Georgia Tech Procurement Assistance Center

DoD makes supply chain risk management a permanent performance metric

By

On Sept. 19, 2018, the U.S. Department of Defense (DoD) issued a corrected Class Deviation 2018-O0020, to remove the sunset provision in DFARS 239.73, “Requirements for Information Relating to Supply Chain Risk,” that was due to expire on Sept. 30, 2018. The deviation is effective immediately.

This new deviation implements Section 881 of the National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2019. Section 881 made the requirements for supply chain risk management under DFARS 239.73 permanent by placing its authority under a statute (10 U.S.C. § 2239a). This reauthorization reflects the continual efforts by Congress and the DoD to increase oversight on contractors supply chain and use risk management as a metric for contract performance.

DFARS Subpart 239.73, along with its contract clauses DFARS 252.239-7017 and DFARS 252.239-7018, places a significant onus on contractors to investigate its own supply chain to minimize and mitigate any perceived security risks. Failure to meet the requirements of the regulations creates significant risk to a contractor.

  • First, there is an explicit requirement in DFARS 252.239-7018 requiring contractors to actively mitigate supply chain risk during performance of the contract. However, the clause provides no additional information or standard to what is considered adequate mitigation.
  • Second, there is an implicit incentive for contractors to ensure that their supply chain is risk-free because the contractor is not the only entity to investigate risks in its supply chain. DFARS 252.239-7018 provides the government with an incredible oversight capability by permitting it to consult both public and non-public information, including all-source intelligence, to determine whether a contractor’s supply chain creates a risk.

Keep reading this article at: http://www.mondaq.com/article.asp?articleid=743224

Cybersecurity compliance: A key to future DoD contract awards

By

In a recent address at the Air Force Association’s Air, Space & Cyber Conference, Deputy Secretary of Defense Patrick Shanahan emphasized that cybersecurity will become a “critical measurement” for making contract awards as well as a significant consideration in holding a government contractor accountable for its performance.

Shanahan noted that while DoD acquisitions currently focus on three critical measurements—quality, cost and schedule—cybersecurity is “probably going to be what we call the . . . fourth critical measurement.” The DoD is “going to work with [its] industrial partners to help them be as accountable for security as they are for quality.”

Shanahan also noted that adequate cybersecurity protection is part of the standard baseline of government contracting security—it is not an optional feature. He commented, “And it shouldn’t be that being secure comes with a big bill. It’s just like we wouldn’t pay extra for quality.” Consequently, government contractors should recognize that the government “shouldn’t pay extra for security,” he added. Rather, “security is the standard. It’s the expectation. It’s not something that’s above and beyond what we’ve done before.”

Keep reading this article at: http://www.mondaq.com/article.asp?articleid=742094

See GTPAC’s video, template and other resources designed to help contractors comply with the DoD/NIST cybersecurity rules at: http://gtpac.org/cybersecurity-training-video/

Security assessments soon may be part of DoD government contracts acquisition process

By

Identifying threats and improving network and supply chain security has been an ongoing effort by Congress and the Department of Defense (DoD) for the past several years.

Congress has included multiple provisions in the annual National Defense Authorization Acts to spur action by the DoD to address weaknesses in contractor supply chains for electronic parts and vulnerabilities to cyber threats in contractor information technology systems. In turn, the DoD has amended the Defense Federal Acquisition Regulation Supplement (DFARS) to impose new performance requirements on contractors and subcontractors in DoD procurement contracts. This cascading effort of turning policy into contract performance has been steady but slow and of questionable efficacy.

A new initiative under consideration by the DoD could change that. In June testimony to Congress, the DoD said it has started a new initiative known as “Deliver Uncompromised” to “elevate the private sector’s focus on security.” The DoD’s goal is to establish security as a “fourth pillar” in acquisition, “on par with cost, schedule and performance.” The hope is to create incentives for industry to “embrace security, not as a ‘cost center,’ but as a key differentiator” in competitions for procurement contracts.

In August 2018, the nonprofit group Mitre Corporation (Mitre) released a report called “Deliver Uncompromised,” which describes how the DoD and the intelligence community face daily strategic attacks from foreign adversaries in the supply chain domain (e.g., software, hardware, and services) and cyber domain (e.g., informational technology and cyber-physical such as weapons systems). Mitre’s report calls for a unified focus of resources from both the DoD and government contractors to prioritize risk mitigation through enhanced infrastructure and better coordination.

While the DoD cannot require private companies to invest in specific security measures, the Mitre report recommends that the DoD use its purchasing power and regulatory authority to influence and shape the conduct of the DoD suppliers. For example, the DoD may begin defining procurement requirements with new security measures, or rewarding contractor proposals with superior security measures by elevating security as a primary metric for evaluation during the source selection process. The DoD could also include terms and conditions in its contracts that impose security requirements, and then use those contractual terms post-award to monitor contractor compliance.

