cyber | The Contracting Education Academy

February 17, 2021 By cs

Army awards $5 million ‘bridge’ contract for cyber training

Army Materials Command skipped a competitive bidding process for short-term cyber training services, citing urgent need while it waits for a bid protest to be resolved.

“The growth of the Cyber threat to the Armed Forces mandates that the cybersecurity and tactical network management efforts for Program Executive Offices and [Major Army Commands] continue without interruption,” reads a notice of the justification published on Beta.sam.gov Monday. “A lapse in services would have impacted and/or delayed operational requirements at the tactical level, resulting in increased cost to the Government as well as the risk for potential loss of life during operational deployments.”

The Army’s contracting command awarded a $5.6 million bridge task order to Beshenich Muir & Associates, LLC, or BMA, on Jan.11 to provide support to the Regional Signal Training Sites of the U.S. Army Signal School at the U.S. Army Cyber Center of Excellence. The contract comes with a three-month base period, to account for the adjudication of the protest of an initial task order issued to BMA on Nov. 23 from Obxtek, Inc. The bridge task order also has an additional three-month optional period in case there’s a supplemental protest.

A decision on the protest, which is not publicly available, is due from the Government Accountability office March 29 and Obxtek said it generally doesn’t comment on open cases.

Keep reading this article at: https://www.nextgov.com/cybersecurity/2021/02/army-awards-5m-bridge-contract-cyber-training/171973/

May 29, 2020 By cs

The White House is rewriting contracting language to clarify security liability

The Office of Management and Budget (OMB) plans to standardize language in all government contracts with cloud vendors that would update liability terms regarding security, according to the official in charge of leading federal agencies’ move to the shared-responsibility ecosystems.

**Technology vendors precluding liability in government contracts has long been an issue, and now COVID-19 has sped up some agencies’ cloud migration and amplified calls for cybersecurity assurances.**

“I think there is a need to update our [service level agreements] with the cloud providers and we’re actively working on that within [the General Services Administration],” Thomas Santucci, the director of the Data Center and Cloud Optimization Infrastructure Program Management Office at GSA, said.

Santucci provided a status report on the government’s efforts to improve efficiency and lower costs by moving to the cloud during a virtual conference the Digital Government Institute hosted today.

“OMB has just stood up a [program management office] to work on a cloud SLA template for the federal government to be attached to every contract,” Santucci said when asked about the liability issue and whether cloud service providers or government customers should be held responsible for security.

Security was one of the topics mentioned in establishing the new contract templates, he said.

Keep reading thi9s article at: https://www.nextgov.com/it-modernization/2020/05/white-house-rewriting-contracting-language-clarify-security-liability/165549/

The Contracting Education Academy at Georgia Tech has established a webpage where all contract-related developments related to the coronavirus (COVID-19) are summarized. Find the page at: https://contractingacademy.gatech.edu/coronavirus-information-for-contracting-officers-and-contractors/

May 12, 2020 By cs

Cyber and other transaction agreements

Rapid acquisitions for prototypes and experimental technology will be subject to the Defense Department’s unified cybersecurity standard, according to Katie Arrington, DoD’s chief information security officer for acquisition.

Arrington said DoD’s upcoming implementation of its Cybersecurity Maturity Model Certification will apply to other transaction agreements — a rapid contract mechanism frequently used to help develop and field prototypes.

“In an OTA, in the technical specs, they can actually call it out and say what they want,” said Arrington during an April 29 NextGov webinar on CMMC.

OTAs are meant to speed the government buying process and allow DoD to buy new capabilities faster by allowing officials to sidestep competitive bidding in certain cases. But there’s ample worry of potential overuse, which could invite congressional scrutiny.

Arrington’s comments come as DoD has begun pushing for the use of OTAs to find and execute on solutions that can help treat or prevent the spread of coronavirus. Ellen Lord, DoD’s acquisition chief, issued a memo in early April to ease the OTA process by delegating contracting authorities to heads of agencies and combatant commanders during the pandemic.

