The Contracting Education Academy


January 27, 2021 By cs

Cybersecurity and government contracting: False Claims Act considerations

As the recent SolarWinds Orion attack makes clear, cybersecurity will be a focus in the coming years for governmental and non-governmental entities alike.

In the federal contracting community, it has long been predicted that the government’s increased cybersecurity requirements will eventually lead to a corresponding increase in False Claims Act (FCA) litigation involving cybersecurity compliance.  This prediction may soon be proven true, as a December 2020 speech from Deputy Assistant Attorney General Michael Granston specifically identified “cybersecurity related fraud” as an “area where we could see enhanced False Claims Act activity.”

This post discusses recent efforts to use the FCA to enforce cybersecurity compliance — and, based on those efforts, what government contractors may expect to see in the future.

In recent years, the government and qui tam plaintiffs have begun using the FCA to pursue alleged noncompliance with cybersecurity regulations, and some of these efforts have gained traction.  For instance, in May 2019, a federal district court in California declined to dismiss a case alleging that a government contractor had falsely asserted its compliance with cybersecurity standards when entering into Department of Defense contracts.  And in July 2019, the Department of Justice announced that another contractor had agreed to pay more than $8 million in connection with resolving a qui tam suit alleging failure to meet federal cybersecurity standards, marking the first settlement based on FCA allegations related to cybersecurity noncompliance.

More recently, however, at least one court rejected the attempt to build an FCA case out of alleged deviations from cybersecurity regulations.

Keep reading this article at: https://www.insidegovernmentcontracts.com/2021/01/cybersecurity-and-government-contracting-false-claims-act-considerations/

Filed Under: Government Contracting News Tagged With: CISA, cyber attacks, cybersecurity, Cybersecurity and Infrastructure Security Agency, DoD, DOJ, false claims, False Claims Act, FCA, Justice Dept., qui tam

November 20, 2020 By cs

What lessons can public and private sector organizations share on cybersecurity?

In the midst of receiving the results of the 2020 presidential election, we’re faced with a potential administration change.

As such, we’re entering a period of transition that raises questions about the best way to protect our nation’s digital infrastructure from nefarious actors wishing to cause harm to our systems.

While comparing the difference between how the private sector operates versus the public sector, the past few years have brought into sharp focus the benefits and drawbacks of how each approaches cybersecurity. And looking forward, we see a more intertwined fate of both, as sophisticated and brazen cyberattacks deploy similar TTPs (techniques, tactics and procedures).

After all, phishing and ransomware campaigns don’t care whether you have a .com, .gov or .org email address, and non-state eCrime actors are taking advantage of remote working conditions whether you work for a corporation, city government or a federal agency.

In fact, since March 2020, CrowdStrike has observed a 330% increase from cyber threat actors deploying malicious files using COVID themes. And in the six months from January to June, CrowdStrike’s threat hunting team, OverWatch, observed more hands-on-keyboard intrusions than were seen throughout all of 2019.

Keep reading this article at: https://www.fedscoop.com/transition-coming-lessons-can-public-private-sector-organizations-share-cybersecurity/

Filed Under: Government Contracting News Tagged With: China, coronavirus, COVID, COVID-19, cyber attacks, cybersecurity, pandemic

October 22, 2019 By cs

Pentagon standing up a nonprofit to assess vendor cybersecurity

The organization would be responsible for running the department’s Cybersecurity Maturity Model Certification.

The Defense Department is looking to stand up a nonprofit organization to measure the strength of its contractors’ cybersecurity practices.

The group would be responsible for running the vendor accreditation process under the Pentagon’s new Cybersecurity Maturity Model Certification, or CMMC. The framework, which was released in draft form last month, will serve as a yardstick for determining if contractors are taking sufficient steps to protect the sensitive military data that resides on their networks.

The certification process is intended to push the Pentagon’s extensive network of vendors to strengthen their digital defenses, or at least adopt protections that are appropriate for the sensitivity of their work. The program comes as adversaries like China increasingly target defense contractors to steal military secrets.

Keep reading this article at: https://www.nextgov.com/cybersecurity/2019/10/pentagon-standing-nonprofit-assess-vendor-cybersecurity/160425/

Filed Under: Government Contracting News Tagged With: certification, CMMC, cyber, cyber attacks, cyber tools, cybersecurity, Cybersecurity Maturity Model Certification, DoD, industry, Pentagon, RFI, risk assessment, secret

August 29, 2019 By cs

Agencies faced 31,000 cyber incidents last year, but gave up no major breaches

The total number of incidents the government experienced last year dropped 12% from 2017, according to the Office of Management and Budget.

Federal agencies didn’t experience a single “major” cybersecurity incident in 2018, marking the first time in three years the government avoided such a severe digital incursion, according to a recent White House report.

Not one of the more than 31,000 cybersecurity incidents that agencies faced last year reached the “major incident” threshold, which is defined as an event that affects more than 100,000 individuals or otherwise causes “demonstrable harm” to the U.S., according to the Office of Management and Budget. The government fell victim to five major incidents in 2017 and 16 in 2016.

Overall, the total number of cyber events the government experienced dropped 12% from 2017, OMB officials told Congress in their annual report on the Federal Information Security Management Act.

While OMB called this downward trend “encouraging,” they warned that agencies shouldn’t let down their guard. Phishing and other email-based attacks remain a popular strategy for online bad actors, and the government is still struggling to attribute and label the thousands of attacks every year, officials said.

Keep reading this article at: https://www.nextgov.com/cybersecurity/2019/08/agencies-faced-31000-cyber-incidents-last-year-gave-no-major-breaches/159290/

Filed Under: Government Contracting News Tagged With: cyber, cyber attacks, cyber incidents, cybersecurity, cyberthreat, OMB

September 28, 2018 By AMK

Cyber Command’s acquisition authority still in its infancy

U.S. Cyber Command is still in the beginning stages of building out an acquisition capability.

Eight years after its launch and about two years after being granted limited acquisition authority from Congress, the command is still working to demonstrate that its wares and abilities make good use of funds and that it is capable of managing contracts, its acquisition executive said.

“I will say we are in our infancy from an acquisition perspective. We are putting the foundation of the personnel and the skills,” Stephen Schanberger said Sept. 6 at the Billington Cybersecurity Summit. “We’re in the beginning stages right now.”

In the fiscal 2016 defense authorization bill, Congress gave Cyber Command limited acquisition authority capped at $75 million with a sunsetting in 2021. Congressional aides have equated this authority to that of Special Operations Command, noting that they wanted to employ a crawl, walk, run mentality to make sure Cyber Command can execute it.

Keep reading this article at: https://www.fifthdomain.com/dod/cybercom/2018/09/07/cyber-commands-acquisition-authority-still-in-its-infancy/

Filed Under: Government Contracting News Tagged With: acquisition workforce, cyber, cyber attacks, Cyber Command, cyber incidents, CYBERCOM, cybersecurity, cyberthreat, NDAA

75 Fifth Street, NW, Suite 300
Atlanta, GA 30308
info@ContractingAcademy.gatech.edu
Phone: 404-894-6109
Fax: 404-410-6885


Copyright © 2023 · Georgia Tech - Enterprise Innovation Institute