Keep reading this article at: http://www.mondaq.com/article.asp?articleid=737662

GTPAC has created a video and a template to help businesses comply with DoD’s cybersecurity requirements.  These resources appear at: http://gtpac.org/cybersecurity-training-video/

Here’s a description of information security requirements for federal contractors

By

The federal government is requiring federal contractors to implement specific guidance in the form of NIST 800-171 in an effort to curb the trend of federal government data being exposed on contractor networks. This disturbing trend has occurred for a few reasons.

First, federal contracts often require the use of contractor-owned information systems to process federal information. These information systems historically do not meet the government’s requirements and, as a result, have led to information being exfiltrated by nation-state attackers.

An example of this lack of security in contractor information systems became known in May 2017 when federal contractor Booz Allen Hamilton left unencrypted Pentagon files on a publically accessible Amazon server. This resulted in 60,000 sensitive files — plenty of which referred to the U.S. National Geospatial-Intelligence Agency (NGA) — being exposed on the internet for anyone to access.

Keep reading this article at: https://www.forbes.com/sites/forbestechcouncil/2018/09/04/information-security-requirements-for-u-s-federal-contractors/#3daa7183451b

See GTPAC’s video, template and other resources designed to help contractors comply with the DoD/NIST cybersecurity rules at: http://gtpac.org/cybersecurity-training-video/

Strict security notification and disclosure requirements for government contractors

By

Businesses that seek to obtain and preserve contracts with the United States government, or to deal in certain enumerated defense articles and services, are subject to strict privacy regulations imposed by the U.S. government.

For those under contract (or subcontract) with the U.S. Department of Defense (DoD), the Defense Federal Acquisition Regulation Supplements (DFARS) place stringent minimum security requirements and reporting obligations that must be met, otherwise a business could face financial penalties or termination of its contract.

Businesses that export and import defense articles or services and related technical data must comply with the International Traffic in Arms Regulations (ITAR), which comprise approval, registration and records maintenance requirements. If a violation of ITAR is voluntarily reported, the penalties imposed by the U.S. Department of State’s Directorate of Defense Trade Controls (DDTC) can be reduced.

Businesses subject to DFARS and ITAR should have a compliance program in place that includes an appropriate response to any security incident.

Keep reading this article at: http://www.mondaq.com/article.asp?articleid=733388

See GTPAC’s video, template and other resources designed to help contractors comply with the DoD/NIST cybersecurity rules at: http://gtpac.org/cybersecurity-training-video/

Strict notification and disclosure requirements apply to defense contractors

By

Businesses that seek to obtain and preserve contracts with the United States government, or to deal in certain enumerated defense articles and services, are subject to strict privacy regulations imposed by the U.S. government.

For those under contract (or subcontract) with the U.S. Department of Defense (DoD), the Defense Federal Acquisition Regulation Supplements (DFARS) place stringent minimum security requirements and reporting obligations that must be met, otherwise a business could face financial penalties or termination of its contract.

Businesses that export and import defense articles or services and related technical data must comply with the International Traffic in Arms Regulations (ITAR), which comprise approval, registration and records maintenance requirements. If a violation of ITAR is voluntarily reported, the penalties imposed by the U.S. Department of State’s Directorate of Defense Trade Controls (DDTC) can be reduced.

Businesses subject to DFARS and ITAR should have a compliance program in place that includes an appropriate response to any security incident.

Keep reading this article at: https://www.lexology.com/library/detail.aspx?g=d5fda8c7-68e4-4a1c-a4f5-7e387e51741d

Pentagon cyber shortfalls leave data at risk, key senators warn

By

The Pentagon isn’t taking strong enough action to ensure that defense contractors are protecting highly technical but unclassified information from hacking, according to the top lawmakers on the Senate Armed Services Committee.

The Senate panel “has gathered information that suggests DoD is simply not doing enough to protect controlled, unclassified information,” the lawmakers, including ailing Republican Chairman John McCain and Jack Reed, the panel’s top Democrat, wrote to Defense Secretary Jim Mattis in a previously undisclosed letter obtained by Bloomberg News.

“We are concerned with existing regulations and best practices” not being followed in matters such as contracts lacking appropriate cybersecurity clauses, computer networks operating without multifactor authentication for access, strong remote user policies and “insufficient third-party verification of compliance with cybersecurity standards,” the lawmakers wrote last month.

The vulnerability of U.S. systems to hacking has been highlighted in recent years by incidents including attacks on banks and energy infrastructure, as well as efforts to infiltrate state election systems in 2016 and this year. Earlier this year, five pipeline operators in the U.S. said their third-party electronic communications systems were shut down by hackers. The U.S. says the biggest foreign hacking threats come from Russia, China and Iran.

