Georgia Tech Procurement Assistance Center

Pentagon to unveil new Cybersecurity Maturity Model Certification (CMMC) for defense contractors

By

The Department of Defense announced that it is developing a new cybersecurity standard and certification for defense contractors.  It is named the “Cybersecurity Maturity Model Certification” (CMMC).

Notably, the intent of the CMMC is to improve cybersecurity deficiencies in the defense industrial base and secure the supply chain.

The CMMC is expected to be based on NIST SP 800-171, as is the current Defense Federal Acquisition Regulation Supplement (DFARS) rule.  Specifically, DFARS Clause 252.204-7012 requires defense contractors handling sensitive, unclassified information to implement the 110 security controls of NIST SP 800-171.

However, the CMMC may incorporate or rely on frameworks in addition to NIST SP 800-171.

According to news reports, the CMMC will serve as the enforcement mechanism lacking in the current DFARS rule.

Although the draft CMMC has not yet been published, it’s been reported that there will be 5 levels of certification.  The levels will range from basic cyber hygiene to “State-of-the-Art.”  DoD contracts will require specific levels — and awards will be “go/no-go” based on the contractor’s certification status.

This is a fundamental change to how defense contracts are awarded today.

Read more at:  JD Supra

Northrop Grumman to provide free cybersecurity training to small businesses June 4th

By

Northrop Grumman, in collaboration with the USC Center for Economic Development, is offering FREE cybersecurity training to small businesses.  The workshop is open to all small businesses, but advance registration is required.

The primary purpose of the one-day 8-hour workshop is to ensure that small businesses are aware of the cybersecurity requirements mandated under Defense Federal Acquisition Regulations Supplement (“DFARS”) Subpart 204.73 (Safeguarding Covered Defense Information and Cyber Incident Reporting).  The workshop will focus on understanding the risks associated with safeguarding controlled unclassified DoD information. 

The workshop will focus on the groups of controls from NIST SP 800-171, with examples highlighting what happens when these controls are not implemented.  By the end of the workshop, small businesses will become familiar with all 110 controls and be able to better identify the areas where you may need greater focus to meet the DoD’s cybersecurity expectations.

Here are the details about the event:

Date:  Tuesday, June 4, 2019

Time:  8 a.m. to 5 p.m. ET

Location:  Loudermilk Conference Center, 40 Courtland Street NE, Atlanta, GA 30303

The training will also be available online via webinar.

For registration, visit:  https://events.r20.constantcontact.com/register/eventReg?oeidk=a07eg5xonme7588be26&oseq=&c=&ch=

DoD proposes new rule on performance-based contract payments

By

According to a report by the Federal News Network, the Department of Defense (“DoD”) is proposing a new rule which would change how it pays some defense contractors.  DoD is looking to require, whenever practicable, that fixed price contracts be paid out through performance-based contractual payments.  Performance-based payments are a method of contract financing where payments are made on the basis of the contractor’s achievement of objective, quantifiably measurable events, results, or accomplishments that are defined and valued in the contract prior to performance.  Some within the government consider it a preferred method of contracting and claim that it reduces the government’s oversight and compliance costs.  It also may have benefits for contractors, as it should help cash flow, reduce the cost of oversight and compliance, and allow the contractor to focus on technical and schedule progress.  Comments on the proposed rule are due by July 1.

Read the new rule at the Federal Register.

Weak links in the defense supply chain

By

Industry experts told Congress recently that poor awareness of federal cybersecurity contracting standards and a lack of visibility by contractors into their own supply chains are at the heart of problems that have led to widespread targeting and theft of U.S. economic and national security secrets by nation state hackers.

According to a survey of small and medium-sized defense contractors conducted by the National Defense Industrial Association, less than 60 percent of respondents said they read the Defense Federal Acquisition Regulation Supplement that lays out minimum security standards for contractor information systems, while nearly half of those who did said they found it hard to understand.

About 45 percent of respondents hadn’t read National Institute for Standards and Technology guidelines for protecting controlled unclassified information.

