Georgia Tech Procurement Assistance Center

DOD’s proposed cybersecurity maturity model certification requirements: what we know and how to prepare

By

The final DFARS cybersecurity rule promulgated in 2016, which included the latest changes to the DFARS clause at 252.204-7012, was a significant development for DoD contractors, in part because it mandates compliance with the 110 security controls in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.  DoD has been working with the contracting community since that time with respect to the implementation of the final rule, but has concluded that further compliance steps are needed in the form of cybersecurity certification standards.

The anticipated new cybersecurity certification standards for DoD contractors are quickly taking shape.  Katie Arrington, former South Carolina legislator and current special assistant for Cybersecurity to Assistant Secretary of Defense for Acquisition, recently announced that DoD is partnering with the Carnegie Mellon University Software Engineering Institute and the Johns Hopkins University Applied Physics Laboratory in developing the new certification standard: the Cybersecurity Maturity Model Certification or “CMMC.”  This Alert outlines what has been revealed thus far about the CMMC, how the CMMC will affect DoD contractors, and steps you can take to be ready when the CMMC goes live.

Continue reading at:  Miles & Stockbridge

7 steps for getting right with NIST 800-171

By

The deadline for defense contractors and subcontractors to implement the information security requirements listed in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 has come and gone.  There are more than 100 information security requirements in NIST 800-171, and it is a good bet that many smaller companies without ample IT resources fall into the category of: “We missed the deadline… what now?”

If you want to continue working with the Department of Defense, the simple answer is you will have to be 800-171 compliant.  This includes secure file sharing and information exchange governance, namely how you store, access, exchange and govern sensitive (but unclassified) information with the agency.  And while the December 31, 2017, deadline was directed at DOD’s industry partners, NIST 800-171 applies to all non-federal organizations that work with U.S. government systems and data.  So the suggestions below are in no way limited to defense contractors!

Continue reading at:  Federal Computer Week

OTA agreements exploding in popularity

By

The Defense Department is ramping up spending on other transaction authority agreements, according to a recent report by big data analytics firm Govini.

The agreements are a contracting mechanism intended to cut through bureaucratic red tape associated with the Pentagon’s standard acquisition practices, and help the department tap into innovation from nontraditional suppliers.  The 2016 National Defense Authorization Act expanded their application.  OTAs are now available for basic, applied and advanced research projects and for prototype projects and follow-on production, noted the Govini report titled, “Evaluating the Innovative Potential of Other Transaction Authority Investments.”

“To ensure U.S. military advantage, it is imperative for DoD to partner with businesses and academia to incorporate innovative technological advancements into military capability,” the study said.  “DoD is increasingly using OTAs to leverage commercial technology for research and prototyping.”

Following the change in the NDAA, obligation totals grew by 122 percent, eventually reaching a total of $3.4 billion in fiscal year 2018, according to the report.

Continue reading at:  National Defense Magazine 

Defense Security Service (DSS) renamed Defense Counterintelligence and Security Agency (DCSA)

By

If you hold a personal security clearance, or your business maintains a U.S. facility security clearance, then you need to be aware that the Defense Security Service (DSS) has recently been re-named, re-aligned and re-organized – with new leadership and broader responsibilities.

Pursuant to Executive Order 13869, “Transferring Responsibility for Background Investigations to the Department of Defense,” the Acting Secretary of Defense has renamed the former DSS to the Defense Counterintelligence and Security Agency (DCSA).

Continue reading at:  Bradley

Small launch vehicle companies seek improvements in government contracting

By

As Rocket Lab prepares the next launch of its Electron rocket, it and other small launch vehicle developers say the U.S. government can be a better and smarter customer for their services.

A Rocket Lab Electron is scheduled to lift off from the company’s launch site on New Zealand’s Mahia Peninsula during a two-hour window that opens at 12:30 a.m. Eastern June 27.  The mission, dubbed “Make It Rain,” is a dedicated rideshare mission for Spaceflight Industries carrying several small satellites, including BlackSky’s Global-3 imaging satellite, with a total payload mass of 80 kilograms.

Rocket Lab’s last two launches, though, were directly for U.S. military customers.  A May 5 launch placed three technology demonstration satellites into orbit for the U.S. Air Force, while a March 28 launch placed DARPA’s Radio Frequency Risk Reduction Deployment Demonstration (R3D2) into orbit.

Despite the success in winning business from U.S. government customers, the company says it’s much easier dealing with commercial customers for its launches.  Those customers often email the company asking if they can accommodate a particular satellite, said Lars Hoffman, senior vice president of global launch services at Rocket Lab, during a June 6 panel discussion at the National Space Society’s International Space Development Conference.

The company can then provide a quote to that customer within days, he said.  “We can be on contract within a matter of a week or two weeks.”

If a government customer seeks a similar launch, though, the contracting process takes longer.  “It can take months, and that’s on a streamlined” or rapid acquisition approach, he said.  That can stretch out to more than a year for a more traditional acquisition.

Continue reading at:  Space News

The importance of compliance with DFARS cybersecurity regulations

By

Clicking the “COMPLY” check box on the list of government requirement flow-downs may seem like a necessary evil of being a supplier to the defense market, but some regulations around information and cybersecurity provide the critical foundations of a trusted computing supply chain.

Cyber and information warfare are the hottest and possibly most contested battlefields in the race for military dominance. Case in point, the U.S. Navy recently changed the name of Space and Naval Warfare Systems Command (SPAWAR) to the Naval Information Warfare Systems Command (NAVWAR), in recognition of how important information warfare to defense strategy.

