The Contracting Education Academy

Contracting Academy Logo
You are here: Home / Archives for cybersecurity

By

DoD will require vendor cybersecurity certifications by this time next year

The department released a draft maturity model and timeline for new certification requirements for all of the defense industrial base.

The government has stringent processes for verifying the IT products and services it uses comply with relevant cybersecurity standards, such as authorities to operate for cloud services and supply chain regulations for hardware products. But those standards and processes don’t cover the vendors.

For the Defense Department, this is a critical issue, as doing business with industry requires the department to share sensitive information, even at the earliest steps of the process.

The department has been kicking around the idea of creating a certification standard for defense industrial base companies to ensure vendors’ cybersecurity posture was adequate to handle controlled and classified information. That became an official effort in March, and on Sept. 4th the department released the first draft Cybersecurity Maturity Model Certification, or CMMC, outline for public comment.

Keep reading this article at: https://www.nextgov.com/cybersecurity/2019/09/dod-will-require-vendor-cybersecurity-certifications-time-next-year/159702/

 

 

By

DoD releases public draft of Cybersecurity Maturity Model Certification, seeks industry input

On September 4, the Office of the Assistant Secretary of Defense for Acquisition released Version 0.4 of its draft Cybersecurity Maturity Model Certification (CMMC) for public comment. 

The CMMC was created in response to growing concerns by Congress and within DoD over the increased presence of cyber threats and intrusions aimed at the Defense Industrial Base (DIB) and its supply chains.  In its overview briefing for the new model, DoD describes the draft CMMC framework as a “unified cybersecurity standard” for DoD acquisitions that is intended to build upon existing regulations, policy, and memoranda by adding a verification component to cybersecurity protections for safeguarding Controlled Unclassified Information (CUI) within the DIB.

As discussed in a prior post, the model describes the requirements that contractors must meet to qualify for certain maturity certifications, ranging from Level 1 (“Basic Cyber Hygiene” practices and “Performed” processes) through Level 5 (“Advanced / Progressive” practices and “Optimized” processes), with such certification determinations to generally be made by third party auditors.

The CMMC establishes a new framework for defense contractors to become certified as cybersecurity compliant.  DoD has stated that it intends to release Version 1.0 of the CMMC framework in January 2020 and will begin using that version in new DoD solicitations starting in Fall 2020.  Notwithstanding the pendency of these deadlines, a large number of questions remain outstanding.  DoD is seeking feedback on the current version of the model by September 25, 2019.

Keep reading this article at: https://www.insidegovernmentcontracts.com/2019/09/dod-releases-public-draft-of-cybersecurity-maturity-model-certification-and-seeks-industry-input/

By

How to manage risk along the federal government supply chain

Even the most sophisticated federal agencies have found it difficult to effectively measure and evaluate the cyber risk of their contractor base.

The U.S. federal government relies on an ever-expanding supply chain of tens of thousands of contractors and subcontractors to provide critical services, hold and maintain sensitive data, and perform key functions. While this supply chain is essential to agencies’ fundamental operations, it also increases the number of access point nefarious actors have to their systems and data and, consequently, puts agencies and sensitive data at greater risk.

Even the most sophisticated federal agencies have found it difficult to effectively measure and evaluate the cyber risk of their contractor base. For example, the Navy recently released a report that highlighted growing concerns around supply chain cybersecurity, noting that the federal supply chain has been “compromised in ways and to an extent yet to be fully understood.” In a July 2019 report on the security of its contractors, the Defense Department Inspector General was blunt: The department “does not know the amount of DoD information managed by contractors and cannot determine whether contractors are protecting unclassified DoD information from unauthorized disclosure.”

In fact, data suggests that contractors are not meeting agency expectations for security. Recent BitSight research found that the average security performance rating across all federal agencies was at least 15 points higher than the mean security performance rating of any contractor sector. In other words, there is a significant security performance gap between federal agencies and their supply chain partners.

The time has come for agencies to prioritize this critical risk in their cybersecurity programs. There are steps agencies can take to more effectively measure, monitor and manage this challenge.

Keep reading this article at: https://www.nextgov.com/ideas/2019/08/how-manage-risk-along-federal-government-supply-chain/159401/

By

Agencies faced 31,000 cyber incidents last year, but gave up no major breaches

The total number of incidents the government experienced last year dropped 12% from 2017, according to the Office of Management and Budget.

Federal agencies didn’t experience a single “major” cybersecurity incident in 2018, marking the first time in three years the government avoided such a severe digital incursion, according to a recent White House report.

Not one of the more than 31,000 cybersecurity incidents that agencies faced last year reached the “major incident” threshold, which is defined as an event that affects more than 100,000 individuals or otherwise causes “demonstrable harm” to the U.S, according to the Office of Management and Budget. The government fell victim to five major incidents in 2017 and 16 in 2016.

Overall, the total number of cyber events the government experienced dropped 12% from 2017, OMB officials told Congress in their annual report on the Federal Information Security Management Act.

While OMB called this downward trend “encouraging,” they warned that agencies shouldn’t let down their guard. Phishing and other email-based attacks remain a popular strategy for online bad actors, and the government is still struggling to attribute and label the thousands of attacks every year, officials said.

Keep reading this article at: https://www.nextgov.com/cybersecurity/2019/08/agencies-faced-31000-cyber-incidents-last-year-gave-no-major-breaches/159290/

By

DHS building a contract to manage all its cybersecurity operations centers

The single contract will likely have multiple awardees, each capable of managing the entirety of operations at each of the department’s 17 security centers.

The Homeland Security Department is building a contract vehicle of vendors able to manage its 17 unclassified security operations centers—the cybersecurity hubs for the government’s central cybersecurity agency.

The agency issued a request for information Aug. 7th outlining its tentative acquisition strategy and asking for feedback from industry on capabilities and approach to spinning up additional resources in times of crisis, such as during a large-scale cyberattack.

“The Department of Homeland Security has a complex and demanding mission,” the notice on FedBizOpps reads. “To assist in meeting that mission, DHS needs robust and effective information systems. It also needs to protect those systems from cyber threats posed by nation-states and criminal enterprises.”

Keep reading this article at: https://www.nextgov.com/cybersecurity/2019/08/dhs-building-contract-manage-all-its-cybersecurity-operations-centers/159032/

Contracting Academy Logo
75 Fifth Street, NW, Suite 300
Atlanta, GA 30308
info@ContractingAcademy.gatech.edu
Phone: 404-894-6109
Fax: 404-410-6885

RSS Twitter