that accept credit card payments to host customer data securely with a PCI-compliant hosting provider. These and countless other standards show that data security is top of mind for industry leaders around the world.

Keep reading this article at: https://securityintelligence.com/how-multifactor-authentication-can-help-u-s-government-contractors-achieve-dfars-compliance/

See GTPAC’s video, template and other resources designed to help contractors comply with the DoD/NIST cybersecurity rules at: http://gtpac.org/cybersecurity-training-video/

Some FAQs answered about DoD’s new cybersecurity rule

By

The majority of Defense Department contractors no doubt by now have drafted and populated a system security plan in accordance with Defense Federal Acquisition Regulation Supplement cybersecurity provisions, which require implementation of the security controls in National Institute of Standards and Technology (NIST) Special Publication 800-171.

The Defense Department clarified last year that the requirement to implement the security controls by the Dec. 31 deadline was satisfied by the creation of a system security plan with plans of action for controls not yet met.

While establishing a system security plan means the contractor is initially compliant, understanding the contractor’s remaining obligations under the defense cybersecurity provisions will help ensure the contractor avoids potentially unforeseen pitfalls and liability.

The “frequently asked questions” updated on April 2 by the Defense Department regarding the provisions, discussed below, provide helpful insight into contractor obligations as well as best practices.

For example, when does a company need to update its system security plan?

Keep reading this article at: http://www.nationaldefensemagazine.org/articles/2018/7/3/viewpoint-some-faqs-answered-about-the-new-cybersecurity-rule

See GTPAC’s video, template and other resources designed to help contractors comply with the DoD/NIST cybersecurity rules at: http://gtpac.org/cybersecurity-training-video/

What GAO said and did not say about soliciting data rights in recent protest ruling

By

The Government Accountability Office (GAO) issued a decision on May 22, denying in part and dismissing in part Sikorsky Aircraft Corporation’s much-watched protest of the Air Force’s solicitation to replace the UH-1N helicopter.  The decison deals an early (if light) blow to contractors in their fight against the Air Force’s recent data rights grab.

The GAO, in Sikorsky Aircraft Corp., B-416027; B-416027.2, May 22, 2018, ultimately endorsed one provision requiring broad delivery of both technical data and software necessary for operations, maintenance, installation, and training activities (defined in the solicitation as “OMIT Data”), but Sikorsky’s protest did not go down without first getting an important concession from the Air Force. This concession, and the GAO’s discussion of whether OMIT Data includes source code, are the key takeaways from Sikorsky, and we will discuss them in some length here. Before we do, some stage-setting is appropriate, in particular because the clauses at issue are confusing.

For more than 20 years, contractors and government personnel have used “OMIT data” as a familiar shorthand for the data called out in DFARS 252.227-7013(b)(1)(v) as “Necessary for installation, operation, maintenance, or training purposes (other than detailed manufacturing or process data),” and, importantly, in which the Government is entitled to unlimited rights. In this parlance, OMIT data by definition include neither “detailed manufacturing or process data” (DMPD) nor computer software. Unsurprisingly, the Air Force caused some consternation recently when it bucked this convention and began including in its solicitations for major weapons systems a provision defining “OMIT Data” to include all types of computer software and, in some cases, DMPD. (We distinguish this OMIT Data, specially defined by the Air Force, and the colloquial OMIT data.) Sikorsky was the first to file a formal challenge.

Keep reading this article at: http://www.mondaq.com/article.asp?articleid=706316

Draft DoD guidance reveals how cyber readiness will impact contract evaluations

By

Editor’s Note: This post was created by Jon Williams who is a partner with PilieroMazza and a member of the firm’s Government Contracts Group. 

We have been blogging and giving webinars since last year about the DoD requirements around cybersecurity for contractors that are subject to DFARS 252.204-7012. Please view our past blogs and webinars here and here to get more of the backstory.

In a nutshell, DoD contractors operating nonfederal IT systems and subject to DFARS 252.204-7012 were required to have a system security plan (“SSP”) in place by December 31, 2017, to demonstrate compliance with the recommended security controls in NIST SP 800-171. Although the DFARS requirements were black-and-white, there was a fair amount of uncertainty late last year and continuing into this year about what contractors needed to do to comply and if/how DoD would enforce the requirements.

DoD has taken some of the mystery out of these cyber requirements in a recently-released draft guidance.

Keep reading this blog post at: http://www.pilieromazza.com/the-protests-are-coming-draft-dod-guidance-reveals-how-cyber-readiness-will-impact-contract-evaluations

See GTPAC’s instructional video on achieving compliance with DFARS 252.204-7012 and NIST guidance at: http://gtpac.org/cybersecurity-training-video/

New cyber rule requires critical documents

By

Contractors and their supply chain with active Defense Department contracts, or those that plan on doing business with it, must assure that any of their data systems that transmit, process or store controlled unclassified information are compliant with National Institute of Standards and Technology Special Publication 800-171 “Protecting Controlled Unclassified Information in Non-federal Information Systems and Organizations.”

It’s clear that meeting the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 mandate to comply to the special publication is a required priority for defense contractors, subcontractors and suppliers.

Making a system security plan and plan of actions and mitigations is crucial to winning new business and keeping existing contracts this year and moving forward. Here are some tips on how to approach creating and utilizing these complex compliance documents.