Similarly, earlier this year, the U.S. Army, announced the evolution of its Cyber Command into the Information Warfare Command, and the U.S. Air Force announced the merger of the 24th Air Force (Air Forces Cyber) and the 25th Air Force, to create a new information warfare focused command.

By all indicators, information currently sits near the top of the food chain of assets requiring protection.  To that end, the U.S. Department of Defense (DOD) upped the ante on regulations around what types of information need protection and how much suppliers must protect that information.

Continue reading here:  Military and Aerospace Electronics

DoD unveils proposed cybersecurity capability model certification standards

By

Cybersecurity.  It’s never over, is it?  In what can only be described as a “soft” release, the Department of Defense (DoD) has slowly and quietly begun to reveal its intent to provide federal contractors with a formal cybersecurity certification as early as next year.  The program, known as the Cybersecurity Capability Model Certification (CCMC), is an effort to streamline the acquisition process by providing acquiring agencies and consenting contractors with more exacting cybersecurity requirements for forthcoming acquisitions.

Moreover, as announced clearly and repeatedly by the Special Assistant to the Assistant Secretary of Defense for Acquisition and Sustainment for Cyber, Katie Arrington, during events on May 23, 2019, and June 12, 2019, certain cybersecurity costs will be allowable under certain circumstances.  This means that not only is DoD again in the process of facilitating the acquisition of cybersecurity capabilities throughout its entire supply chain, but now the DoD recognizes that it should actually pay for what it requires of contractors.

Continue reading at:  McCarter and English

Doing business with the U.S. Government in an era of cybersecurity, espionage and executive orders

By

In an era of trade wars, espionage, and executive orders, how can companies who wish to dive into government procurement or are already involved in procurement abide by Federal laws and data security regulations and increase the likelihood of proper procurement?

Recently, the D.C. law firm Sheppard Mullin hosted a podcast discussing various government contracting requirements, including those related to cybersecurity.  Topics discussed include:

What does the legal landscape look like for doing business with the U.S. government?

What various layers of laws apply to government contracting?

When it comes to cybersecurity, what new developments have emerged that affect government contracts?

What type of security controls should contractors implement to protect data?

What are security control “families”?

What security rules are specific to government contractors and why are they important for companies of all types to be familiar with them?

Why is it important to be open to checking where your sensitive data and documenting your plan to protect that data?

The “Plan of Action” the Department of Defense requires.

What is the National Defense Authorization Act and what does it establish?

How has the 2019 Executive Order affected information and telecommunications technologies?

How are the Federal Acquisition Regulations playing a role in the trade war with China?

You can listen to the podcast at:  The Sheppard Mullin website

False Claims Act case based on DoD’s cybersecurity regulations survives motion to dismiss

By

In the summer of 2015, we cautioned that the Department of Defense’s (DoD’s) new cybersecurity regulations could be used offensively to support False Claims Act (FCA) cases and bid protests.  Four years later, those premonitions have unfortunately come true.  Recently, a federal court refused to dismiss a relator’s implied certification FCA case in which he alleged that his employer “misrepresented … to the government the extent to which it had equipment required by the regulations, instituted required security controls, and possessed necessary firewalls” in violation of DoD’s cybersecurity regulations.  United States ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc., No. 2:15-cv-2245, 2019 WL 2024595, *3 (E.D. Cal. May 8, 2019).

By way of background, the False Claims Act imposes civil and potentially criminal liability on anyone who knowingly presents a false or fraudulent claim for payment to the federal Government, or knowingly makes, uses or causes to be made or used, a false record or statement material to a false or fraudulent claim.  31 U.S.C. § 3729(a)(1)(A) & (B).  The FCA permits a private person, known as a relator, to bring a qui tam civil lawsuit in the name of Government against anyone who violates the Act.  Civil remedies can include up to three times the actual damages suffered by the Government as a result of the false claim along with a civil penalty between $5,000 and $10,000 for each violation.  The relator receives a share of any proceeds from the action—generally 15 to 25 percent if the Government intervenes, and 25 to 30 percent if it does not, plus attorneys’ fees and costs.  The FCA also has a lengthy statute of limitations of either six years from when the fraud is committed or three years after the Government knows or should know about the material facts giving rise to the claim, whichever is later, as long as the action is filed within ten years of the alleged fraud.  31 U.S.C. § 3731(b); Cochise Consultancy, Inc. v. United States ex rel. Hunt, 587 U.S. __ (May 13, 2019) (noting “if the Government discovers the fraud on the day it occurred, it would have 6 years to bring suit, but if a relator instead discovers the fraud on the day it occurred and the Government does not discover it, the relator could have as many as 10 years to bring suit”).

Read more at:  Privacy and Data Security Insight

Defense contracting fraud remains ongoing issue

By

In April Oben Cabalceta pleaded guilty to defrauding the U.S. Department of Defense (DoD) out of $1.8 million by providing the wrong or incorrect military equipment parts.  The New Jersey resident also admitted to illegally accessing sensitive, technical information despite not even being an American citizen.

Cabalceta, who is a native and citizen of the Republic of Costa Rica and was not lawfully in the United States, pleaded guilty to one count of wire fraud and one count of conspiracy for violating the Arms Control Act.

Continue reading at:  Clearance Jobs

Contracting News

Read More

Contracting Tips

Read More

GTPAC News

Read More

Georgia Tech News

Read More