Georgia Tech Procurement Assistance Center

The Navy gets tough on DFARS cybersecurity compliance

By

Last year we told you about a 2018 Navy memo, known as the Geurts Memo, which required defense contractors to implement certain controls for NIST SP 800-171, some of them going beyond 171 requirements.  If you didn’t see our write-up, it can be found here: “Still Lagging on DFARS? The Navy Has A Memo For You”.

The Navy has now gone several steps beyond that 2018 memo and is requiring their contracting officers to implement a strict regime when it comes to their contractors’ compliance with NIST SP 800-171 and the Guerts Memo.

Continue reading at:  Sera-Brynn

Prepare now to secure ‘controlled unclassified information’

By

Nowadays, many people are familiar with at least some types of protected information, whether in the form of personal health information or government-classified information. But, contractors working with the Department of Defense (“DoD”) must remember to protect another type of information: controlled unclassified information (“CUI”). Failure by government contractors to put processes in place that protect CUI could result in the loss of contracting opportunities or potential False Claims Act-related litigation.  For more information about the far-reaching implications of cybersecurity requirements on government contractors, please also see Matt Feinberg’s blog on the recent settlement of a cybersecurity False Claims Act (“FCA”) litigation; Isaias “Cy” Alba’s piece about cybersecurity, implied certifications, and the FCA; and Dave Shafer’s analysis of current cybersecurity standards and the DoD’s plans to remedy confusion.

Continue reading at:  Piliero Mazza

Cybersecurity – The Times (and Standards) They Are A Changin’ – FAST!

By

As we reported last month, the Department of Defense (DoD) has been engaging in an unusual rollout of its new cybersecurity certification program by way of  road tours—led by Katie Arrington, the Special Assistant to the Assistant Secretary of Defense for Acquisition and Sustainment for Cyber—that address the tiered, five-level Cybersecurity Maturity Model Certification (CMMC).  At bottom, DoD intends for the CMMC to help streamline the acquisition process by providing acquiring agencies and consenting contractors with more exacting cybersecurity requirements for future acquisitions.  What’s unique about the CMMC rollout is the lack of written guidance on the program.  DoD representatives have orally provided a majority of publicly available information about CMMC only during various webinars and defense-industry events held over the past couple of months.  Indeed, a quick Google search for “CMMC” indicates that, at this time, hard facts about the program appear to be limited to FAQs on a DoD website.

That word of mouth rollout continued during a July 9 presentation at the National Defense Industrial Agency Procurement Division Meeting in Washington, D.C.  During this presentation, Ms. Arrington both reconfirmed some previously discussed details about the CMMC program and provided additional insight into program components that will be of interest to contractors doing business with DoD when the program comes to fruition.

Continue reading at:  McCarter & English

Will defense contractors be ready for CMMC?

By

Defense contractors will face big changes and tight timelines over the next year as the Department of Defense rolls out its new Cybersecurity Maturity Model Certification framework, experts say.

The framework, which aims to certify a company’s compliance with federal cybersecurity regulations around controlled unclassified information (CUI), was announced by DOD officials in June.  It will be used to evaluate and rate contractors’ ability to protect sensitive data on a 1-5 scale starting next year.

The initial version of the framework is scheduled to go public in January 2020.  By June 2020, its requirements will start appearing in requests for information, and will become a regular feature of defense procurement by September 2020.  That means defense contractors will have less than eight months to implement changes for compliance with the Defense Federal Acquisition Regulation Supplement and National Institute of Standards and Technology guidance on protecting CUI.

Continue reading at:  FCW

DOD’s proposed cybersecurity maturity model certification requirements: what we know and how to prepare

By

The final DFARS cybersecurity rule promulgated in 2016, which included the latest changes to the DFARS clause at 252.204-7012, was a significant development for DoD contractors, in part because it mandates compliance with the 110 security controls in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.  DoD has been working with the contracting community since that time with respect to the implementation of the final rule, but has concluded that further compliance steps are needed in the form of cybersecurity certification standards.

The anticipated new cybersecurity certification standards for DoD contractors are quickly taking shape.  Katie Arrington, former South Carolina legislator and current special assistant for Cybersecurity to Assistant Secretary of Defense for Acquisition, recently announced that DoD is partnering with the Carnegie Mellon University Software Engineering Institute and the Johns Hopkins University Applied Physics Laboratory in developing the new certification standard: the Cybersecurity Maturity Model Certification or “CMMC.”  This Alert outlines what has been revealed thus far about the CMMC, how the CMMC will affect DoD contractors, and steps you can take to be ready when the CMMC goes live.

Continue reading at:  Miles & Stockbridge

7 steps for getting right with NIST 800-171

By

The deadline for defense contractors and subcontractors to implement the information security requirements listed in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 has come and gone.  There are more than 100 information security requirements in NIST 800-171, and it is a good bet that many smaller companies without ample IT resources fall into the category of: “We missed the deadline… what now?”

