The Contracting Education Academy

Contracting Academy Logo
You are here: Home / Archives for cybersecurity

By

Defense contractor cybersecurity certifiers launching ‘national conversation’ webinars

About 3,500 people have registered for the first of a series of webinars organizers are planning to meet the high demand for knowledge of how the Pentagon’s Cybersecurity Maturity Model Certification program will work.

The CMMC Accreditation Body — newly incorporated as a nonprofit in Maryland — emailed stakeholders last Wednesday touting its activity so far in standing up a system to manage audits of defense contractors’ cybersecurity and outlining the next steps.

Implementation of the CMMC will end the current policy of defense contractors self-attesting their adherence to specific security controls, such as those outlined in National Institute of Standards and Technology Special Publication 800-171.

The program has made many in the industry anxious about exactly what auditors will want to see in order to hand over the certifications necessary to do business with the Defense Department and created an ecosystem of independent third parties eager to profit from the system.

Two weeks ago, Ellen Lord, undersecretary of Defense for acquisitions, issued a statement dispelling claims some were making that they could provide the sought-after certifications.

Keep reading this article at: https://www.nextgov.com/cybersecurity/2020/04/defense-contractor-cybersecurity-certifiers-launching-national-conversation-webinars/164332/

By

How industry and government can partner for more secure systems

Industry needs to be able to tell government how software was developed and how security measures were integrated into it, a top official at the National Institute of Standards and Technology said March 10.

“Give us some evidence that those security features are actually in place and doing what they’re supposed to do,” said Ron Ross, a fellow at NIST who leads a new DevSecOps project.

Ross, speaking at an Advanced Technology Academic Research Center event on DevOps, said that the future of U.S. national and economic security hinges on industry and government getting the transition to DevOps and DevSecOps, two different software development approaches where collaboration and security considered from the beginning, because they are critical to national and economic security.

“All the work that’s going on now, whether it’s experimental or whether it’s becoming more mature, we need to be able to normalize this type of process so it becomes [something] people would just do routinely — it becomes institutionalized and operationalized across the entire federal government,” Ross said.

Industry, Ross said, is a critical partner in that process. The key is ensuring that customers no longer have to worry about the effectiveness and origin of security controls.

Keep reading this article at: https://www.fifthdomain.com/civilian/2020/03/10/how-industry-and-government-can-partner-for-more-secure-systems/

By

Coronavirus will not delay Pentagon’s contractor cybersecurity program, official says

The Defense Department officially entered into an agreement with the nonprofit corporation that will serve as the accreditation body for its Cybersecurity Maturity Model Certification program, the chief information security officer for the department’s acquisition office confirmed. 

“Yesterday the CMMC accreditation body made a public post that we have executed the [memorandum of understanding],”  said Katie Arrington, who is spearheading the program and participated in a webcast on the issue Thursday.

A resolute Arrington sought to quash any idea that the government’s efforts to contain the coronavirus pandemic would delay the Defense Department’s plan to validate contractors’ cybersecurity claims using independent third-party auditors.

“We, all of us that are mission-essential, have been working on COVID-19, but,” she said, “although we are working diligently to ensure we are doing our best in the Department of Defense to save lives, work does continue and we are not slowing our roll at all.”

Arrington and other webinar participants noted the extensive impact the CMMC is expected to make across the federal government, its contractors and international partners.

Keep reading this article at: https://www.nextgov.com/cybersecurity/2020/03/coronavirus-will-not-delay-pentagons-contractor-cybersecurity-program-official-says/164152/

By

Industry on pins and needles as DoD and accreditation body work to finalize CMMC agreement

The Defense Department is one small step away from officially getting the Cybersecurity Maturity Model Certification (CMMC) off the starting blocks.

Ellen Lord, the undersecretary of Defense for Acquisition and Sustainment, is ready to sign off on the memorandum of understanding with the CMMC accreditation body that would jumpstart the training of third-party assessment organizations.

Katie Arrington, the chief information security officer for acquisition at DoD, said the MOU is through the clearance process and is just awaiting Lord’s signature.

Arrington, speaking at the Washington Technology CMMC event in McLean, Virginia on March 13, said once the MOU is signed, the six-month push to begin putting CMMC standards in procurements officially will begin.

“The accreditation board, the Johns Hopkins University Applied Physics Laboratory, Carnegie Mellon University and DoD are going through simulations of training, working through the kinks,” she said. “The first session of classes will actually be a lot of the proof in the pudding, and DoD will be there to help through this. This is new so we want to make sure we get it right.”

Keep reading this article at: https://federalnewsnetwork.com/reporters-notebook-jason-miller/2020/03/industry-on-pins-and-needles-as-dod-accreditation-body-to-finalize-cmmc-agreement/

By

Pentagon announces final version of cyber standards for contractors

During an event where Defense Department officials looked to dispel myths about a plan to certify the cybersecurity of its contractors through third-party audits, the department’s head of acquisitions spoke to why the rollout of the program isn’t expected to be done till 2026. 

“We are doing this with what I would call irreversible momentum,” Undersecretary of Defense for Acquisition and Sustainment Ellen Lord said, answering questions from reporters.

Some stakeholders have said the plan to subject companies in the defense industrial base to reviews by independent auditors—instead of allowing them to self-attest to security practices—is moving at break-neck speed.  But Defense officials were pressed at the event to explain why it would take such a long time to fully implement the program.

“We’re being realistic in terms of making sure we have pathfinder projects and then we implement it and learn, get the feedback, and go on,” Lord said.

While the department plans to note CMMC requirements in requests for information starting late spring, specific security levels—ranging 1 through 5, described in a final version 1.0 of the model—won’t be included in requests for proposals till the fall, when it is expected the related rule will be finalized in Defense Federal Acquisition Regulations.

Spring is also when auditors will start attending classes and CMMC training will be available on the Defense Acquisition University website, officials said.

Keep reading this article at: https://www.nextgov.com/cybersecurity/2020/01/pentagon-announces-final-version-cyber-standards-contractors/162807/

Contracting Academy Logo
75 Fifth Street, NW, Suite 300
Atlanta, GA 30308
info@ContractingAcademy.gatech.edu
Phone: 404-894-6109
Fax: 404-410-6885

RSS Twitter