The Contracting Education Academy

Contracting Academy Logo
You are here: Home / Archives for cybersecurity

By

GSA could be vulnerable to security threats from ‘trusted insiders’

The General Services Administration needs to bolster its efforts to protect against insider threats from current and recently separated employees, a watchdog reported recently.

The GSA inspector general reviewed the agency’s processes to thwart harmful actions from “trusted insiders” to its personnel, facilities, operations and resources. GSA has about 12,000 employees throughout its central office, Federal Acquisition Service, Public Buildings Service, Office of Governmentwide Policy, 11 national staff offices, 11 regional offices and two independent offices. An October 2011 executive order and subsequent policy from November 2012 laid out requirements for agencies’ insider threat programs. In 2014, GSA established its own program (a two-person team that reports to the senior designated official who is the associate administrator of GSA’s Office of Mission Assurance) and in 2017 the National Insider Threat Task Force certified it met the minimum standards. However, the inspector general found some areas of concern since then.

“We found that GSA’s [insider threat program] does not consistently collaborate with other GSA staff offices to gather key threat information proactively and does not communicate insider threat risks and program challenges to the GSA administrator as required,” said the report.  “Instead, the [program] senior designated official has taken a reactive approach that leaves GSA susceptible to insider threats.”

Another issue was that after the National Insider Threat Task Force deemed GSA’s insider threat program was at full operational capacity in November 2017, GSA’s insider threat working group disbanded because staff thought it was no longer needed.  The group had members from the Office of Human Resources Management, Office of GSA IT, Office of the Chief Financial Officer and Office of Mission Assurance.

Keep reading this article at: https://www.govexec.com/oversight/2021/02/watchdog-says-gsas-insider-threats-program-needs-improvement/172147/

By

CMMC: The dramatic year of the Pentagon’s contractor cybersecurity program

In 2020, an ambitious Defense Department effort to account for its suppliers’ cybersecurity had many in the community kicking and screaming in tow, but represents a new collective policy thrust that won’t be dismissed.  

The program, led by Katie Arrington, the chief information security officer for Defense acquisitions, is based on the idea that the government should incorporate security standards into its contract administration.

Arrington’s presentations on the program often include an estimate of how much is lost each year through cyber disruptions — $600 billion, according to research cited in the DOD’s answers to frequently asked questions about the program — and highlight intellectual property theft by China.

Before the idea of CMMC, companies within the defense industrial base simply pledged their adherence to cybersecurity practices outlined by the National Institute of Standards and Technology. A 2015 rule required Defense contractors to report cyber incidents and to provide “adequate security” using NIST Special Publication 800-171 to protect covered information. But it wasn’t until summer 2019 that the Defense Department started checking whether companies were implementing the standard.

Keep reading this article at: https://www.nextgov.com/cybersecurity/2021/01/cmmc-dramatic-year-pentagons-contractor-cybersecurity-program/171084/

By

10 of 15 of DoD’s major IT projects are behind schedule, GAO finds

The Defense Department’s software development approaches are helping to avoid cost increases and schedule delays for many major information technology systems, but uneven implementation of cybersecurity best practices may be introducing risk to these programs, according to a watchdog report.  

In the first of a series of annual reviews of major Defense IT systems, the Government Accountability Office (GAO) examined 15 business and non-business DoD IT programs and found 10 programs had schedule delays, including one 5-year delay.  Eleven had decreased cost estimates as of December 2019, according to the audit, which was released to the general public just before the holidays.

While GAO didn’t make any specific recommendations in the audit, DoD in its comments said the audit “highlight[s] opportunities for continued improvement to acquiring IT capabilities.”

The main challenge for DoD’s major IT systems is the agency’s mixed record on incorporating cybersecurity best practices.

While all 15 programs are using cybersecurity strategies, only eight conducted cybersecurity vulnerability assessments, which help determine whether security measures are strong enough. In addition, 11 of the 15 programs conducted operational cybersecurity testing, but only six conducted developmental cybersecurity testing.

Keep reading this article at: https://www.nextgov.com/it-modernization/2021/01/10-15-dods-major-it-projects-are-behind-schedule-gao-found/171155/

By

2021 NDAA includes numerous provisions impacting government contracts

The National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2021 (Pub. L. No. 116-283) was enacted into law on January 1, 2021, when the Senate voted to override President Trump’s veto of the bill.

The Senate’s move, the final step in the legislative process, followed the House’s earlier vote to override President Trump’s veto in December 2020.

The FY21 NDAA sets funding levels and outlines policy priorities for the U.S. Department of Defense (DoD). It also addresses many areas of importance to government contractors, including acquisition policy and management, supply chain and industrial base matters, and small business issues.  The final version of the NDAA produced by negotiators on the Conference Committee included provisions from earlier House and Senate versions, which we summarized in an earlier article.

This article includes our annual summary, by topic, of the most relevant provisions of the FY21 NDAA for government contractors. As detailed below, some of the provisions from the earlier House and Senate versions of the NDAA that we highlighted in our previous article were not accepted into the final version.  As we’ve previously summarized, the NDAA also includes numerous provisions addressing cybersecurity and artificial intelligence policies with ramifications far beyond DoD, including implementing recommendations from the Cyberspace Solarium Commission’s 2020 Report.

Keep reading this article at: https://www.jdsupra.com/legalnews/national-defense-authorization-act-for-5444697/

By

Army awards $5 million ‘bridge’ contract for cyber training

Army Materials Command skipped a competitive bidding process for short-term cyber training services, citing urgent need while it waits for a bid protest to be resolved.

“The growth of the Cyber threat to the Armed Forces mandates that the cybersecurity and tactical network management efforts for Program Executive Offices and [Major Army Commands] continue without interruption,” reads a notice of the justification published on Beta.sam.gov Monday.  “A lapse in services would have impacted and/or delayed operational requirements at the tactical level, resulting in increased cost to the Government as well as the risk for potential loss of life during operational deployments.”

The Army’s contracting command awarded a $5.6 million bridge task order to Beshenich Muir & Associates, LLC, or BMA, on Jan.11 to provide support to the Regional Signal Training Sites of the U.S. Army Signal School at the U.S. Army Cyber Center of Excellence. The contract comes with a three-month base period, to account for the adjudication of the protest of an initial task order issued to BMA on Nov. 23 from Obxtek, Inc. The bridge task order also has an additional three-month optional period in case there’s a supplemental protest.

A decision on the protest, which is not publicly available, is due from the Government Accountability office March 29 and Obxtek said it generally doesn’t comment on open cases.

Keep reading this article at: https://www.nextgov.com/cybersecurity/2021/02/army-awards-5m-bridge-contract-cyber-training/171973/

Contracting Academy Logo
75 Fifth Street, NW, Suite 300
Atlanta, GA 30308
info@ContractingAcademy.gatech.edu
Phone: 404-894-6109
Fax: 404-410-6885

RSS Twitter