Georgia Tech Procurement Assistance Center

  • Home
  • About Us
  • Training
    • Class Registration
    • On-demand Training
  • Useful Links
  • Team Directory
    • Albany Counselor
    • Atlanta Counselors
    • Augusta Counselor
    • Carrollton Counselor
    • Columbus Counselor
    • Gainesville Counselor
    • Savannah Counselor
    • Warner Robins Counselor
  • Directions
    • Atlanta – Training Facility
    • Atlanta – Office
    • Albany
    • Augusta
    • Carrollton
    • Columbus
    • Gainesville
    • Savannah
    • Warner Robins
  • New Client Application
  • Contact Us

Contractors have questions about DOD’s cyber requirements

August 14, 2019 By Nancy Cleveland

The Pentagon is making big moves in an effort to improve cybersecurity for its industrial base, but so far the department’s biggest roadblocks early on may be the same confusion, doubt and uneven compliance from contractors that led to the vulnerabilities in the first place.

Officials from the Department of Defense and the National Institute of Standards and Technology gave updates on two nascent programs at an Aug. 8 Information Security and Privacy Advisory Board meeting: NIST’s new draft cybersecurity guidance for contractor systems deemed high value assets and the Pentagon’s Cybersecurity Maturity Model Certification (CMMC) program.

Both are designed to shore up different aspects of DOD’s cybersecurity regime for contractors, and both are causing heartburn among companies who are still unclear about how best to comply.

The NIST draft guidance around high value assets recently went out for public comment earlier this year.  The more than 600 responses reflect confusion about the scope and application of the requirements.

Continue reading at:  FCW.com

Filed Under: Contracting News Tagged With: CMMC, cybersecurity, DoD, NIST

7 steps for getting right with NIST 800-171

July 10, 2019 By Nancy Cleveland

The deadline for defense contractors and subcontractors to implement the information security requirements listed in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 has come and gone.  There are more than 100 information security requirements in NIST 800-171, and it is a good bet that many smaller companies without ample IT resources fall into the category of: “We missed the deadline… what now?”

If you want to continue working with the Department of Defense, the simple answer is you will have to be 800-171 compliant.  This includes secure file sharing and information exchange governance, namely how you store, access, exchange and govern sensitive (but unclassified) information with the agency.  And while the December 31, 2017, deadline was directed at DOD’s industry partners, NIST 800-171 applies to all non-federal organizations that work with U.S. government systems and data.  So the suggestions below are in no way limited to defense contractors!

Continue reading at:  Federal Computer Week

Filed Under: Contracting Tips Tagged With: cybersecurity, DoD, NIST, NIST 800-171, NIST SP 800-171

Weak links in the defense supply chain

April 19, 2019 By Nancy Cleveland

Industry experts told Congress recently that poor awareness of federal cybersecurity contracting standards and a lack of visibility by contractors into their own supply chains are at the heart of problems that have led to widespread targeting and theft of U.S. economic and national security secrets by nation state hackers.

According to a survey of small and medium-sized defense contractors conducted by the National Defense Industrial Association, less than 60 percent of respondents said they read the Defense Federal Acquisition Regulation Supplement that lays out minimum security standards for contractor information systems, while nearly half of those who did said they found it hard to understand.

About 45 percent of respondents hadn’t read National Institute for Standards and Technology guidelines for protecting controlled unclassified information.

Keep reading this article at: https://fcw.com/articles/2019/03/31/defense-supply-chain-weak-links.aspx

See GTPAC’s video, template and other resources designed to help contractors comply with the DoD/NIST cybersecurity rules at: http://gtpac.org/cybersecurity-training-video/

Filed Under: Contracting News Tagged With: controlled defense information, cyber, cyber incident, cybersecurity, DFARS, DoD, NIST, NIST 800-171 NIST issues guidance on contractor, supply chain

Keeping up with DoD cybersecurity compliance demands

April 11, 2019 By Nancy Cleveland

On Jan. 21, 2019, Ellen Lord, the Under Secretary of Defense for Acquisition and Sustainment, issued a memorandum focused on assessing contractor compliance with the DFARS cyber clause via audits of a Contractor’s purchasing system.  One intent of this guidance is to have the Defense Contract Management Agency, or DCMA, “validate, for contracts for which they provide contract administration and oversight, contractor compliance with the requirements of DFARS clause 252.204-7012.”