Keep reading this article at: http://www.nationaldefensemagazine.org/articles/2018/3/30/new-cyber-rule-requires-critical-documents

The Georgia Tech Procurement Assistance Center (GTPAC) has developed an instructional video and a template to help contractors comply with DoD’s cybersecurity requirements.  You can view and download these resources at: http://gtpac.org/cybersecurity-training-video/

 

GTPAC’s cybersecurity initiative recognized with national ‘Outstanding Project Award’

By

GTPAC received the Outstanding Project Award at APTAC’s annual training conference on Mar. 7, 2018.

The Georgia Tech Procurement Assistance Center (GTPAC) was honored this week by the Association of Procurement Assistance Centers (APTAC), the organization which represents 98 procurement technical assistance centers (PTACs) across the United States, Guam and Puerto Rico.

GTPAC was presented with APTAC’s Outstanding Project Award which annually recognizes an accomplishment that stands out from the day-to-day activities that all PTACs organize and undertake.

The project recognized by APTAC is GTPAC’s instructional video that provides step-by-step guidance to government contractors on how they can achieve compliance with Department of Defense (DoD) cybersecurity requirements  designed to safeguard DoD information and report on cyber incidents.

GTPAC’s video and accompanying resources – including a template which contractors may use – are made available free of charge on the GTPAC web site at: http://gtpac.org/cybersecurity-training-video.

The video and template have been heralded both by PTACs, who counsel businesses, and by businesses themselves as valuable one-stop resources for existing contractors and aspiring DoD contractors alike.  Since the launch of these training tools at the end of last year, 1,284 persons have viewed the video and downloaded the template 1,508 times.

Specifically, the video explains Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, including its key definitions and cyber obligations, including its primary requirement that defense contractors which process, store or transmit “covered defense information” must address 110 individual cybersecurity controls outlined in National Institute of Standards and Technology (NIST) Special Publication 800-171.

The 20-minute video not only provides information on these requirements, but also provides specific guidance on how government contractors can achieve compliance with the DFARS clause and the NIST standards.  The video guides government contractors on how they can perform a “self-assessment” of their information system using NIST’s Manufacturing Extension Partnership (MEP) Cybersecurity Self-Assessment Handbook.

One of the most creative and innovative aspects of the project is the 127-page cybersecurity template GTPAC created in conjunction with the video.  The template provides step-by-step instructions on how government contractors can create a “Systems Security Plan” and “Plan of Action” – documentation necessary to achieve compliance.

The resources GTPAC created are very timely in light of recent warnings from DoD that it plans to request and evaluate cyber plans from businesses as a part of the contract award decision-making process.   If the video is carefully reviewed and the template is fully completed and properly filled out, contractors will be in a position to document their compliance with the DFARS cybersecurity requirements.

Members of the GTPAC team proudly show off the national award they received.

GTPAC program manager Joe Beaulieu points out that “by providing the video and cybersecurity template, GTPAC’s objective is to make the process of achieving compliance much easier, especially for small defense contractors who may not have the resources necessary to develop such plans from scratch.”  Indeed, the template makes the process of drafting the required documentation easier, as contractors merely have to fill in the blanks and answer specific questions, rather than work from a blank slate.  While it is ultimately up to the contractor to meet the requirements and to provide accurate information, GTPAC’s video and template provide contractors with an excellent starting point for assessing, achieving and documenting compliance.

In honoring GTPAC with the Outstanding Project Award, APTAC encouraged other PTACs to make use of the video, template, and resource materials posted at http://gtpac.org/cybersecurity-training-video.  NIST recently provided similar encouragement to their nationwide network of MEPs in their work with U.S. manufacturers.  GTPAC coordinated the creation of the cybersecurity materials with the Georgia MEP (GaMEP) which, like GTPAC, is a part of the Georgia Institute of Technology’s Enterprise Innovation Institute (EI2).

EI2 is Georgia Tech’s business outreach organization which serves as the primary vehicle to achieve Georgia Tech’s goal of expanded local, regional, and global outreach.  EI2 is the nation’s largest and most comprehensive university-based program of business and industry assistance, technology commercialization, and economic development.

GTPAC is a state-wide program operated by EI2 under a cooperative agreement with the Defense Logistics Agency (DLA).   In 2017, Georgia businesses won more than 5,000 government contracts – worth more than $1 billion – with GTPAC’s help.  All totalled, GTPAC provided counseling, instruction, and bid opportunities to 2,548 Georgia businesses during the past year.

New debriefing rules in effect for DOD contractors

By

As discussed in an earlier post about the NDAA for FY 2018, one of the most significant changes with respect to procurement issues may be related to the DoD’s conduct of debriefings.

Perhaps missed in the discussions of a potential new protest regime going into effect in a couple years is the fact that one of the most significant debriefing changes is effective immediately without the need for a new regulation.

Specifically, Section 818 of the NDAA required that DoD agencies provide disappointed offerors with an opportunity to ask follow-up questions “within two business days after receiving a post award debriefing” and provided that the “5-day period” associated with the timeline for a CICA stay “does not commence until the day the Government delivers to a disappointed offeror the written responses to any questions submitted” pursuant to the new rule. Because these provisions of the NDAA amended the underlying statutes (10 U.S.C. § 2305 and 31 U.S.C. § 3553) instead of requiring the Secretary to amend the DFARS, these rules went into effect upon the signing of the NDAA. In fact, in a few cases since the NDAA went into effect, we have seen DoD agencies agree that the new rules are in effect.

So, what do contractors need to know?

Keep reading this article at: http://www.mondaq.com/article.asp?articleid=674748

Contracting News

Read More

Contracting Tips

Read More

GTPAC News

Read More

Georgia Tech News

Read More