Georgia Tech Procurement Assistance Center

Keeping up with DoD cybersecurity compliance demands

By

On Jan. 21, 2019, Ellen Lord, the Under Secretary of Defense for Acquisition and Sustainment, issued a memorandum focused on assessing contractor compliance with the DFARS cyber clause via audits of a Contractor’s purchasing system.  One intent of this guidance is to have the Defense Contract Management Agency, or DCMA, “validate, for contracts for which they provide contract administration and oversight, contractor compliance with the requirements of DFARS clause 252.204-7012.”

This would be done as part of a review of a contractor’s purchasing system in accordance with DFARS 252.244-7001.  Pursuant to this DFARS clause, contractors are required to provide adequate security on their internal networks to protect Covered Defense Information (CDI) and are required to flow DFARS clause 252.204-7012 “Safeguarding Covered Defense Information and Cyber Incident Reporting” to subcontractors without alteration.

On Feb. 26, 2019, the DCMA updated its Contractor Purchasing System Review (CPSR) Guidebook to incorporate requirements from the January 2019 memorandum. In particular, the “Supply Chain Management Process” outlined in Appendix 24 states that “[p]rotecting Controlled Unclassified Information is a critical aspect” of supply chain management.

The guidebook assumes obligations that are beyond those imposed by the DFARS clause, presumably assuming that new requirements will be imposed contractually in the future.

Keep reading this article at: https://www.insidegovernmentcontracts.com/2019/03/keeping-up-with-dod-cybersecurity-compliance-demands/

Readying contractors’ security plans for evaluation

By

The Defense Department recently issued final guidance for requiring activities to assess contractors’ system security plans and their implementation of the security controls in National Institute of Standards and Technology Special Publication 800-171.

It includes a compliance guidance document, which explains how department entities will assess contractor implementation of its security controls, and an impact guidance document, which explains how the Pentagon will assess the risks of security controls not implemented.

The compliance guidance addresses three objectives pre-award: requiring a self-attestation of implementation of the special publication in all proposals; imposing enhanced security controls in certain situations; and providing alternatives for compliance as an evaluation factor.

Defense Federal Acquisition Regulation Supplement 252.204-7008, which is required in every noncommercial off-the-shelf solicitation, provides that “[b]y submission of this offer, the offeror represents that it will implement the security requirements specified by [NIST SP 800-171].” The Defense Department has interpreted “implementation” as having a completed security system plan and a plan of action and milestones for the relevant covered defense information.

If a requiring activity believes that enhanced security controls are required beyond those in NIST SP 800-171, the compliance guidance provides direction for adding the requirements to a solicitation.

The guidance does not define what constitutes “enhanced controls.” NIST is expected to issue a new appendix of enhanced controls in the first quarter of 2019.

Keep reading this article at: http://www.nationaldefensemagazine.org/articles/2019/1/30/readying-security-plans-for-evaluation

See GTPAC’s video, template and other resources designed to help contractors comply with the DoD/NIST cybersecurity rules at: http://gtpac.org/cybersecurity-training-video/

DoD continues to up the ante on cybersecurity compliance for contractors

By

Compliance with the security controls in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 is only the beginning for contractors that receive controlled defense information (CDI) in performance of Department of Defense (DoD) contracts and subcontracts.

Faced with an evolving cyber threat, DoD contractors have experienced an increased emphasis on protecting DoD’s information and on confirming contractor compliance with DoD cybersecurity requirements.  This includes audits by the DoD Inspector General (IG) “to determine whether DoD contractors have security controls in place” to protect CDI and enhanced security controls for certain high risk contractor networks.

And on September 28, 2018, the Navy issued a policy memorandum calling for enhanced cybersecurity requirements, including some that have generated opposition within the defense community such as the installation of network sensors by the Naval Criminal Investigative Service on contractor systems.

Other requiring activities are reportedly requiring similar enhanced protections, and NIST is expected to issue a public draft of Revision 2 to NIST SP 800-171 by the end of February, with an appendix of additional enhanced controls.

Keep reading this article at: https://www.insidegovernmentcontracts.com/2019/01/dod-continues-ante-cybersecurity-compliance-contractors/

See GTPAC’s video, template and other resources designed to help contractors comply with the DoD/NIST cybersecurity rules at: http://gtpac.org/cybersecurity-training-video/

Cybersecurity compliance: A key to future DoD contract awards

By

In a recent address at the Air Force Association’s Air, Space & Cyber Conference, Deputy Secretary of Defense Patrick Shanahan emphasized that cybersecurity will become a “critical measurement” for making contract awards as well as a significant consideration in holding a government contractor accountable for its performance.

Shanahan noted that while DoD acquisitions currently focus on three critical measurements—quality, cost and schedule—cybersecurity is “probably going to be what we call the . . . fourth critical measurement.” The DoD is “going to work with [its] industrial partners to help them be as accountable for security as they are for quality.”