Keep reading this article at: https://fcw.com/articles/2019/03/31/defense-supply-chain-weak-links.aspx

See GTPAC’s video, template and other resources designed to help contractors comply with the DoD/NIST cybersecurity rules at: http://gtpac.org/cybersecurity-training-video/

Keeping up with DoD cybersecurity compliance demands

By

On Jan. 21, 2019, Ellen Lord, the Under Secretary of Defense for Acquisition and Sustainment, issued a memorandum focused on assessing contractor compliance with the DFARS cyber clause via audits of a Contractor’s purchasing system.  One intent of this guidance is to have the Defense Contract Management Agency, or DCMA, “validate, for contracts for which they provide contract administration and oversight, contractor compliance with the requirements of DFARS clause 252.204-7012.”

This would be done as part of a review of a contractor’s purchasing system in accordance with DFARS 252.244-7001.  Pursuant to this DFARS clause, contractors are required to provide adequate security on their internal networks to protect Covered Defense Information (CDI) and are required to flow DFARS clause 252.204-7012 “Safeguarding Covered Defense Information and Cyber Incident Reporting” to subcontractors without alteration.

On Feb. 26, 2019, the DCMA updated its Contractor Purchasing System Review (CPSR) Guidebook to incorporate requirements from the January 2019 memorandum. In particular, the “Supply Chain Management Process” outlined in Appendix 24 states that “[p]rotecting Controlled Unclassified Information is a critical aspect” of supply chain management.

The guidebook assumes obligations that are beyond those imposed by the DFARS clause, presumably assuming that new requirements will be imposed contractually in the future.

Keep reading this article at: https://www.insidegovernmentcontracts.com/2019/03/keeping-up-with-dod-cybersecurity-compliance-demands/

Readying contractors’ security plans for evaluation

By

The Defense Department recently issued final guidance for requiring activities to assess contractors’ system security plans and their implementation of the security controls in National Institute of Standards and Technology Special Publication 800-171.

It includes a compliance guidance document, which explains how department entities will assess contractor implementation of its security controls, and an impact guidance document, which explains how the Pentagon will assess the risks of security controls not implemented.

The compliance guidance addresses three objectives pre-award: requiring a self-attestation of implementation of the special publication in all proposals; imposing enhanced security controls in certain situations; and providing alternatives for compliance as an evaluation factor.

Defense Federal Acquisition Regulation Supplement 252.204-7008, which is required in every noncommercial off-the-shelf solicitation, provides that “[b]y submission of this offer, the offeror represents that it will implement the security requirements specified by [NIST SP 800-171].” The Defense Department has interpreted “implementation” as having a completed security system plan and a plan of action and milestones for the relevant covered defense information.

If a requiring activity believes that enhanced security controls are required beyond those in NIST SP 800-171, the compliance guidance provides direction for adding the requirements to a solicitation.

The guidance does not define what constitutes “enhanced controls.” NIST is expected to issue a new appendix of enhanced controls in the first quarter of 2019.

Keep reading this article at: http://www.nationaldefensemagazine.org/articles/2019/1/30/readying-security-plans-for-evaluation

See GTPAC’s video, template and other resources designed to help contractors comply with the DoD/NIST cybersecurity rules at: http://gtpac.org/cybersecurity-training-video/

DoD makes immediate change to limitations on subcontracting rule; FAR Council issues proposed rule

By

The Department of Defense (DoD) has issued a class deviation that resolves the inconsistency between the Small Business Administration (SBA) regulations and the clause at Federal Acquisition Regulation (FAR) 52.219-14 related to the Limitations on Subcontracting Rule (LOSR).

The FAR Council has also issued a proposed rule to amend FAR 52.219-14 to fully resolve this issue for all small businesses. Government contractors should be aware of these new changes and proposed changes.

Generally, the LOSR prevents small business prime contractors from subcontracting the majority of the work under a prime contract to large businesses. The LOSR is intended to ensure that small businesses get the benefit of the set-aside prime contract. The government does not want a small business to get an award, perform only a small portion of the work, and then subcontract out everything else to large businesses.

