The Contracting Education Academy

Contracting Academy Logo
You are here: Home / Archives for contractor information systems

By

CMMC: The dramatic year of the Pentagon’s contractor cybersecurity program

In 2020, an ambitious Defense Department effort to account for its suppliers’ cybersecurity had many in the community kicking and screaming in tow, but represents a new collective policy thrust that won’t be dismissed.  

The program, led by Katie Arrington, the chief information security officer for Defense acquisitions, is based on the idea that the government should incorporate security standards into its contract administration.

Arrington’s presentations on the program often include an estimate of how much is lost each year through cyber disruptions — $600 billion, according to research cited in the DOD’s answers to frequently asked questions about the program — and highlight intellectual property theft by China.

Before the idea of CMMC, companies within the defense industrial base simply pledged their adherence to cybersecurity practices outlined by the National Institute of Standards and Technology. A 2015 rule required Defense contractors to report cyber incidents and to provide “adequate security” using NIST Special Publication 800-171 to protect covered information. But it wasn’t until summer 2019 that the Defense Department started checking whether companies were implementing the standard.

Keep reading this article at: https://www.nextgov.com/cybersecurity/2021/01/cmmc-dramatic-year-pentagons-contractor-cybersecurity-program/171084/

By

CMMC model tweaks coming after industry feedback

The foundation of the Cybersecurity Maturity Model Certification (CMMC) — the Department of Defense’s new cyber requirements for contractors — will see some coming changes, its leaders recently said.

The DOD will make alterations to the highest level of the five-tier security model after receiving public comments on the recently issued CMMC Defense Federal Acquisition Regulation System rule.

The department issued an “interim final” rule in September instead of first issuing a proposed rule, which meant the rule took effect upon publication. But there was still a 60-day comment period for industry to weigh in. The Office of Management and Budget, which hosts the council overseeing acquisition rules, allowed for this because of “the threat to national security” embedded in supply chain vulnerabilities, Jessica Maxwell, a DoD spokeswoman said in a statement.

Keep reading this article at: https://www.fedscoop.com/cmmc-model-assessment-guide-to-get-tweaks-after-feedback-from-industry/

 

By

CMMC implementation creates issues for ‘shop floors’

As of Nov. 30, defense contractors and suppliers are required to comply with an interim rule that strengthens implementation of the Cybersecurity Maturity Model Certification (CMMC), which is designed to protect controlled unclassified information from hackers.

In December, the Legal and Policy Committee of the National Defense Industrial Association’s Cybersecurity Division hosted the second in a four-part series of tabletop exercises to dry run the implementation and highlight areas where special attention may be needed.  This exercise focused specifically on the implications for manufacturers in defense supply chains, probing deeper into issues from the first exercise, held in October.

Controlled unclassified information, or CUI, needs to be protected not only in enterprise information systems, but also in shop floor networks and systems where technical data may be at risk. The Defense Federal Acquisition Regulation Supplement 252.204-7012 clause that established CMMC mandates use of 110 security requirements defined by National Institute of Standards and Technology Special Publication 800-171 that are appropriate for information technology systems, but in many instances, not appropriate for operational technology systems as found in manufacturing facilities.

Manufacturing systems are capital investments expected to last 20 years or more.  Many run old operating systems that do not support patches or encryption.  Updates are expensive and rare.  Efficiency requires connectivity and safety requires easy, rapid access.  Workarounds are possible, but smaller manufacturers may need help in implementing them.

Keep reading this article at: https://www.nationaldefensemagazine.org/articles/2021/1/29/cmmc-implementation-creates-issues-for-shop-floors

By

DoD’s cybersecurity certification requirements to appear in DHS contracts

The Department of Defense is figuring out how to incorporate its Cybersecurity Maturity Model Certification (CMMC) program in contracts offered by the Department of Homeland Security, according to the official helming the initiative.

The CMMC program will ultimately require all defense contractors have their cybersecurity practices certified by a system of independent third party auditors. As it is now, companies simply pledge their adherence to security controls detailed in standards issued by the National Institute of Standards and Technology.

Rules to implement the program are expected to be finalized as early as next month and have caused some heartburn within the contracting community. But the program is being rolled out in phases — 15 prime contractors, and all their subcontractors, are being selected to undergo assessments this year — and won’t be fully applicable until 2025.

That led one participant during a virtual meeting hosted by the Armed Forces Communications & Electronics Association Thursday to suggest organizations might even want to deprioritize complying with the CMMC’s requirements.

Keep reading this article at: https://www.nextgov.com/cybersecurity/2021/01/dods-cybersecurity-certification-requirements-appear-dhs-contracts/171551/

By

Pentagon announces 7 procurements to test out new CMMC process

The Defense Department on Thursday disclosed the first seven contracts that are likely to be the initial test cases for the Cybersecurity Maturity Model Certification (CMMC) program, DoD’s new approach to shoring up its suppliers’ IT security.

The department stopped short of a full commitment to subject the forthcoming Navy, Air Force and Missile Defense Agency procurements to CMMC’s requirements.

In a statement, DoD said only that they are “candidates” under consideration to serve as pathfinders.

The projects, as described by the Pentagon, are:

 

Navy
  • Integrated Common Processor
  • F/A-18E/F Full Mod of the SBAR and Shut off Valve
  • Yard services for the Arleigh Burke Class destroyer
Air Force
  • Mobility Air Force Tactical Data Links
  • Consolidated Broadband Global Area Network Follow-On
  • Azure Cloud Solution
Missile Defense Agency
  • Technical Advisory and Assistance Contract

The department did not immediately provide further details on the procurements beyond the descriptions above, but said each of the contracts are expected to be awarded in fiscal 2021.

Keep reading this article at: https://federalnewsnetwork.com/defense-main/2020/12/pentagon-reveals-first-contracts-to-serve-as-pathfinders-for-cmmc/

Contracting Academy Logo
75 Fifth Street, NW, Suite 300
Atlanta, GA 30308
info@ContractingAcademy.gatech.edu
Phone: 404-894-6109
Fax: 404-410-6885

RSS Twitter