The Contracting Education Academy

Contracting Academy Logo
You are here: Home / Archives for cybersecurity

By

Defense contractor certification body says maintenance of companies’ cybersecurity posture is within its role

The accreditation body overseeing the Defense Department’s cybersecurity certification for prospective contractors is also authorized to provide certified companies with cybersecurity services, according to members of the group’s board of directors. 

“A continuous monitoring capability could provide benefits to organizations in the defense supply chain by increasing their awareness of changes to their current cybersecurity posture,” Mark Berman, chairman of the board’s communications committee told Nextgov. “This initiative is a potential avenue where we can provide value add to enhance and maintain the security posture.”

Berman was responding to comments from observers who say an April 22 request for proposal the accreditation board issued for a “continuous monitoring solution” marks a departure from the training and certification functions the group is expected to perform.

The Pentagon’s Cybersecurity Maturity Model Certification program is scheduled to take effect this fall following a change to defense federal acquisition regulations. Companies will have to attain third-party certification of their cybersecurity practices if they want to do business with the department. Defense contractors currently state whether they adhere to standards such as those outlined by the National Institute of Standards and Technology without any outside entity verifying their claims.

Keep reading this article at: https://www.nextgov.com/cybersecurity/2020/05/defense-contractor-certification-body-says-maintenance-companies-cybersecurity-posture-within-its-role/165131/

By

Cyber and other transaction agreements

Rapid acquisitions for prototypes and experimental technology will be subject to the Defense Department’s unified cybersecurity standard, according to Katie Arrington, DoD’s chief information security officer for acquisition.

Arrington said DoD’s upcoming implementation of its Cybersecurity Maturity Model Certification will apply to other transaction agreements — a rapid contract mechanism frequently used to help develop and field prototypes.

“In an OTA, in the technical specs, they can actually call it out and say what they want,” said Arrington during an April 29 NextGov webinar on CMMC.

OTAs are meant to speed the government buying process and allow DoD to buy new capabilities faster by allowing officials to sidestep competitive bidding in certain cases. But there’s ample worry of potential overuse, which could invite congressional scrutiny.

Arrington’s comments come as DoD has begun pushing for the use of OTAs to find and execute on solutions that can help treat or prevent the spread of coronavirus. Ellen Lord, DoD’s acquisition chief, issued a memo in early April to ease the OTA process by delegating contracting authorities to heads of agencies and combatant commanders during the pandemic.

Keep reading this article at: https://fcw.com/articles/2020/04/30/cmmc-ota-cyber-williams.aspx

The Contracting Education Academy at Georgia Tech has established a webpage where all contract-related developments related to the coronavirus (COVID-19) are summarized.  Find the page at: https://contractingacademy.gatech.edu/coronavirus-information-for-contracting-officers-and-contractors/

By

DoD sees CMMC as new way to monitor supply chain, spot shell companies

The Defense Department wants to implement its much-discussed Cybersecurity Maturity Model Certification program mainly to ensure every single one of its vendors is undertaking minimum levels of commonly-understood cybersecurity practices so it can protect its supply chain.

But Defense officials increasingly see CMMC as a way to monitor aspects of that supply chain that aren’t strictly about cybersecurity.

DoD expects tens of thousands of its contractors to earn a CMMC certification over the next five years. But to get one — even at the most rudimentary Level One of CMMC — each company will need an in-person visit from a third-party assessor. Those visits are primarily so that auditors can verify companies have actually implemented the security practices required for their level of certification, since no self-attestations will be allowed.

But there’s another reason DoD also wants a set of human eyes on each CMMC applicant: the department wants to make sure each firm that’s certified is actually a real company with real employees.

Keep reading this article at: https://federalnewsnetwork.com/defense-main/2020/04/dod-sees-cmmc-as-new-way-to-monitor-supply-chain-spot-shell-companies/

By

Pentagon’s cybersecurity certification plan includes continuously monitoring contractors

The accreditation body overseeing the Defense Department’s Cybersecurity Maturity Model Certification program — the CMMC-AB — issued a request for proposal that provides insight into how the group plans to keep track of contractors outside of conducting physical audits.

The CMMC will end the DoD’s practice of allowing contractors to “self-certify” their cybersecurity practices. Before the end of the year, the department intends to require companies doing business with the DoD to gain a certificate from third-party auditors that will be valid for up to three years.

“As part of the CMMC-AB’s efforts to mitigate risks posed to the country through sharing of sensitive information with DoD supply chain partners, a continuous monitoring solution will help fill in the gaps between assessments scheduled for once every three years,” the RFP reads. “The CMMC-AB is issuing this request for proposal to help us identify appropriate partners in our continuous monitoring solution.”

The CMMC-AB posted the RFP to its LinkedIn page with a May 1 deadline for responses.

Keep reading this article at: https://www.nextgov.com/cybersecurity/2020/04/pentagons-cybersecurity-certification-plan-includes-continuously-monitoring-contractors/164821/

By

CMMC standards for non-defense contractors could be coming

The Department of Defense‘s push to secure its leaky supply chain from cyberattacks might “rapidly” become a standard for civilian agencies too.

Katie Arrington, the Pentagon’s CISO for acquisition and sustainment, said Thursday that she has met with Chris Krebs — the head of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) — to discuss the DoD’s new Cybersecurity Maturity Model Certification (CMMC) and how it could translate eventually to civilian, non-defense federal contractors.

Arrington was said she believes CMMC “will become a federal standard for the whole of government rapidly.” But, a CISA official was more cautious about amplifying CMMC beyond its defense acquisition purposes, saying “civilian agencies operate under separate acquisition authorities and CMMC is a DoD-specific program.”

“CISA is certainly following the development of CMMC with great interest and it’s likely that civilian agencies will naturally benefit from CMMC implementation,” the official told FedScoop. “Due to that overlap, we aim to harmonize our cybersecurity approaches as much as possible, including on directives.”

Keep reading this article at: https://www.fedscoop.com/cmmc-federal-standards-for-acqusition/

Contracting Academy Logo
75 Fifth Street, NW, Suite 300
Atlanta, GA 30308
info@ContractingAcademy.gatech.edu
Phone: 404-894-6109
Fax: 404-410-6885

RSS Twitter