Georgia Tech Procurement Assistance Center

DoD testing secure cloud to help small contractors protect data

By

The Pentagon still has deep concerns about thefts of sensitive Defense data from contractor systems. But it’s concluded that simply using contract terms to order firms to improve their security isn’t going to do the job.

So the department is testing ways to extend its own cybersecurity expertise and infrastructure to small and medium-sized businesses who don’t have the wherewithal to adequately secure their systems against nation-state attackers. Specifically, it plans to build a secure cloud to house the Defense data companies need to perform their contracts, instead of requiring them to store it themselves.

DoD’s research and development budget for 2020 includes $15 million for a small project the department terms the Defense Industrial Base (DIB) Secure Cloud Managed Services Pilot. In the early going, the Pentagon plans to make the cloud service available to “a subset” of small and medium companies that “support prioritized, critical DoD missions and programs.”

In contract terms, the department would treat the secure cloud as Government Furnished Equipment (GFE), said Ellen Lord, the undersecretary for acquisition and sustainment.

Keep reading this article at: https://federalnewsnetwork.com/defense-news/2019/03/dod-will-test-secure-cloud/

 

Chinese government hackers steal massive amounts of data from Navy contractor computers

By

Chinese government hackers have stolen large swaths of highly sensitive data on undersea warfare from a Navy contractor’s computers, The Washington Post reports.

The stolen information includes secret plans to develop a supersonic anti-ship missile to be used by submarines by 2020, American officials told the Post.

The incidents took place in January and February, but officials did not disclose the contractor that was targeted, the newspaper reported Friday.

Although the information was highly sensitive, it was housed on the contractor’s unclassified network, according to the Post.

“Per federal regulations, there are measures in place that require companies to notify the government when a ‘cyber incident’ has occurred that has actual or potential adverse effects on their networks that contain controlled unclassified information,” Navy Lt. Marycate Walsh said in a statement. “It would be inappropriate to discuss further details at this time.”

Keep reading this article at: http://wtkr.com/2018/06/08/wapo-chinese-government-hackers-steal-massive-amounts-of-data-from-navy-contractor-computers/

GSA tech office launches bug bounty program

By

The cybersecurity company that ran a bug bounty program for the Army and is running ongoing programs for the Pentagon and Air Force will run a similar program for the government’s technology user experience wing, that office announced Friday.

The program run by HackerOne will offer cash rewards ranging from $300 to $5,000 to security researchers who spot dangerous vulnerabilities in websites and applications run by the General Services Administration’s Technology Transformation Service.

TTS did not give a start date for the program.

Keep reading this article at: http://www.nextgov.com/cybersecurity/2017/05/gsa-tech-office-launches-bug-bounty-program/137817

Final federal rule issued on safeguarding contractor information systems

By

Federal Contract InformationAfter years of gestation, a final rule was promulgated May 16, 2016 to mandate minimum cyber defenses for companies that do government business. This Federal Acquisition Regulations rule – “Basic Safeguarding of Contractor Information Systems” 81 Fed. Reg. 30439 – seeks to protect the confidentiality and integrity of federal contract information (FCI) that resides in or transits through any contractor information system.

Why this rule?

Agencies are required by the Federal Information Security Modernization Act (FISMA) to protect federal information. The obligation extends to nonpublic information provided by the federal government to its contractors. Unauthorized cyber extraction of federal information has caused genuine injury to national interests. Using this new FAR provision, every federal agency now will require minimum cyber protection for FCI.

What is federal contract information?

FCI is defined as nonpublic information that is “provided for or generated for the government” under a contract to “develop or deliver a product or service to the government, but not including information provided to the public or simple transactional information. The new rule protects “information systems” rather than carefully defined information types, however. If a contractor processes stores or transmits any FCI, its information system becomes subject to minimum enumerated safeguards. Where a contractor information system hosts FCI and other, non-federal information, the rule applies to the whole system.

Keep reading this article at: http://www.federaltimes.com/story/government/solutions-ideas/2016/06/13/far-rule-federal-contractor-information/85825436/

DoD invites you (well, some of you) to “Hack the Pentagon” this month

By

Last Thursday (March 31, 2016) the U.S. Department of Defense (DoD) announced the launch of a pilot bug-bounty program for the DoD’s public-facing websites.  Called “Hack the Pentagon,” the bounty program will be managed by HackerOne, the disclosure-as-a-service company founded by Alex Rice and Michiel Prins.

Since Hack the Pentagon is a pilot, its budget and duration are fairly modest by DoD standards. The Pentagon has budgeted $150,000 for the month-long bug hunt, which will begin on Monday, April 18 and end by Thursday, May 12. Payouts for accepted bugs will come from HackerOne and will be doled out by June 10.

Hack the Pentagon

Pentagon Press Secretary Peter Cook did not specify which DoD sites would be considered fair game for Hack the Pentagon. “The program will target several DoD public websites which will be identified to the participants as the beginning of the challenge approaches,” he said. “Critical, mission-facing computer systems will not be involved in the program.”

The program is not open to everyone. HackerOne’s page sets out the conditions for those eligible for participation.

Keep reading this article at: http://arstechnica.com/security/2016/04/dod-invites-you-well-some-of-you-to-hack-the-pentagon-this-month/

Why small businesses should care about cybersecurity

By

When hacking stories hit the headlines, they’re usually about large companies — organizations that have millions of users. These companies invest huge amounts of money in keeping data secure, so any breach is a serious issue.

A real-time hack attack map can be seen at http://map.norsecorp.com
A real-time hack attack map can be seen at http://map.norsecorp.com

Small businesses and entrepreneurs often neglect cybersecurity, because they assume it’s someone else’s problem, or their data is not worth stealing. But there are lots of reasons why cybersecurity should be priority number one for entrepreneurs.

It’s not good enough to pretend it doesn’t affect you, or claim your operations are too small. And just because you aren’t aware of a hack, doesn’t mean it isn’t happening.

Keep reading this article at: http://www.entrepreneur.com/article/252138

Will the Government shred your contract after a hack?

By

Contractors are concerned they might lose government business for coming forward about suspected internal data breaches, after the unprecedented decision by two departments to halt contracts with a hacked background investigation firm.

It is believed the personal information of Department of Homeland Security (DHS) employees likely was compromised when a suspected nation state penetrated a USIS corporate network.  USIS conducts personnel investigations on behalf of many agencies, including the Office of Personnel Management (OPM).  DHS and OPM temporarily ceased some jobs with USIS after the incident.

OPM did not pause work as a punishment, but rather as a way to protect federal employees until more details about the intrusion are known, agency officials told Nextgov on Friday, August 8, 2014.  But officials said they do not host information with USIS on the same system DHS uses.

DHS has issued stop work orders to temporarily halt activities that involve personal information, until the department can assess the full scope of the potential intrusion and repairs, Homeland Security officials told Nextgov.

Keep reading this article at: http://www.nextgov.com/cybersecurity/2014/08/will-government-shred-your-contract-after-hack/91049

Contracting News

Read More

Contracting Tips

Read More

GTPAC News

Read More

Georgia Tech News

Read More