cybersecurity | The Contracting Education Academy

December 24, 2020 By cs

Pentagon announces 7 procurements to test out new CMMC process

The Defense Department on Thursday disclosed the first seven contracts that are likely to be the initial test cases for the Cybersecurity Maturity Model Certification (CMMC) program, DoD’s new approach to shoring up its suppliers’ IT security.

The department stopped short of a full commitment to subject the forthcoming Navy, Air Force and Missile Defense Agency procurements to CMMC’s requirements.

In a statement, DoD said only that they are “candidates” under consideration to serve as pathfinders.

The projects, as described by the Pentagon, are:

Navy

Integrated Common Processor
F/A-18E/F Full Mod of the SBAR and Shut off Valve
Yard services for the Arleigh Burke Class destroyer

Air Force

Mobility Air Force Tactical Data Links
Consolidated Broadband Global Area Network Follow-On
Azure Cloud Solution

Missile Defense Agency

Technical Advisory and Assistance Contract

The department did not immediately provide further details on the procurements beyond the descriptions above, but said each of the contracts are expected to be awarded in fiscal 2021.

Keep reading this article at: https://federalnewsnetwork.com/defense-main/2020/12/pentagon-reveals-first-contracts-to-serve-as-pathfinders-for-cmmc/

December 8, 2020 By cs

What DoD’s cyber certification program reveals about info-sharing challenges

As the new regime takes effect, the tech industry’s lead trade association would rather higher level certifications be done by the department than independent third parties.

The Information Technology Industry Council is arguing that the foundation of U.S. cybersecurity policy — information sharing between organizations — presents a security threat that is too costly for many to address in response to a rule implementing the Pentagon’s Cybersecurity Maturity Model Certification Program.

The CMMC program was designed to change the Defense Department’s practice of having contractors simply attest to their own level of cybersecurity and institute a system of third-party auditors to validate required practices are in place.

The department’s Defense Contract Management Agency currently conducts audits of contractors’ cybersecurity through Defense Industrial Base Cybersecurity Assessment Center, or DIBCAC, assessments. But Katie Arrington, the DoD official heading up the CMMC program, said a new ecosystem of private third-party assessors is necessary to scale such reviews across all of the approximately 300,000 companies the department relies on.

Organizations hoping to work with the Defense Department would be required to obtain certification through an accreditation body that entered into a no-cost contract with the Defense Department on Nov. 25. The currently all-volunteer organization will be funded through fees it receives from assessors it trains to conduct audits and individuals it approves as qualified to consult with prospective contractors on CMMC requirements.

Keep reading this article at: https://www.nextgov.com/cybersecurity/2020/12/what-dods-cyber-certification-program-reveals-about-info-sharing-challenges/170400/

December 4, 2020 By cs

Pentagon ready to name first 15 ‘pathfinder’ contracts for CMMC

It’s a significant week for the Defense Department’s Cybersecurity Maturity Model Certification program: New rules that serve as a precursor to the full CMMC implementation took effect on Tuesday, and an announcement of the first 15 contracts that will serve as “pathfinders” for the new model are imminent.

That initial set of procurements would represent the first real-world use of CMMC, the program the department has been building for the past year-and-a-half to shore up the cybersecurity of its industrial base. So far, DoD acquisition officials have only applied the model to contracts in non-punitive tabletop exercises, and without publicly identifying the contracts involved.

The department expects to name the first 15 pathfinders within “the next few days,” Katie Arrington, the chief information security officer in DoD’s acquisition and sustainment office told an industry conference. The announcement has been highly-anticipated as the defense industry waits to see how many vendors could be impacted by the initial pathfinder process.

Meanwhile, earlier this week, two precursors to the full CMMC rollout took effect — part of a sweeping rule change DoD promulgated in September to implement the program. Going forward, almost all vendors bidding on new contracts will have to log into a web portal and attest to which specific security controls in NIST Special Publication 800-171 they’re currently complying with.

Keep reading this article at: https://federalnewsnetwork.com/defense-main/2020/12/pentagon-ready-to-name-first-15-pathfinder-contracts-for-cmmc/

November 24, 2020 By cs

DoD contractors: Will you be ready for CMMC on Nov. 30?

Responding to fundamental concerns about the cybersecurity of its private sector supply chain, the Department of Defense (DoD) will begin requiring at the end of this month all of its contractors to comply with a complex and demanding new cybersecurity framework.

Starting on November 30, 2020, contractors working for the DoD will need to comply with the long-anticipated Cybersecurity Maturity Model Certification (CMMC). This mandatory requirement will be a go/no-go criterion for eligibility for many DoD contracts.

Issued on September 29, 2020 the interim rule, amends the Defense Federal Acquisition Regulation Supplement (DFARS) to establish the DoD Assessment Methodology for contractor cybersecurity certification and implement the CMMC program.

What is the DoD Assessment Methodology?

The DoD Assessment Methodology requirement was developed to address perceived flaws in the self-assessment process. Currently, under DFARS clause 252.204-7012, contractors must self-certify their compliance with the cybersecurity requirements of NIST SP 800-171 to “covered contractor information systems,” which are generally those that store, process, generate, transmit or access “covered defense information.” Through the interim rule, the DoD Assessment Methodology rates contractor cybersecurity levels as Basic, Medium or High based on the contractor’s implementation of the 110 controls identified under the National Institutes of Standards and Technology (NIST) Special Publication (SP) 800-171.

Keep reading this article at: https://www.mondaq.com/unitedstates/security/1003266/defense-department-contractors-will-you-be-ready-for-cmmc-on-november-30

November 20, 2020 By cs

What lessons can public and private sector organizations share on cybersecurity?

In the midst of receiving the results of the 2020 presidential election, we’re faced with a potential administration change.

As such, we’re entering a period of transition that raises questions about the best way to protect our nation’s digital infrastructure from nefarious actors wishing to cause harm to our systems.

While comparing the difference between how the private sector operates versus the public sector, the past few years have brought into sharp focus the benefits and drawbacks of how each approach cybersecurity. And looking forward, we see a more intertwined fate of both, as sophisticated and brazen cyberattacks deploy similar TTPs (techniques, tactics and procedures).

After all, phishing and ransomware campaigns don’t care whether you have a .com, .gov or .org email address, and non-state eCrime actors are taking advantage of remote working conditions whether you work for a corporation, city government or a federal agency.

In fact, since March 2020, CrowdStrike has observed a 330% increase from cyber threat actors deploying malicious files using COVID themes. And in the six months from January to June, CrowdStrike’s threat hunting team, OverWatch, observed more hands-on-keyboard intrusions than were seen throughout all of 2019.

Keep reading this article at: https://www.fedscoop.com/transition-coming-lessons-can-public-private-sector-organizations-share-cybersecurity/