Shanahan also noted that adequate cybersecurity protection is part of the standard baseline of government contracting security—it is not an optional feature. He commented, “And it shouldn’t be that being secure comes with a big bill. It’s just like we wouldn’t pay extra for quality.” Consequently, government contractors should recognize that the government “shouldn’t pay extra for security,” he added. Rather, “security is the standard. It’s the expectation. It’s not something that’s above and beyond what we’ve done before.”

Keep reading this article at: http://www.mondaq.com/article.asp?articleid=742094

See GTPAC’s video, template and other resources designed to help contractors comply with the DoD/NIST cybersecurity rules at: http://gtpac.org/cybersecurity-training-video/

Security assessments soon may be part of DoD government contracts acquisition process

By

Identifying threats and improving network and supply chain security has been an ongoing effort by Congress and the Department of Defense (DoD) for the past several years.

Congress has included multiple provisions in the annual National Defense Authorization Acts to spur action by the DoD to address weaknesses in contractor supply chains for electronic parts and vulnerabilities to cyber threats in contractor information technology systems. In turn, the DoD has amended the Defense Federal Acquisition Regulation Supplement (DFARS) to impose new performance requirements on contractors and subcontractors in DoD procurement contracts. This cascading effort of turning policy into contract performance has been steady but slow and of questionable efficacy.

A new initiative under consideration by the DoD could change that. In June testimony to Congress, the DoD said it has started a new initiative known as “Deliver Uncompromised” to “elevate the private sector’s focus on security.” The DoD’s goal is to establish security as a “fourth pillar” in acquisition, “on par with cost, schedule and performance.” The hope is to create incentives for industry to “embrace security, not as a ‘cost center,’ but as a key differentiator” in competitions for procurement contracts.

In August 2018, the nonprofit group Mitre Corporation (Mitre) released a report called “Deliver Uncompromised,” which describes how the DoD and the intelligence community face daily strategic attacks from foreign adversaries in the supply chain domain (e.g., software, hardware, and services) and cyber domain (e.g., informational technology and cyber-physical such as weapons systems). Mitre’s report calls for a unified focus of resources from both the DoD and government contractors to prioritize risk mitigation through enhanced infrastructure and better coordination.

While the DoD cannot require private companies to invest in specific security measures, the Mitre report recommends that the DoD use its purchasing power and regulatory authority to influence and shape the conduct of the DoD suppliers. For example, the DoD may begin defining procurement requirements with new security measures, or rewarding contractor proposals with superior security measures by elevating security as a primary metric for evaluation during the source selection process. The DoD could also include terms and conditions in its contracts that impose security requirements, and then use those contractual terms post-award to monitor contractor compliance.

Keep reading this article at: http://www.mondaq.com/article.asp?articleid=737662

GTPAC has created a video and a template to help businesses comply with DoD’s cybersecurity requirements.  These resources appear at: http://gtpac.org/cybersecurity-training-video/

Here’s a description of information security requirements for federal contractors

By

The federal government is requiring federal contractors to implement specific guidance in the form of NIST 800-171 in an effort to curb the trend of federal government data being exposed on contractor networks. This disturbing trend has occurred for a few reasons.

First, federal contracts often require the use of contractor-owned information systems to process federal information. These information systems historically do not meet the government’s requirements and, as a result, have led to information being exfiltrated by nation-state attackers.

An example of this lack of security in contractor information systems became known in May 2017 when federal contractor Booz Allen Hamilton left unencrypted Pentagon files on a publically accessible Amazon server. This resulted in 60,000 sensitive files — plenty of which referred to the U.S. National Geospatial-Intelligence Agency (NGA) — being exposed on the internet for anyone to access.

Keep reading this article at: https://www.forbes.com/sites/forbestechcouncil/2018/09/04/information-security-requirements-for-u-s-federal-contractors/#3daa7183451b

See GTPAC’s video, template and other resources designed to help contractors comply with the DoD/NIST cybersecurity rules at: http://gtpac.org/cybersecurity-training-video/

Strict security notification and disclosure requirements for government contractors

By

Businesses that seek to obtain and preserve contracts with the United States government, or to deal in certain enumerated defense articles and services, are subject to strict privacy regulations imposed by the U.S. government.

For those under contract (or subcontract) with the U.S. Department of Defense (DoD), the Defense Federal Acquisition Regulation Supplements (DFARS) place stringent minimum security requirements and reporting obligations that must be met, otherwise a business could face financial penalties or termination of its contract.

Businesses that export and import defense articles or services and related technical data must comply with the International Traffic in Arms Regulations (ITAR), which comprise approval, registration and records maintenance requirements. If a violation of ITAR is voluntarily reported, the penalties imposed by the U.S. Department of State’s Directorate of Defense Trade Controls (DDTC) can be reduced.

Businesses subject to DFARS and ITAR should have a compliance program in place that includes an appropriate response to any security incident.