This would be done as part of a review of a contractor’s purchasing system in accordance with DFARS 252.244-7001.  Pursuant to this DFARS clause, contractors are required to provide adequate security on their internal networks to protect Covered Defense Information (CDI) and are required to flow DFARS clause 252.204-7012 “Safeguarding Covered Defense Information and Cyber Incident Reporting” to subcontractors without alteration.

On Feb. 26, 2019, the DCMA updated its Contractor Purchasing System Review (CPSR) Guidebook to incorporate requirements from the January 2019 memorandum. In particular, the “Supply Chain Management Process” outlined in Appendix 24 states that “[p]rotecting Controlled Unclassified Information is a critical aspect” of supply chain management.

The guidebook assumes obligations that are beyond those imposed by the DFARS clause, presumably assuming that new requirements will be imposed contractually in the future.

Keep reading this article at: https://www.insidegovernmentcontracts.com/2019/03/keeping-up-with-dod-cybersecurity-compliance-demands/

Filed Under: Contracting Tips Tagged With: controlled defense information, cyber, cyber incident, cybersecurity, DFARS, DoD, NIST, NIST 800-171

Readying contractors’ security plans for evaluation

February 18, 2019 By Nancy Cleveland

The Defense Department recently issued final guidance for requiring activities to assess contractors’ system security plans and their implementation of the security controls in National Institute of Standards and Technology Special Publication 800-171.

It includes a compliance guidance document, which explains how department entities will assess contractor implementation of its security controls, and an impact guidance document, which explains how the Pentagon will assess the risks of security controls not implemented.

The compliance guidance addresses three objectives pre-award: requiring a self-attestation of implementation of the special publication in all proposals; imposing enhanced security controls in certain situations; and providing alternatives for compliance as an evaluation factor.

Defense Federal Acquisition Regulation Supplement 252.204-7008, which is required in every noncommercial off-the-shelf solicitation, provides that “[b]y submission of this offer, the offeror represents that it will implement the security requirements specified by [NIST SP 800-171].” The Defense Department has interpreted “implementation” as having a completed security system plan and a plan of action and milestones for the relevant covered defense information.

If a requiring activity believes that enhanced security controls are required beyond those in NIST SP 800-171, the compliance guidance provides direction for adding the requirements to a solicitation.

The guidance does not define what constitutes “enhanced controls.” NIST is expected to issue a new appendix of enhanced controls in the first quarter of 2019.

Keep reading this article at: http://www.nationaldefensemagazine.org/articles/2019/1/30/readying-security-plans-for-evaluation

See GTPAC’s video, template and other resources designed to help contractors comply with the DoD/NIST cybersecurity rules at: http://gtpac.org/cybersecurity-training-video/

Filed Under: Contracting News Tagged With: controlled defense information, cyber, cyber incident, cybersecurity, DFARS, DoD, enhanced controls, network infrastructure, NIST, NIST 800-171

DoD continues to up the ante on cybersecurity compliance for contractors

February 4, 2019 By Nancy Cleveland

Compliance with the security controls in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 is only the beginning for contractors that receive controlled defense information (CDI) in performance of Department of Defense (DoD) contracts and subcontracts.

Faced with an evolving cyber threat, DoD contractors have experienced an increased emphasis on protecting DoD’s information and on confirming contractor compliance with DoD cybersecurity requirements.  This includes audits by the DoD Inspector General (IG) “to determine whether DoD contractors have security controls in place” to protect CDI and enhanced security controls for certain high risk contractor networks.

And on September 28, 2018, the Navy issued a policy memorandum calling for enhanced cybersecurity requirements, including some that have generated opposition within the defense community such as the installation of network sensors by the Naval Criminal Investigative Service on contractor systems.

