The Contracting Education Academy

Contracting Academy Logo
You are here: Home / Archives for cybersecurity

By

CMMC model tweaks coming after industry feedback

The foundation of the Cybersecurity Maturity Model Certification (CMMC) — the Department of Defense’s new cyber requirements for contractors — will see some coming changes, its leaders recently said.

The DOD will make alterations to the highest level of the five-tier security model after receiving public comments on the recently issued CMMC Defense Federal Acquisition Regulation System rule.

The department issued an “interim final” rule in September instead of first issuing a proposed rule, which meant the rule took effect upon publication. But there was still a 60-day comment period for industry to weigh in. The Office of Management and Budget, which hosts the council overseeing acquisition rules, allowed for this because of “the threat to national security” embedded in supply chain vulnerabilities, Jessica Maxwell, a DoD spokeswoman said in a statement.

Keep reading this article at: https://www.fedscoop.com/cmmc-model-assessment-guide-to-get-tweaks-after-feedback-from-industry/

 

By

CMMC implementation creates issues for ‘shop floors’

As of Nov. 30, defense contractors and suppliers are required to comply with an interim rule that strengthens implementation of the Cybersecurity Maturity Model Certification (CMMC), which is designed to protect controlled unclassified information from hackers.

In December, the Legal and Policy Committee of the National Defense Industrial Association’s Cybersecurity Division hosted the second in a four-part series of tabletop exercises to dry run the implementation and highlight areas where special attention may be needed.  This exercise focused specifically on the implications for manufacturers in defense supply chains, probing deeper into issues from the first exercise, held in October.

Controlled unclassified information, or CUI, needs to be protected not only in enterprise information systems, but also in shop floor networks and systems where technical data may be at risk. The Defense Federal Acquisition Regulation Supplement 252.204-7012 clause that established CMMC mandates use of 110 security requirements defined by National Institute of Standards and Technology Special Publication 800-171 that are appropriate for information technology systems, but in many instances, not appropriate for operational technology systems as found in manufacturing facilities.

Manufacturing systems are capital investments expected to last 20 years or more.  Many run old operating systems that do not support patches or encryption.  Updates are expensive and rare.  Efficiency requires connectivity and safety requires easy, rapid access.  Workarounds are possible, but smaller manufacturers may need help in implementing them.

Keep reading this article at: https://www.nationaldefensemagazine.org/articles/2021/1/29/cmmc-implementation-creates-issues-for-shop-floors

By

DoD’s cybersecurity certification requirements to appear in DHS contracts

The Department of Defense is figuring out how to incorporate its Cybersecurity Maturity Model Certification (CMMC) program in contracts offered by the Department of Homeland Security, according to the official helming the initiative.

The CMMC program will ultimately require all defense contractors have their cybersecurity practices certified by a system of independent third party auditors. As it is now, companies simply pledge their adherence to security controls detailed in standards issued by the National Institute of Standards and Technology.

Rules to implement the program are expected to be finalized as early as next month and have caused some heartburn within the contracting community. But the program is being rolled out in phases — 15 prime contractors, and all their subcontractors, are being selected to undergo assessments this year — and won’t be fully applicable until 2025.

That led one participant during a virtual meeting hosted by the Armed Forces Communications & Electronics Association Thursday to suggest organizations might even want to deprioritize complying with the CMMC’s requirements.

Keep reading this article at: https://www.nextgov.com/cybersecurity/2021/01/dods-cybersecurity-certification-requirements-appear-dhs-contracts/171551/

By

Cybersecurity and government contracting: False Claims Act considerations

As the recent SolarWinds Orion attack makes clear, cybersecurity will be a focus in the coming years for both governmental and non-governmental entities alike. 

In the federal contracting community, it has long been predicted that the government’s increased cybersecurity requirements will eventually lead to a corresponding increase in False Claims Act (FCA) litigation involving cybersecurity compliance.  This prediction may soon be proven true, as a December 2020 speech from Deputy Assistant Attorney General Michael Granston specifically identified “cybersecurity related fraud” as an “area where we could see enhanced False Claims Act activity.”

This post discusses recent efforts to use the FCA to enforce cybersecurity compliance — and, based on those efforts, what government contractors may expect to see in the future.

In recent years, the government and qui tam plaintiffs have begun using the FCA to pursue alleged noncompliance with cybersecurity regulations, and some of these efforts have gained traction.  For instance, in May 2019, a federal district court in California declined to dismiss a case alleging that a government contractor had falsely asserted its compliance with cybersecurity standards when entering into Department of Defense contracts.  And in July 2019, the Department of Justice announced that another contractor had agreed to pay more than $8 million in connection with resolving a qui tam suit alleging failure to meet federal cybersecurity standards, marking the first settlement based on FCA allegations related to cybersecurity noncompliance.

More recently, however, at least one court rejected the attempt to build an FCA case out of alleged deviations from cybersecurity regulations.

Keep reading this article at: https://www.insidegovernmentcontracts.com/2021/01/cybersecurity-and-government-contracting-false-claims-act-considerations/

By

GSA introduces vendor risk assessment program in draft solicitation

The General Services Administration could soon start requiring on-site assessments of certain federal contractors under a new program to scrutinize risks to the supply chain. 

Tucked into the draft of a new governmentwide acquisition vehicle for information technology services called Polaris is language describing a tool to “identify, assess and monitor supply chain risks of critical vendors.”  It would use classified and unclassified sources.

GSA said once the tool it’s developing—referred to as the Vendor Risk Assessment Program — is complete, “the contractor agrees the government may, at its own discretion, perform audits of supply chain risk processes or events,” adding, “on site assessments may be required.”

The Vendor Risk Assessment Program first appeared online in a Sept. 2017 blogpost by GSA’s Shon Lyublanovits describing plans to address risks to the supply chain of the government’s information and communications technology. Around that time, agencies would have been busy working to remove Kaspersky software from their systems.  And GSA was engaged in a series of pilots toward a service that would be shared across the government to uncover businesses’ due diligence, including for cybersecurity concerns.

Keep reading this article at: https://www.nextgov.com/cybersecurity/2021/01/gsa-introduces-vendor-risk-assessment-program-draft-solicitation/171289/

Contracting Academy Logo
75 Fifth Street, NW, Suite 300
Atlanta, GA 30308
info@ContractingAcademy.gatech.edu
Phone: 404-894-6109
Fax: 404-410-6885

RSS Twitter