Keep reading this article at: http://www.mondaq.com/article.asp?articleid=733388

See GTPAC’s video, template and other resources designed to help contractors comply with the DoD/NIST cybersecurity rules at: http://gtpac.org/cybersecurity-training-video/

Pentagon cyber shortfalls leave data at risk, key senators warn

By

The Pentagon isn’t taking strong enough action to ensure that defense contractors are protecting highly technical but unclassified information from hacking, according to the top lawmakers on the Senate Armed Services Committee.

The Senate panel “has gathered information that suggests DoD is simply not doing enough to protect controlled, unclassified information,” the lawmakers, including ailing Republican Chairman John McCain and Jack Reed, the panel’s top Democrat, wrote to Defense Secretary Jim Mattis in a previously undisclosed letter obtained by Bloomberg News.

“We are concerned with existing regulations and best practices” not being followed in matters such as contracts lacking appropriate cybersecurity clauses, computer networks operating without multifactor authentication for access, strong remote user policies and “insufficient third-party verification of compliance with cybersecurity standards,” the lawmakers wrote last month.

The vulnerability of U.S. systems to hacking has been highlighted in recent years by incidents including attacks on banks and energy infrastructure, as well as efforts to infiltrate state election systems in 2016 and this year. Earlier this year, five pipeline operators in the U.S. said their third-party electronic communications systems were shut down by hackers. The U.S. says the biggest foreign hacking threats come from Russia, China and Iran.

Keep reading this article at: https://www.bloomberg.com/news/articles/2018-08-23/pentagon-cyber-shortfalls-leave-data-at-risk-key-senators-warn

The Georgia Tech Procurement Assistance Center (GTPAC) has produced a video, template and other resources designed to help contractors comply with the DoD/NIST cybersecurity rules.  These resources are available  at: http://gtpac.org/cybersecurity-training-video/

NIST to host CUI information security workshop on Oct. 18th

By

The National Institute of Standards and Technology (NIST), in coordination with the Department of Defense (DoD) and the National Archives and Records Administration (NARA), will host a Workshop providing an overview of Controlled Unclassified Information (CUI) on October 18, 2018.

The agenda for the Workshop shows a full day of panels, including those addressing DoD’s “Safeguarding Covered Defense Information and Cyber Incident Reporting” Clause (DFARS Cyber Rule), overviews of NIST Special Publications (SPs) 800-171 and 800-171A, and Government expectations when evaluating contractor implementation of the 800-171 security controls.

In addition to the panels described in the agenda, the Workshop may provide an opportunity to address questions about DoD’s April 2018 draft guidance for the Department’s assessment of contractors’ System Security Plans (SSPs) and implementation of the security controls in NIST SP 800-171.

The NIST Workshop is open to all interested stakeholders and is free to attend. Registration for in-person attendance can be made at the NIST website and is required by October 11, 2018. NIST has stated that the Workshop also will be available via webcast.  Advanced registration is not required for the webcast.

More information available at: https://www.insidegovernmentcontracts.com/2018/07/cui-workshop/

See GTPAC’s video, template and other resources designed to help contractors comply with the DoD/NIST cybersecurity rules at: http://gtpac.org/cybersecurity-training-video/

How multifactor authentication can help DoD contractors achieve DFARS compliance

By

To say that organizations today are concerned about cybersecurity would be a gross understatement.

Every time we turn around, there are reports of incidents where cybercriminals have either gamed a global social media tool or compromised a corporate customer database.

Needless to say, the U.S. government has also been extremely focused on cybersecurity — as evidenced by its recent directive, the Defense Federal Acquisition Regulation Supplement (DFARS), which aims to help government agencies protect their own data and that of organizations with which they do business.

What Does the DFARS Require?

The regulation requires any Department of Defense (DOD) contractor or subcontractor who handles controlled unclassified information (CUI) to comply with the data-protection standards outlined in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. According to NIST, CUI consists of “any sensitive federal government information routinely processed, stored or transmitted by a contractor in the course of its work providing essential products and services to federal agencies.”

DFARS is part of a worldwide trend of increasingly stringent data security standards. In May 2018, for example, the European Union (EU) enacted its General Data Protection Regulation (GDPR) to enhance user privacy and provide legal recourse when refuting algorithm-based decisions. Also, the Payment Card Industry Data Security Standard (PCI DSS) requires companies that accept credit card payments to host customer data securely with a PCI-compliant hosting provider. These and countless other standards show that data security is top of mind for industry leaders around the world.

Keep reading this article at: https://securityintelligence.com/how-multifactor-authentication-can-help-u-s-government-contractors-achieve-dfars-compliance/

See GTPAC’s video, template and other resources designed to help contractors comply with the DoD/NIST cybersecurity rules at: http://gtpac.org/cybersecurity-training-video/

Contracting News

Read More

Contracting Tips

Read More

GTPAC News

Read More

Georgia Tech News

Read More