Other requiring activities are reportedly requiring similar enhanced protections, and NIST is expected to issue a public draft of Revision 2 to NIST SP 800-171 by the end of February, with an appendix of additional enhanced controls.

Keep reading this article at: https://www.insidegovernmentcontracts.com/2019/01/dod-continues-ante-cybersecurity-compliance-contractors/

See GTPAC’s video, template and other resources designed to help contractors comply with the DoD/NIST cybersecurity rules at: http://gtpac.org/cybersecurity-training-video/

Filed Under: Contracting News Tagged With: controlled defense information, cyber, cyber incident, cybersecurity, DFARS, DoD, network infrastructure, NIST, NIST 800-171

The new rules of cybersecurity

January 24, 2019 By Nancy Cleveland

At this very moment someone, somewhere in the world may be plotting to hack into an organization’s critical network infrastructure.

Creativity, time and investment are never in short supply when determined attackers are intent on gaining access to networks. It’s created an environment whereby solutions to prevent attacks are being developed just after new hacking tactics are deployed. To solve this divergence, we need to focus on “cyber at machine speed” — implementing new tools simultaneously with or even before hackers.

In short, getting the basics right is no longer enough. Adversaries now have the tools, the motivation and certainly the persistence to overcome current standards and compliance protocols.

Simply put, adequacy is no longer adequate.

Keep reading this article at: https://www.nextgov.com/ideas/2018/12/new-rules-cybersecurity/153714/

See GTPAC’s video, template and other resources designed to help contractors comply with the DoD/NIST cybersecurity rules at: http://gtpac.org/cybersecurity-training-video/

Filed Under: Contracting Tips Tagged With: controlled defense information, cyber, cyber incident, cybersecurity, DFARS, DoD, network infrastructure, NIST, NIST 800-171 NIST issues guidance on contractor

DoD and other agencies seek to enhance contractors’ cyber and supply chain security

January 4, 2019 By Nancy Cleveland

The Department of Defense (DoD) and its component services and agencies are taking several independent steps to assess and enhance their cyber and supply chain security that will directly or indirectly affect DoD contractors and subcontractors.

Other federal agencies, including the Department of Homeland Security (DHS), Commerce, and General Services Administration (GSA), are also considering or implementing measures to enhance cyber and supply chain security that will directly or indirectly affect government contractors and their supply chains.

These initiatives will intensify scrutiny of government contractors and subcontractors, increase their cyber and supply chain security compliance requirements, and affect their ability to compete for, and win, government contracts. This article summarizes these initiatives and states our view that, despite the proposal and likely adoption of a comprehensive new Federal Acquisition Regulation (FAR) cybersecurity clause next year, federal government contractors and subcontractors are likely to face multiple, overlapping, and possibly conflicting cybersecurity and supply chain requirements for some time to come.

Keep reading this article at: http://www.mondaq.com/article.asp?articleid=767144

See GTPAC’s video, template and other resources designed to help contractors comply with the DoD/NIST cybersecurity rules at: http://gtpac.org/cybersecurity-training-video/

Filed Under: Contracting Tips Tagged With: controlled defense information, cyber, cyber incident, cybersecurity, DFARS, DoD, FAR, GSA, HHS, NIST, NIST 800-171 NIST issues guidance on contractor, security, supply chain

Contractors are a bull’s-eye for hackers

December 19, 2018 By Nancy Cleveland

The U.S. defense industrial supply chain is vast, complex and vulnerable. Organic components, large-scale integrators, myriad commercial service providers, and tens of thousands of private companies sustain the Defense Department. According to the SANS Institute, the percentage of cyber breaches that originate in the supply chain could be as high as 80 percent.

Some progress has undoubtedly been made with regard to securing the supply chain. The Defense Federal Acquisition Regulation Supplement (DFARS) NIST SP 800-171 supply chain program, for instance, introduced 109 stringent requirements for Defense Department suppliers dealing with sensitive government data—53 related to technology and 56 related to security policy.

But while DFARS applies to all contractors and suppliers regardless of size, it has not yet been fully implemented and it is not bulletproof.  Still, it is a big step toward securing the supply chain at all levels.

