Georgia Tech Procurement Assistance Center

People are key to securing the defense-industrial supply chain

May 16, 2019 By Nancy Cleveland

Infiltrating the defense supply chain is one of the most insidious means by which attackers can compromise our nation’s communications and weapons systems.  Successfully targeting a single component of the defense industrial base can cause a ripple effect that can significantly impact everything from data centers to war fighters in theater.

The Department of Defense’s new “Deliver Uncompromised” security initiative is designed to tackle this problem at its root cause: third-party suppliers.  In essence, the DoD is requiring its suppliers to bake security into their applications from the beginning of the production process.  A “good enough” approach that just clears the bar for minimal security criteria is no longer good enough.  Security must be ingrained in the very fabric of the entire production process.

Continue reading at:  Fifth Domain

Filed Under: Contracting Tips Tagged With: DoD, security, supply chain

Why computer passwords are still a problem in 2019

January 29, 2019 By Nancy Cleveland

There was a recent article before the holiday break on the complexity of computer passwords.  The top “worst” password for 2018 was “123456.”  Close behind in second place was “password.”  They were also in first and second place in 2017.  Slightly more complex was “123456789,” in third place in 2018, with the one-character shorter version, “12345678” just behind in fourth place. You get the gist.

Passwords are one of the critical problems in cybersecurity today.  They are too easy to guess.  They are too easy to break.  All a hacker needs is your user ID (say, e.g. notsodifficult@password.com) and he or she can be off to the races in a matter of minutes invading your employee email account.  Likely he also will be able to raid many of your other online accounts (like shopping, online gaming and streaming video) because you thought your lame password was so tricky that it was worthy of reusing in your 10 other accounts.  The technical term for what happens here is an account takeover.  In this case times 10.  Re-using a lame password is problem one.

Problem two is social media. We are enamored with sharing information with our family and friends.  That is good. Unfortunately, we share too much: names, places you went on vacation, names of dogs and cats and other animals, even grandparents’ names and locations.  That is all good, except when those same names of places and dogs show up in your password.

Keep reading this article at: https://www.nextgov.com/cybersecurity/2019/01/why-computer-passwords-are-still-problem-2019/154086/

Filed Under: Contracting Tips Tagged With: cybersecurity, email etiquette, password, security

DoD and other agencies seek to enhance contractors’ cyber and supply chain security

January 4, 2019 By Nancy Cleveland

The Department of Defense (DoD) and its component services and agencies are taking several independent steps to assess and enhance their cyber and supply chain security that will directly or indirectly affect DoD contractors and subcontractors.

Other federal agencies, including the Department of Homeland Security (DHS), Commerce, and General Services Administration (GSA), are also considering or implementing measures to enhance cyber and supply chain security that will directly or indirectly affect government contractors and their supply chains.

These initiatives will intensify scrutiny of government contractors and subcontractors, increase their cyber and supply chain security compliance requirements, and affect their ability to compete for, and win, government contracts. This article summarizes these initiatives and states our view that, despite the proposal and likely adoption of a comprehensive new Federal Acquisition Regulation (FAR) cybersecurity clause next year, federal government contractors and subcontractors are likely to face multiple, overlapping, and possibly conflicting cybersecurity and supply chain requirements for some time to come.

Keep reading this article at: http://www.mondaq.com/article.asp?articleid=767144

See GTPAC’s video, template and other resources designed to help contractors comply with the DoD/NIST cybersecurity rules at: http://gtpac.org/cybersecurity-training-video/

Filed Under: Contracting Tips Tagged With: controlled defense information, cyber, cyber incident, cybersecurity, DFARS, DoD, FAR, GSA, HHS, NIST, NIST 800-171 NIST issues guidance on contractor, security, supply chain

Four steps to fix the security clearance backlog

December 13, 2018 By Nancy Cleveland

Congress will get an update on the security clearance backlog this week, but if you can’t tune in, here’s the bottom line up front: the government has taken steps, there has been progress and the system is improving, but it’s not nearly enough.

There are still more than 600,000 government and industry employees waiting for security clearances from the federal government — highly skilled Americans who are sidelined because of bureaucratic red tape. Some have been waiting as long as 500 days just to go to work.

We in the aerospace and defense industry must frequently ask new employees to delay showing up for work, or do less important work, for months until their clearances are approved. The slow pace of background investigations impedes our industry’s ability to recruit the talented individuals we need to fulfill important roles, such as conducting space missions, managing cyber networks, and performing advanced manufacturing.

Keep reading this article at: https://www.defenseone.com/ideas/2018/12/four-steps-fix-security-clearance-backlog/153445

Filed Under: Contracting News Tagged With: advanced manufacturing, cybersecurity, House Armed Services Committee, industry, security, security clearance

DHS would get more power to bar risky contractors under dueling proposals

July 27, 2018 By Nancy Cleveland

Two House Republicans are working on legislation that would expand the Homeland Security Department’s authority to deny contracts to companies that pose cybersecurity supply chain threats while the Trump administration is pushing an even more expansive proposal.

The bill in the House will be modeled on authorities Congress gave the Defense Department in 2011 that were implemented in 2015, said Rep. Scott Perry, R-Pa., who is drafting the bill with Rep. Peter King, R-N.Y.

Under those rules, Pentagon contracting officers can bar vendors that pose a security risk from competing for contracts before they’re awarded and halt contractors from hiring risky subcontractors after an award.

Under current Homeland Security Department rules, contracting officers working on unclassified contracts can’t bar vendors before an award based on information provided by intelligence agencies, according to Soraya Correa, the department’s chief procurement officer, who testified before two House Homeland Security panels last Thursday.