Keep reading this article at: https://www.bloomberg.com/news/articles/2018-08-23/pentagon-cyber-shortfalls-leave-data-at-risk-key-senators-warn

The Georgia Tech Procurement Assistance Center (GTPAC) has produced a video, template and other resources designed to help contractors comply with the DoD/NIST cybersecurity rules.  These resources are available  at: http://gtpac.org/cybersecurity-training-video/

NIST to host CUI information security workshop on Oct. 18th

By

The National Institute of Standards and Technology (NIST), in coordination with the Department of Defense (DoD) and the National Archives and Records Administration (NARA), will host a Workshop providing an overview of Controlled Unclassified Information (CUI) on October 18, 2018.

The agenda for the Workshop shows a full day of panels, including those addressing DoD’s “Safeguarding Covered Defense Information and Cyber Incident Reporting” Clause (DFARS Cyber Rule), overviews of NIST Special Publications (SPs) 800-171 and 800-171A, and Government expectations when evaluating contractor implementation of the 800-171 security controls.

In addition to the panels described in the agenda, the Workshop may provide an opportunity to address questions about DoD’s April 2018 draft guidance for the Department’s assessment of contractors’ System Security Plans (SSPs) and implementation of the security controls in NIST SP 800-171.

The NIST Workshop is open to all interested stakeholders and is free to attend. Registration for in-person attendance can be made at the NIST website and is required by October 11, 2018. NIST has stated that the Workshop also will be available via webcast.  Advanced registration is not required for the webcast.

More information available at: https://www.insidegovernmentcontracts.com/2018/07/cui-workshop/

See GTPAC’s video, template and other resources designed to help contractors comply with the DoD/NIST cybersecurity rules at: http://gtpac.org/cybersecurity-training-video/

How multifactor authentication can help DoD contractors achieve DFARS compliance

By

To say that organizations today are concerned about cybersecurity would be a gross understatement.

Every time we turn around, there are reports of incidents where cybercriminals have either gamed a global social media tool or compromised a corporate customer database.

Needless to say, the U.S. government has also been extremely focused on cybersecurity — as evidenced by its recent directive, the Defense Federal Acquisition Regulation Supplement (DFARS), which aims to help government agencies protect their own data and that of organizations with which they do business.

What Does the DFARS Require?

The regulation requires any Department of Defense (DOD) contractor or subcontractor who handles controlled unclassified information (CUI) to comply with the data-protection standards outlined in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. According to NIST, CUI consists of “any sensitive federal government information routinely processed, stored or transmitted by a contractor in the course of its work providing essential products and services to federal agencies.”

DFARS is part of a worldwide trend of increasingly stringent data security standards. In May 2018, for example, the European Union (EU) enacted its General Data Protection Regulation (GDPR) to enhance user privacy and provide legal recourse when refuting algorithm-based decisions. Also, the Payment Card Industry Data Security Standard (PCI DSS) requires companies that accept credit card payments to host customer data securely with a PCI-compliant hosting provider. These and countless other standards show that data security is top of mind for industry leaders around the world.

Keep reading this article at: https://securityintelligence.com/how-multifactor-authentication-can-help-u-s-government-contractors-achieve-dfars-compliance/

See GTPAC’s video, template and other resources designed to help contractors comply with the DoD/NIST cybersecurity rules at: http://gtpac.org/cybersecurity-training-video/

Some FAQs answered about DoD’s new cybersecurity rule

By

The majority of Defense Department contractors no doubt by now have drafted and populated a system security plan in accordance with Defense Federal Acquisition Regulation Supplement cybersecurity provisions, which require implementation of the security controls in National Institute of Standards and Technology (NIST) Special Publication 800-171.

The Defense Department clarified last year that the requirement to implement the security controls by the Dec. 31 deadline was satisfied by the creation of a system security plan with plans of action for controls not yet met.

While establishing a system security plan means the contractor is initially compliant, understanding the contractor’s remaining obligations under the defense cybersecurity provisions will help ensure the contractor avoids potentially unforeseen pitfalls and liability.

The “frequently asked questions” updated on April 2 by the Defense Department regarding the provisions, discussed below, provide helpful insight into contractor obligations as well as best practices.

For example, when does a company need to update its system security plan?

Keep reading this article at: http://www.nationaldefensemagazine.org/articles/2018/7/3/viewpoint-some-faqs-answered-about-the-new-cybersecurity-rule

See GTPAC’s video, template and other resources designed to help contractors comply with the DoD/NIST cybersecurity rules at: http://gtpac.org/cybersecurity-training-video/

Contracting News

Read More

Contracting Tips

Read More

GTPAC News

Read More

Georgia Tech News

Read More