Since 2016, SBA small businesses have struggled to comply with the LOSR because the regulations at 13 C.F.R. § 125.6 are inconsistent with the contract clause at FAR 52.219-14.

Keep reading this article at: http://www.mondaq.com/article.asp?articleid=777544

See DoD’s Jan. 8, 2019 Class Deviation 2019-O0003 on this subject at: https://www.acq.osd.mil/dpap/policy/policyvault/USA000039-19-DPC_Class_Deviation_2019-O0003.pdf

See the proposed rule here: https://www.govinfo.gov/content/pkg/FR-2018-12-04/pdf/2018-25506.pdf

DoD continues to up the ante on cybersecurity compliance for contractors

By

Compliance with the security controls in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 is only the beginning for contractors that receive controlled defense information (CDI) in performance of Department of Defense (DoD) contracts and subcontracts.

Faced with an evolving cyber threat, DoD contractors have experienced an increased emphasis on protecting DoD’s information and on confirming contractor compliance with DoD cybersecurity requirements.  This includes audits by the DoD Inspector General (IG) “to determine whether DoD contractors have security controls in place” to protect CDI and enhanced security controls for certain high risk contractor networks.

And on September 28, 2018, the Navy issued a policy memorandum calling for enhanced cybersecurity requirements, including some that have generated opposition within the defense community such as the installation of network sensors by the Naval Criminal Investigative Service on contractor systems.

Other requiring activities are reportedly requiring similar enhanced protections, and NIST is expected to issue a public draft of Revision 2 to NIST SP 800-171 by the end of February, with an appendix of additional enhanced controls.

Keep reading this article at: https://www.insidegovernmentcontracts.com/2019/01/dod-continues-ante-cybersecurity-compliance-contractors/

See GTPAC’s video, template and other resources designed to help contractors comply with the DoD/NIST cybersecurity rules at: http://gtpac.org/cybersecurity-training-video/

The new rules of cybersecurity

By

At this very moment someone, somewhere in the world may be plotting to hack into an organization’s critical network infrastructure.

Creativity, time and investment are never in short supply when determined attackers are intent on gaining access to networks. It’s created an environment whereby solutions to prevent attacks are being developed just after new hacking tactics are deployed. To solve this divergence, we need to focus on “cyber at machine speed” — implementing new tools simultaneously with or even before hackers.

In short, getting the basics right is no longer enough. Adversaries now have the tools, the motivation and certainly the persistence to overcome current standards and compliance protocols.

Simply put, adequacy is no longer adequate.

Keep reading this article at: https://www.nextgov.com/ideas/2018/12/new-rules-cybersecurity/153714/

See GTPAC’s video, template and other resources designed to help contractors comply with the DoD/NIST cybersecurity rules at: http://gtpac.org/cybersecurity-training-video/

LPTA solicitations no longer acceptable? Reviewing DoD’s proposed changes to the DFARS

By

In a proposed rule issued last month, the Department of Defense (DoD) seeks to incorporate into the Defense Federal Acquisition Regulations Supplement (DFARS) restrictions on the use of the lowest price technically acceptable (LPTA) source selection method from the National Defense Authorization Act (NDAA) for Fiscal Years 2017 and 2018.  This proposed rule makes clear that these NDAA-imposed restrictions are not going away any time soon, and that DoD contracting officers need to engage in a thorough and reasoned analysis before conducting an LPTA procurement.

Just as its name suggests, the LPTA source selection process prioritizes cost or price over technical capability — the agency will make award to the lowest-priced offeror that presents a technically acceptable proposal.  Typically, agencies use the LPTA process to procure straightforward goods and services such as routine maintenance work or office equipment.  In recent years, however, contractors have complained that agencies employ LPTA selection processes in inappropriate circumstances where qualitative differences really matter and technical superiority is worth a price premium.

Keep reading this article at: https://www.insidegovernmentcontracts.com/2018/12/lowest-price-technically-acceptable-solicitations-no-longer-acceptable-reviewing-department-defenses-proposed-changes-dfars/

Contracting News

Read More

Contracting Tips

Read More

GTPAC News

Read More

Georgia Tech News

Read More