Keep reading this article at: https://www.afcea.org/content/contractors-are-bulls-eye-hackers

See GTPAC’s video, template and other resources designed to help contractors comply with the DoD/NIST cybersecurity rules at: http://gtpac.org/cybersecurity-training-video/

Filed Under: Contracting Tips Tagged With: controlled defense information, cyber, cyber incident, cybersecurity, DFARS, DoD, NIST, NIST 800-171 NIST issues guidance on contractor, risk

Pentagon considers cybersecurity certification for its contractors

December 18, 2018 By Nancy Cleveland

In cybersecurity, you’re only as strong as your weakest link.

For the Defense Department, the area with the fewest cyber protections are the defense contractors the department works with, particularly the small businesses that don’t have the expertise or resources to build a robust security posture.

The Pentagon put together a task force to assess whether small businesses within the defense industrial base are complying with the cybersecurity framework published by the National Institute of Standards and Technology and provide assistance to companies that need help.

The department issued a new rule last year requiring vendors to show that they are in compliance with NIST standards or have a plan to get there quickly. Those plans were due Jan. 1.

Keep reading this article at: https://www.nextgov.com/cybersecurity/2018/12/pentagon-considers-cybersecurity-certification-its-contractors/153330/

See GTPAC’s video, template and other resources designed to help contractors comply with the DoD/NIST cybersecurity rules at: http://gtpac.org/cybersecurity-training-video/

Filed Under: Contracting News Tagged With: controlled defense information, cyber, cyber incident, cybersecurity, DFARS, DoD, GTPAC, NIST, NIST 800-171 NIST issues guidance on contractor

  • 1
  • 2
  • 3
  • …
  • 5
  • Next Page »

Recent Posts

  • Contractors must update EEO poster
  • SBA scorecard shows federal government continues to prioritize small business contracting
  • The risk of organizational conflicts of interest
  • The gap widens between COFC and GAO on late is late rule
  • OMB releases guidance related to small business goals

Popular Topics

8(a) abuse Army bid protest budget budget cuts certification construction contract awards contracting opportunities cybersecurity DoD DOJ False Claims Act FAR federal contracting federal contracts fraud GAO Georgia Tech government contracting government contract training government trends GSA GSA Schedule GTPAC HUBZone innovation IT Justice Dept. marketing NDAA OMB SBA SDVOSB set-aside small business small business goals spending subcontracting technology VA veteran owned business VOSB wosb

Contracting News

SBA scorecard shows federal government continues to prioritize small business contracting

OMB releases guidance related to small business goals

OMB issues guidance on impact of injunction on government contractor vaccine mandate

Changes coming to DOD’s Cybersecurity Maturity Model Certification under CMMC 2.0

Judge issues nationwide injunction halting enforcement of COVID-19 vaccine mandate

Read More

Contracting Tips

Contractors must update EEO poster

The risk of organizational conflicts of interest

The gap widens between COFC and GAO on late is late rule

Are verbal agreements good enough for government contractors?

CMMC 2.0 simplifies requirements but raises risks for government contractors

Read More

GTPAC News

VA direct access program events in 2022

Sandia National Laboratories seeks small business suppliers

Navy OSBP hosting DCAA overview (part 2) event Jan. 12, 2022

Navy OSBP hosting cybersecurity “ask me anything” event Dec. 16th

State of Georgia hosting supplier systems training on January 26, 2022

Read More

Georgia Tech News

Undergraduate enrollment growth reflects inclusive excellence

Georgia Tech delivers $4 billion in economic impact to the State of Georgia

Georgia Tech awards first round of seed grants to support team-based research

Georgia Tech announces inaugural Associate Vice President of Corporate Engagement

DoD funds Georgia Tech to enhance U.S. hypersonics capabilities

Read More

  • SAM.gov registration is free, and help with SAM is free, too
APTAC RSS Twitter GTPAC - 30th Year of Service

Copyright © 2023 · Georgia Tech - Enterprise Innovation Institute