If you want to continue working with the Department of Defense, the simple answer is you will have to be 800-171 compliant.  This includes secure file sharing and information exchange governance, namely how you store, access, exchange and govern sensitive (but unclassified) information with the agency.  And while the December 31, 2017, deadline was directed at DOD’s industry partners, NIST 800-171 applies to all non-federal organizations that work with U.S. government systems and data.  So the suggestions below are in no way limited to defense contractors!

Continue reading at:  Federal Computer Week

The importance of compliance with DFARS cybersecurity regulations

By

Clicking the “COMPLY” check box on the list of government requirement flow-downs may seem like a necessary evil of being a supplier to the defense market, but some regulations around information and cybersecurity provide the critical foundations of a trusted computing supply chain.

Cyber and information warfare are the hottest and possibly most contested battlefields in the race for military dominance. Case in point, the U.S. Navy recently changed the name of Space and Naval Warfare Systems Command (SPAWAR) to the Naval Information Warfare Systems Command (NAVWAR), in recognition of how important information warfare to defense strategy.

Similarly, earlier this year, the U.S. Army, announced the evolution of its Cyber Command into the Information Warfare Command, and the U.S. Air Force announced the merger of the 24th Air Force (Air Forces Cyber) and the 25th Air Force, to create a new information warfare focused command.

By all indicators, information currently sits near the top of the food chain of assets requiring protection.  To that end, the U.S. Department of Defense (DOD) upped the ante on regulations around what types of information need protection and how much suppliers must protect that information.

Continue reading here:  Military and Aerospace Electronics

NIST updates SP 800-171 to help defend sensitive information from cyberattack

By

An update to one of the National Institute of Standards and Technology’s (NIST) information security documents offers strategies to help protect sensitive information that is stored in computers supporting critical government programs and high value assets. 

The document, entitled Draft NIST Special Publication (SP) 800-171 Revision 2: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizationsnow has a new draft companion publication, NIST SP 800-171B, that offers additional recommendations for handling Controlled Unclassified Information (CUI) in situations where that information runs a higher than usual risk of exposure.  CUI includes a wide variety of information types, from individuals’ names or Social Security numbers to critical defense information. 

When CUI is part of a critical program or a high value asset — such as a weapons system — it can become a significant target for high-end, sophisticated adversaries.  In recent years, these programs and assets have been subjected to an ongoing barrage of serious cyberattacks, prompting the Department of Defense to request additional guidance from NIST. 

 “We need to provide safeguards and countermeasures that can stand up to these attacks,” said NIST’s Ron Ross, one of the publication’s authors.  “We are requesting comments on this initial public draft, which we hope will help organizations protect CUI against our most advanced and persistent adversaries.” 

NIST is accepting comments on both SP 800-171 Rev. 2, which received minor editorial updates, and SP 800-171B until July 19, 2019.  In the future, NIST plans to issue  final versions of both publications.  In addition, a previously available companion document, NIST SP 800-171A, will be updated with new assessment procedures for the enhanced security requirements. 

Continue reading at:  NIST website

DoD unveils proposed cybersecurity capability model certification standards

By

Cybersecurity.  It’s never over, is it?  In what can only be described as a “soft” release, the Department of Defense (DoD) has slowly and quietly begun to reveal its intent to provide federal contractors with a formal cybersecurity certification as early as next year.  The program, known as the Cybersecurity Capability Model Certification (CCMC), is an effort to streamline the acquisition process by providing acquiring agencies and consenting contractors with more exacting cybersecurity requirements for forthcoming acquisitions.

Moreover, as announced clearly and repeatedly by the Special Assistant to the Assistant Secretary of Defense for Acquisition and Sustainment for Cyber, Katie Arrington, during events on May 23, 2019, and June 12, 2019, certain cybersecurity costs will be allowable under certain circumstances.  This means that not only is DoD again in the process of facilitating the acquisition of cybersecurity capabilities throughout its entire supply chain, but now the DoD recognizes that it should actually pay for what it requires of contractors.

Continue reading at:  McCarter and English

Pentagon to unveil new Cybersecurity Maturity Model Certification (CMMC) for defense contractors

By

The Department of Defense announced that it is developing a new cybersecurity standard and certification for defense contractors.  It is named the “Cybersecurity Maturity Model Certification” (CMMC).

Notably, the intent of the CMMC is to improve cybersecurity deficiencies in the defense industrial base and secure the supply chain.

The CMMC is expected to be based on NIST SP 800-171, as is the current Defense Federal Acquisition Regulation Supplement (DFARS) rule.  Specifically, DFARS Clause 252.204-7012 requires defense contractors handling sensitive, unclassified information to implement the 110 security controls of NIST SP 800-171.

However, the CMMC may incorporate or rely on frameworks in addition to NIST SP 800-171.

According to news reports, the CMMC will serve as the enforcement mechanism lacking in the current DFARS rule.

Although the draft CMMC has not yet been published, it’s been reported that there will be 5 levels of certification.  The levels will range from basic cyber hygiene to “State-of-the-Art.”  DoD contracts will require specific levels — and awards will be “go/no-go” based on the contractor’s certification status.

This is a fundamental change to how defense contracts are awarded today.

Read more at:  JD Supra

Contracting News

Read More

Contracting Tips

Read More

GTPAC News

Read More

Georgia Tech News

Read More