Georgia Tech Procurement Assistance Center

DOD’s proposed cybersecurity maturity model certification requirements: what we know and how to prepare

By

The final DFARS cybersecurity rule promulgated in 2016, which included the latest changes to the DFARS clause at 252.204-7012, was a significant development for DoD contractors, in part because it mandates compliance with the 110 security controls in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.  DoD has been working with the contracting community since that time with respect to the implementation of the final rule, but has concluded that further compliance steps are needed in the form of cybersecurity certification standards.

The anticipated new cybersecurity certification standards for DoD contractors are quickly taking shape.  Katie Arrington, former South Carolina legislator and current special assistant for Cybersecurity to Assistant Secretary of Defense for Acquisition, recently announced that DoD is partnering with the Carnegie Mellon University Software Engineering Institute and the Johns Hopkins University Applied Physics Laboratory in developing the new certification standard: the Cybersecurity Maturity Model Certification or “CMMC.”  This Alert outlines what has been revealed thus far about the CMMC, how the CMMC will affect DoD contractors, and steps you can take to be ready when the CMMC goes live.

Continue reading at:  Miles & Stockbridge

7 steps for getting right with NIST 800-171

By

The deadline for defense contractors and subcontractors to implement the information security requirements listed in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 has come and gone.  There are more than 100 information security requirements in NIST 800-171, and it is a good bet that many smaller companies without ample IT resources fall into the category of: “We missed the deadline… what now?”

If you want to continue working with the Department of Defense, the simple answer is you will have to be 800-171 compliant.  This includes secure file sharing and information exchange governance, namely how you store, access, exchange and govern sensitive (but unclassified) information with the agency.  And while the December 31, 2017, deadline was directed at DOD’s industry partners, NIST 800-171 applies to all non-federal organizations that work with U.S. government systems and data.  So the suggestions below are in no way limited to defense contractors!

Continue reading at:  Federal Computer Week

The importance of compliance with DFARS cybersecurity regulations

By

Clicking the “COMPLY” check box on the list of government requirement flow-downs may seem like a necessary evil of being a supplier to the defense market, but some regulations around information and cybersecurity provide the critical foundations of a trusted computing supply chain.

Cyber and information warfare are the hottest and possibly most contested battlefields in the race for military dominance. Case in point, the U.S. Navy recently changed the name of Space and Naval Warfare Systems Command (SPAWAR) to the Naval Information Warfare Systems Command (NAVWAR), in recognition of how important information warfare to defense strategy.

Similarly, earlier this year, the U.S. Army, announced the evolution of its Cyber Command into the Information Warfare Command, and the U.S. Air Force announced the merger of the 24th Air Force (Air Forces Cyber) and the 25th Air Force, to create a new information warfare focused command.

By all indicators, information currently sits near the top of the food chain of assets requiring protection.  To that end, the U.S. Department of Defense (DOD) upped the ante on regulations around what types of information need protection and how much suppliers must protect that information.

Continue reading here:  Military and Aerospace Electronics

NIST updates SP 800-171 to help defend sensitive information from cyberattack

By

An update to one of the National Institute of Standards and Technology’s (NIST) information security documents offers strategies to help protect sensitive information that is stored in computers supporting critical government programs and high value assets. 

The document, entitled Draft NIST Special Publication (SP) 800-171 Revision 2: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizationsnow has a new draft companion publication, NIST SP 800-171B, that offers additional recommendations for handling Controlled Unclassified Information (CUI) in situations where that information runs a higher than usual risk of exposure.  CUI includes a wide variety of information types, from individuals’ names or Social Security numbers to critical defense information. 

When CUI is part of a critical program or a high value asset — such as a weapons system — it can become a significant target for high-end, sophisticated adversaries.  In recent years, these programs and assets have been subjected to an ongoing barrage of serious cyberattacks, prompting the Department of Defense to request additional guidance from NIST. 

 “We need to provide safeguards and countermeasures that can stand up to these attacks,” said NIST’s Ron Ross, one of the publication’s authors.  “We are requesting comments on this initial public draft, which we hope will help organizations protect CUI against our most advanced and persistent adversaries.” 

NIST is accepting comments on both SP 800-171 Rev. 2, which received minor editorial updates, and SP 800-171B until July 19, 2019.  In the future, NIST plans to issue  final versions of both publications.  In addition, a previously available companion document, NIST SP 800-171A, will be updated with new assessment procedures for the enhanced security requirements. 

Continue reading at:  NIST website

Pentagon to unveil new Cybersecurity Maturity Model Certification (CMMC) for defense contractors

By

The Department of Defense announced that it is developing a new cybersecurity standard and certification for defense contractors.  It is named the “Cybersecurity Maturity Model Certification” (CMMC).

Notably, the intent of the CMMC is to improve cybersecurity deficiencies in the defense industrial base and secure the supply chain.

The CMMC is expected to be based on NIST SP 800-171, as is the current Defense Federal Acquisition Regulation Supplement (DFARS) rule.  Specifically, DFARS Clause 252.204-7012 requires defense contractors handling sensitive, unclassified information to implement the 110 security controls of NIST SP 800-171.

However, the CMMC may incorporate or rely on frameworks in addition to NIST SP 800-171.

According to news reports, the CMMC will serve as the enforcement mechanism lacking in the current DFARS rule.

Although the draft CMMC has not yet been published, it’s been reported that there will be 5 levels of certification.  The levels will range from basic cyber hygiene to “State-of-the-Art.”  DoD contracts will require specific levels — and awards will be “go/no-go” based on the contractor’s certification status.

This is a fundamental change to how defense contracts are awarded today.

Read more at:  JD Supra

Strict notification and disclosure requirements apply to defense contractors

By

Businesses that seek to obtain and preserve contracts with the United States government, or to deal in certain enumerated defense articles and services, are subject to strict privacy regulations imposed by the U.S. government.

For those under contract (or subcontract) with the U.S. Department of Defense (DoD), the Defense Federal Acquisition Regulation Supplements (DFARS) place stringent minimum security requirements and reporting obligations that must be met, otherwise a business could face financial penalties or termination of its contract.

Businesses that export and import defense articles or services and related technical data must comply with the International Traffic in Arms Regulations (ITAR), which comprise approval, registration and records maintenance requirements. If a violation of ITAR is voluntarily reported, the penalties imposed by the U.S. Department of State’s Directorate of Defense Trade Controls (DDTC) can be reduced.

Businesses subject to DFARS and ITAR should have a compliance program in place that includes an appropriate response to any security incident.

Keep reading this article at: https://www.lexology.com/library/detail.aspx?g=d5fda8c7-68e4-4a1c-a4f5-7e387e51741d

Contracting News

Read More

Contracting Tips

Read More

GTPAC News

Read More

Georgia Tech News

Read More