Keep reading this article at: https://www.nextgov.com/cybersecurity/2018/07/dhs-would-get-more-power-bar-risky-contractors-under-forthcoming-bill/149675/

Filed Under: Contracting News Tagged With: cyber, cybersecurity, cyberthreat, DHS, disqualification, DoD, Pentagon, security

DHS would get more power to bar risky contractors under dueling proposals

July 17, 2018 By Nancy Cleveland

Two House Republicans are working on legislation that would expand the Homeland Security Department’s authority to deny contracts to companies that pose cybersecurity supply chain threats while the Trump administration is pushing an even more expansive proposal.

The bill in the House will be modeled on authorities Congress gave the Defense Department in 2011 that were implemented in 2015, said Rep. Scott Perry, R-Pa., who is drafting the bill with Rep. Peter King, R-N.Y.

Under those rules, Pentagon contracting officers can bar vendors that pose a security risk from competing for contracts before they’re awarded and halt contractors from hiring risky subcontractors after an award.

Under current Homeland Security Department rules, contracting officers working on unclassified contracts can’t bar vendors before an award based on information provided by intelligence agencies, according to Soraya Correa, the department’s chief procurement officer, who testified before two House Homeland Security panels last Thursday.

Keep reading this article at: https://www.nextgov.com/cybersecurity/2018/07/dhs-would-get-more-power-bar-risky-contractors-under-forthcoming-bill/149675/

Filed Under: Contracting News Tagged With: cybersecurity, DHS, risk, security, supply chain

Free webinar on facility security clearance process to be held Mar. 31

March 23, 2017 By Nancy Cleveland

The Florida 8(a) Alliance is hosting a briefing on how to begin the facility security clearance process so that your business can work on classified contracts.

The webinar — entitled “A Roadmap to the Facility Security Clearance (FCL) Process” — will be held on Friday, Mar. 31, 2017, from 1:00 to 2:00 pm Eastern Daylight Time.

The webinar is free and open to anyone.  Registration may be accomplished at: https://attendee.gotowebinar.com/register/2974445415999054339.

Filed Under: GTPAC News Tagged With: facility clearance, facility security clearance, FCL, federal contracting, security, security clearance

The top 10 reasons people are denied a security clearance

January 27, 2017 By Nancy Cleveland

In 2016, the Defense Office of Hearing and Appeals held 1,142 security clearance appeals hearings.  They made decisions on security clearance eligibility, placement into public trust positions and Common Access Card denials.

If you are denied a security clearance or your security clearance is revoked due to adverse information that has been discovered or self-reported, you have the right to appeal the decision before DOHA.  A study of the cases and their outcomes offers a good chance to see the trends in security clearance denials, and which issues are likely to cause problems in your own background investigation.

Among the things you discover if you study DOHA cases for very long: Many cases look very similar and the primary issues remain the same from year to year.

To keep reading this article which includes the top 10 issues that appeared before the DOHA board in 2016, click on this link: http://www.govexec.com/excellence/promising-practices/2017/01/top-10-reasons-people-are-denied-security-clearance/134818

Filed Under: Contracting Tips Tagged With: DoD, DOHA, security, security clearance

4 things you need to know about new contractor requirements for classified networks

November 7, 2016 By Nancy Cleveland

Over the years, I’ve sought to provide practical perspectives on the National Industrial Security Program Operating Manual from the Defense Security Service (DSS). Known as the NISPOM, the manual serves as a repository of “must do’s” for Department of Defense (DoD) contractors supporting classified programs.

Given that the protection of classified information and tech systems remains an increasingly complex and constantly evolving challenge, DSS updates NISPOM as requirements shift.

In May, the most recent update was issued in what was called an “Industrial Security Letter” which summarized a number of new, minimum standards referred to collectively as “Conforming Change 2.”

The letter states that contractors cleared for work involving classified information must establish and maintain a program “to detect, deter and mitigate insider threats.” The letter mandates the monitoring of user activity on classified information systems, for example, to track “activity indicative of insider threat behavior.”

User monitoring and other measures now have emerged as requirements – not recommendations – to pursue this line of business with the government.

Keep reading to see the four key changes/provisions in the “new” NISPOM, and what contractors should know about them: https://washingtontechnology.com/articles/2016/10/27/insights-velez-new-cyber-requirements.aspx

Filed Under: Contracting News Tagged With: cybersecurity, DoD, DSS, federal contracting, FISMA, NISPOM, security

Final rule beefs up mandates for contractor information systems security

May 24, 2016 By Nancy Cleveland

A new final rule four years in the making will amend the Federal Acquisition Regulations, or FAR, with new sections on the basic safeguarding of contractor information systems.

The rule, published on May 16, 2016 in the Federal Register and issued by the Defense Department, General Services Administration and NASA, will add a subpart and contract clause on contractor systems that process, store or transmit federal contract information, and calls on contractors to apply a minimum of 15 security control requirements.

This type of information is not intended for public release and excludes information that the government provides to the public or that is related to processing payments.

The focus of the rule is on a basic level of safeguarding, and contractors still have to comply with safeguarding requirements for protecting controlled unclassified information, or CUI. “Systems that contain classified information, or CUI, such as personally identifiable information, require more than the basic level of protection,” the rule stated.

Keep reading this article at: http://www.fiercegovernmentit.com/story/final-rule-beefs-mandates-contractor-information-systems-security/2016-05-17

Filed Under: Contracting News Tagged With: classified information, contractor information system, controlled unclassified information, CUI, cybersecurity, data security, FAR, Federal Register, IT, safeguarding information, security, security control, technology
