The Contracting Education Academy

Contracting Academy Logo
You are here: Home / Archives for cyber incidents

By

Agencies faced 31,000 cyber incidents last year, but gave up no major breaches

The total number of incidents the government experienced last year dropped 12% from 2017, according to the Office of Management and Budget.

Federal agencies didn’t experience a single “major” cybersecurity incident in 2018, marking the first time in three years the government avoided such a severe digital incursion, according to a recent White House report.

Not one of the more than 31,000 cybersecurity incidents that agencies faced last year reached the “major incident” threshold, which is defined as an event that affects more than 100,000 individuals or otherwise causes “demonstrable harm” to the U.S, according to the Office of Management and Budget. The government fell victim to five major incidents in 2017 and 16 in 2016.

Overall, the total number of cyber events the government experienced dropped 12% from 2017, OMB officials told Congress in their annual report on the Federal Information Security Management Act.

While OMB called this downward trend “encouraging,” they warned that agencies shouldn’t let down their guard. Phishing and other email-based attacks remain a popular strategy for online bad actors, and the government is still struggling to attribute and label the thousands of attacks every year, officials said.

Keep reading this article at: https://www.nextgov.com/cybersecurity/2019/08/agencies-faced-31000-cyber-incidents-last-year-gave-no-major-breaches/159290/

By

Senate Armed Services Subcommittee on Cybersecurity holds hearing to discuss responsibilities of the industrial base

On March 26, 2019, the Senate Armed Services’ Subcommittee on Cybersecurity held a hearing to receive testimony assessing how the Department of Defense’s (DoD) cybersecurity policies and regulations have affected the Defense Industrial Base (DIB).

To gain a better understanding of the DIB’s cybersecurity concerns, the Subcommittee invited William LaPlante, Senior Vice President and General Manager of MITRE’s National Security Sector; John Luddy, Vice President For National Security Policy at the Aerospace Industries Association; Christopher Peters, Chief Executive Officer of the Lucrum Group; and Michael MacKay, the Chief Technology Officer of Progeny Systems Corporation.

In their opening remarks, the Chairman of the Subcommittee, Senator Mike Rounds (R-SD), and Ranking Member, Senator Joe Manchin (D-WV), acknowledged industry concerns about the DoD’s lack of clarity and disparate implementation of cybersecurity regulations, such as guidance relating to DFARS 252.204-7012 (DFARS Cyber Rule or Rule) and National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.

Senator Rounds stated that he “expects [DoD] to come up with measured policies to make improvements in [cybersecurity]” and he “hope[s] DoD takes seriously the concerns of the DIB.”  He further noted that DoD “cannot simply apply increasingly stringent cybersecurity requirements on its contractors” and that “doing so without subsidy or assistance is unlikely to particularly improve cybersecurity [for] the DIB” and would likely drive the most innovative small businesses out of the supply chain.  Senator Rounds called for putting a program in place to ensure the best possible protections for contractors regardless of size and referred to the “Achilles heel” of this issue as the desire to use a large number of small contractors while still needing to protect sensitive government information.  Later in the hearing, Senator Manchin expressed great concern over the cyber incidents experienced by DoD contractors and urged the witnesses to “tell [the Subcommittee] what you need . . . [the Subcommittee] is here to fix it and you’re here to tell us what’s broken.”

Keep reading this article at: https://www.insidegovernmentcontracts.com/2019/03/senate-armed-services-subcommittee-on-cybersecurity-holds-hearing-to-discuss-the-responsibilities-of-the-defense-industrial-base/

By

Contractors face new data breach disclosure and investigation requirements

The government’s lead contracting agency plans to formalize how and when contractors are required to disclose data breaches and to mandate better government visibility into how serious those breaches are.

The proposed rule will mandate that the General Services Administration (GSA) and the agency that’s being served by the contract have access to breached contractor systems, according to a regulatory roadmap set to be published in the Nov. 16th edition of the Federal Register.

Contractors will also be required to preserve images of the affected systems for the government to review, the roadmap states.

The proposed rule is scheduled to be published in February with a comment period that closes in April.

Contractors have frequently been a weak point for federal cybersecurity efforts.

Keep reading this article at: https://www.nextgov.com/cybersecurity/2018/11/government-contractors-face-new-data-breach-disclosure-and-investigation-requirements/152864/

By

Cyber Command’s acquisition authority still in its infancy

U.S. Cyber Command is still in the beginning stages of building out an acquisition capability.

Eight years after its launch and about two years after being granted limited acquisition authority from Congress, the command is still working to demonstrate that its wares and abilities make good use of funds and that it is capable of managing contracts, its acquisition executive said.

“I will say we are in our infancy from an acquisition perspective. We are putting the foundation of the personnel and the skills,” Stephen Schanberger said Sept. 6 at the Billington Cybersecurity Summit. “We’re in the beginning stages right now.”

In the fiscal 2016 defense authorization bill, Congress gave Cyber Command limited acquisition authority capped at $75 million with a sunsetting in 2021. Congressional aides have equated this authority to that of Special Operations Command, noting that they wanted to employ a crawl, walk, run mentality to make sure Cyber Command can execute it.

Keep reading this article at: https://www.fifthdomain.com/dod/cybercom/2018/09/07/cyber-commands-acquisition-authority-still-in-its-infancy/

By

Paper submittals will soon be required of all SAM.gov registrants

Effective April 27, 2018, the General Services Administration (GSA) will be requiring each entity that wants to renew or update their electronic registration in the System for Award Management (SAM) to mail-in an original, signed notarized letter that confirms the identity of the account’s authorized administrator.

This comes as a follow-up to an announcement make about two and a half weeks ago that GSA is engaged in “an active investigation into alleged third-party fraudulent activity” within SAM.

SAM is essentially the vendor database of the federal government.  GSA is in the process of integrating a total of ten databases within SAM.

At present, before a new SAM entity registration is activated, the entity establishing the new record in SAM must submit an original, signed notarized letter identifying the authorized “entity administrator” who is associated with the entity’s DUNS number.  With GSA’s latest announcement, the notarized letter also will be required of all existing SAM registrants who wish to update or renew their record.

The alleged breach of the SAM database was identified by GSA’s Office of Inspector General (OIG), and there is ongoing concern that vendors’ financial information and points of contact could be exposed.  This creates risk that grant and contract payments could be diverted.

In GSA’s first announcement of the problem, GSA advised that “entities should contact their Federal agency awarding official if they find that payments, which were due their entity from a Federal agency, have been paid to a bank account other than the entity’s bank account.”   SAM contains bank routing information on each entity.  GSA’s advice was later updated to say: “If an entity suspects a payment due them from a Federal agency was paid to a bank account other than their own, they should contact the Federal Service Desk.”

The Federal Service Desk can be contacted by phone at 866-606-8220 (toll free) or 334-206-7828 (internationally), Monday through Friday from 8 a.m. to 8 p.m. (EDT).

The notarized letter, on company stationery, is to be mailed to the Federal Service Desk.  Details for the letter appear at: https://www.fsd.gov/fsd-gov/answer.do?sysparm_kbid=d2e67885db0d5f00b3257d321f96194b&sysparm_search=kb0013183.

Update: GSA has produced a template for the notarized letter.  It is available at: SAM_Notary_Letter_Template_4.12.18_GSA_version

 

Contracting Academy Logo
75 Fifth Street, NW, Suite 300
Atlanta, GA 30308
info@ContractingAcademy.gatech.edu
Phone: 404-894-6109
Fax: 404-410-6885

RSS Twitter