Keep reading this article at: https://fcw.com/articles/2020/04/30/cmmc-ota-cyber-williams.aspx

February 4, 2020 By cs

Pentagon announces final version of cyber standards for contractors

During an event where Defense Department officials looked to dispel myths about a plan to certify the cybersecurity of its contractors through third-party audits, the department’s head of acquisitions spoke to why the rollout of the program isn’t expected to be done till 2026.

“We are doing this with what I would call irreversible momentum,” Undersecretary of Defense for Acquisition and Sustainment Ellen Lord said, answering questions from reporters.

Some stakeholders have said the plan to subject companies in the defense industrial base to reviews by independent auditors—instead of allowing them to self-attest to security practices—is moving at break-neck speed. But Defense officials were pressed at the event to explain why it would take such a long time to fully implement the program.

“We’re being realistic in terms of making sure we have pathfinder projects and then we implement it and learn, get the feedback, and go on,” Lord said.

While the department plans to note CMMC requirements in requests for information starting late spring, specific security levels—ranging 1 through 5, described in a final version 1.0 of the model—won’t be included in requests for proposals till the fall, when it is expected the related rule will be finalized in Defense Federal Acquisition Regulations.

Spring is also when auditors will start attending classes and CMMC training will be available on the Defense Acquisition University website, officials said.

Keep reading this article at: https://www.nextgov.com/cybersecurity/2020/01/pentagon-announces-final-version-cyber-standards-contractors/162807/

January 30, 2020 By cs

Final DoD cybersecurity certification model due Friday

The Defense Department official leading the development of an ambitious plan to independently certify military contractors’ cybersecurity practices will review a final version of the plan Friday (Jan. 31, 2020) and shared key details for its implementation.

Stipulations of the Cybersecurity Maturity Model Certification (CMMC) will be written into the Defense Federal Acquisition Regulation Supplement (DFARS) as an update to rule 252.204.7012, which currently requires contractors handling information of certain sensitivity to implement security practices spelled out in National Institute of Standards and Technology (NIST) Special Publication 800-171 and to report cyber incidents within 72 hours.

The major change in the updated rule—which is expected to be open for comment in the spring—will be that contractors will no longer be permitted to self-attest their adherence to the NIST-described practices, as they are now.

The new program will also introduce five levels of tiered requirements for defense contractors. Contractors dealing with information that is not as sensitive would have to meet the “basic cyber hygiene” of level 1, versus the “good cyber hygiene” that implies compliance with the NIST 800-171 controls, or the “advanced” practices that would be required at level 5.

That risk-based approach has gotten the coming CMMC some praise, but the contracting community is on high alert with concerns ranging from the cost of certification to the details of how the audits will function through a nonprofit accreditation body.

Keep reading this article at: https://www.nextgov.com/cybersecurity/2020/01/final-dod-cybersecurity-certification-model-due-friday/162713/

Army Materials Command skipped a competitive bidding process for short-term cyber training services, citing urgent need while it waits for a bid protest to be resolved.

The Office of Management and Budget (OMB) plans to standardize language in all government contracts with cloud vendors that would update liability terms regarding security, according to the official in charge of leading federal agencies’ move to the shared-responsibility ecosystems.

Rapid acquisitions for prototypes and experimental technology will be subject to the Defense Department’s unified cybersecurity standard, according to Katie Arrington, DoD’s chief information security officer for acquisition.

During an event where Defense Department officials looked to dispel myths about a plan to certify the cybersecurity of its contractors through third-party audits, the department’s head of acquisitions spoke to why the rollout of the program isn’t expected to be done till 2026.

The Defense Department official leading the development of an ambitious plan to independently certify military contractors’ cybersecurity practices will review a final version of the plan Friday (Jan. 31, 2020) and shared key details for its implementation.

Search this Website