The Contracting Education Academy

Contracting Academy Logo
You are here: Home / Archives for cybersecurity

By

Civilian vendor cybersecurity certification would look very different from DoD

A civilian counterpart to the Pentagon’s Cybersecurity Maturity Model Certification would need to suit the varying missions across government, according to federal deputy CIO Margie Graves.

The Defense Department is working on a new policy that will require its vendors to obtain a certification confirming the contractor’s own systems have strong enough cybersecurity to protect the department’s secrets. A civilian agency counterpart to that would look very different than what the Pentagon is developing, according to the second-ranking civilian IT official.

While the government does have a method for certifying the cybersecurity of vendors’ products — through the authority to operate, or ATO, process and the Federal Risk and Authorization Management Program, or FedRAMP — it does not have a program for assessing the security of the systems used by the vendors.

The Defense Department’s Cybersecurity Maturity Model Certification, or CMMC, looks to change that with a set of 18 “key sets of capabilities for cybersecurity,” according to the draft released in September.

Keep reading this article at: https://www.nextgov.com/cybersecurity/2019/10/civilian-vendor-cybersecurity-certification-would-look-very-different-dod/160982/

By

Pentagon standing up a nonprofit to assess vendor cybersecurity

The organization would be responsible for running the department’s Cybersecurity Maturity Model Certification.

The Defense Department is looking to stand up a nonprofit organization to measure the strength of its contractors’ cybersecurity practices.

The group would be responsible for running the vendor accreditation process under the Pentagon’s new Cybersecurity Maturity Model Certification, or CMMC. The framework, which was released in draft form last month, will serve as a yardstick for determining if contractors are taking sufficient steps to protect the sensitive military data that resides on their networks.

The certification process is intended to push the Pentagon’s extensive network of vendors to strengthen their digital defenses, or at least adopt protections that are appropriate for the sensitivity of their work. The program comes adversaries like China increasingly target defense contractors to steal military secrets.

Keep reading this article at: https://www.nextgov.com/cybersecurity/2019/10/pentagon-standing-nonprofit-assess-vendor-cybersecurity/160425/

By

A new contract offers on-demand support for cyber missions

The government has selected Parsons for a $590 million cyber contract called Combatant Commands Cyber Mission Support (CCMS).

The contract, run out of the General Services Administration (GSA), will support cyber capabilities — both hardware and software requirements — across the government to include geographic and functional combatant commands, the interagency and federal/civilian agencies.

“The contract, the way it was structured was to be able to develop and deliver capability — multi-domain capability — across the services, both defensive, non-defensive capabilities, as well as open-source, intelligence analytics through this contracting mechanism,” Paul Decker, executive vice president and head of cyber and intelligence business for Parsons, told Fifth Domain.

“The intent of this is for it to be a multiuse contract to serve both the DoD, as well as interagencies across the department … A key takeaway is as organizational requirements continue to get fed up through the various different tactical organizations, it is all going to be about having technology that is interoperable, integrateable and that can be used at each echelon at an organization.”

Keep reading this article at: https://www.fifthdomain.com/dod/2019/09/25/a-new-contract-offers-on-demand-support-for-cyber-missions

By

DoD will require vendor cybersecurity certifications by this time next year

The department released a draft maturity model and timeline for new certification requirements for all of the defense industrial base.

The government has stringent processes for verifying the IT products and services it uses comply with relevant cybersecurity standards, such as authorities to operate for cloud services and supply chain regulations for hardware products. But those standards and processes don’t cover the vendors.

For the Defense Department, this is a critical issue, as doing business with industry requires the department to share sensitive information, even at the earliest steps of the process.

The department has been kicking around the idea of creating a certification standard for defense industrial base companies to ensure vendors’ cybersecurity posture was adequate to handle controlled and classified information. That became an official effort in March, and on Sept. 4th the department released the first draft Cybersecurity Maturity Model Certification, or CMMC, outline for public comment.

Keep reading this article at: https://www.nextgov.com/cybersecurity/2019/09/dod-will-require-vendor-cybersecurity-certifications-time-next-year/159702/

 

 

By

DoD releases public draft of Cybersecurity Maturity Model Certification, seeks industry input

On September 4, the Office of the Assistant Secretary of Defense for Acquisition released Version 0.4 of its draft Cybersecurity Maturity Model Certification (CMMC) for public comment. 

The CMMC was created in response to growing concerns by Congress and within DoD over the increased presence of cyber threats and intrusions aimed at the Defense Industrial Base (DIB) and its supply chains.  In its overview briefing for the new model, DoD describes the draft CMMC framework as a “unified cybersecurity standard” for DoD acquisitions that is intended to build upon existing regulations, policy, and memoranda by adding a verification component to cybersecurity protections for safeguarding Controlled Unclassified Information (CUI) within the DIB.

As discussed in a prior post, the model describes the requirements that contractors must meet to qualify for certain maturity certifications, ranging from Level 1 (“Basic Cyber Hygiene” practices and “Performed” processes) through Level 5 (“Advanced / Progressive” practices and “Optimized” processes), with such certification determinations to generally be made by third party auditors.

The CMMC establishes a new framework for defense contractors to become certified as cybersecurity compliant.  DoD has stated that it intends to release Version 1.0 of the CMMC framework in January 2020 and will begin using that version in new DoD solicitations starting in Fall 2020.  Notwithstanding the pendency of these deadlines, a large number of questions remain outstanding.  DoD is seeking feedback on the current version of the model by September 25, 2019.

Keep reading this article at: https://www.insidegovernmentcontracts.com/2019/09/dod-releases-public-draft-of-cybersecurity-maturity-model-certification-and-seeks-industry-input/

Contracting Academy Logo
75 Fifth Street, NW, Suite 300
Atlanta, GA 30308
info@ContractingAcademy.gatech.edu
Phone: 404-894-6109
Fax: 404-410-6885

RSS Twitter