The Contracting Education Academy


October 26, 2020 By cs

DoD’s CMMC remains stuck in drama, confusion and concern

Industry experts continue to raise serious concerns about the way forward for the Defense Department’s cybersecurity maturity model certification (CMMC) program.

A technology industry representative told reporters on Oct. 20th that the interim rule DoD published in September didn’t offer enough clarity about the certification process, the costs to become certified and whether there will be reciprocity with other cyber standards. Comments on the interim rule are due Nov. 30 and so far more than two dozen people or organizations have submitted analysis.

The official said they are raising these concerns now because DoD is acting with some urgency to get the program rolled out with the release of the interim rule despite repeated attempts by industry and others to raise these problems.

“The interim rule in September addresses some of these concerns and it adds additional information around the requirements around National Institute of Standards and Technology Special Publication 800-171, but it doesn’t really address all of them,” said the technology industry representative, who requested anonymity in order to talk candidly about the CMMC program so as not to hurt their relationship with DoD, during the conference call.

Keep reading this article at: https://federalnewsnetwork.com/defense-industry/2020/10/dods-cmmc-remains-stuck-in-drama-confusion-and-concern/

Filed Under: Government Contracting News Tagged With: CMMC, CMMC accreditation, CMMC Accreditation Body, cybersecurity, Cybersecurity Maturity Model Certification, DFARS, DoD, FAR, federal regulations, NIST, SP 800-171

October 23, 2020 By cs

DoD’s interim rule adds a new twist to implementing cyber maturity model

The Defense Department released one of the last major pieces to complete the Cybersecurity Maturity Model Certification (CMMC) program puzzle.

The Pentagon issued an interim rule under the Defense Federal Acquisition Regulation Supplement (DFARS) on Sept. 29 to add more clarity around the implementation timeline and around the requirements contractors will have to adhere to over the next five years.

One surprise among observers is the new requirements for vendors working at medium or high security levels to undergo an assessment by the government of how they comply with the standards outlined in Special Publication 800-171 from the National Institute of Standards and Technology.

“The assessment uses a standard scoring methodology, which reflects the net effect of NIST SP 800-171 security requirements not yet implemented by a contractor, and three assessment levels (basic, medium and high), which reflect the depth of the assessment performed and the associated level of confidence in the score resulting from the assessment,” the interim rule stated. “A basic assessment is a self-assessment completed by the contractor, while medium or high assessments are completed by the government. The assessments are completed for each covered contractor information system that is relevant to the offer, contract, task order, or delivery order.”

Keep reading this article at: https://federalnewsnetwork.com/defense-industry/2020/09/dods-interim-rule-adds-a-new-twist-to-implementing-cyber-maturity-model/

Filed Under: Government Contracting News Tagged With: CMMC, CMMC accreditation, CMMC Accreditation Body, cybersecurity, Cybersecurity Maturity Model Certification, DFARS, DoD, FAR, federal regulations, NIST, SP 800-171

October 14, 2020 By cs

DoD’s interim rule imposes new assessment requirements but is short on detail on implementation of CMMC

Two weeks ago, the Department of Defense (DoD) released an interim rule that industry hoped would provide clear guidance with regard to DoD’s implementation of its Cybersecurity Maturity Model Certification (CMMC) framework. 

The vast majority of the rule focuses on DoD’s increased requirements for confirming that contractors are currently in compliance with all 110 security controls in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 (NIST 800-171).  The interim rule also includes a clause for adding CMMC as a requirement in a DoD contract, but the clause fails to address many of the questions that industry has with regard to implementation of the CMMC program.

The rule becomes effective November 30, 2020.

DoD has been focused on improving the cyber resiliency and security of the Defense Industrial Base (DIB) sector for over a decade.  The Council of Economic Advisers estimates that malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016.  The interim rule is one of multiple DoD efforts focused on the broader supply chain security and resiliency of the DIB, and it builds on the cybersecurity requirements already imposed by existing FAR and DFARS clauses.  Increasing security concerns coupled with recent high-profile data breaches have led DoD to move beyond self-certification to auditable verification when it comes to protecting sensitive Government information.

Keep reading this article at: https://www.insidegovernmentcontracts.com/2020/10/department-of-defenses-interim-rule-imposes-new-assessment-requirements-but-is-short-on-detail-on-implementation-of-cmmc/


Filed Under: Government Contracting News Tagged With: CMMC, CMMC accreditation, CMMC Accreditation Body, cybersecurity, Cybersecurity Maturity Model Certification, DFARS, DoD, FAR, federal regulations, NIST, SP 800-171

September 29, 2020 By cs

Pentagon acquisition chief hints Section 889 supply chain waiver may be extended

The Pentagon and the Office of the Director of National Intelligence are discussing extending a waiver that gives the defense industrial base more time to ensure certain noncritical weapons systems comply with a new rule aimed at excising Chinese telecommunications equipment from the supply chain, according to the Defense Department’s acquisition chief. 

Undersecretary for Acquisition and Sustainment Ellen Lord talked briefly about implementation of Section 889 Part B, a provision of the 2019 National Defense Authorization Act, during a Defense News Conference.  Her remarks came a day ahead of a feedback webinar the General Services Administration will host to solicit questions, comments and concerns from stakeholders about Section 889 implementation.

“So what we did is we got a waiver from ODNI for noncritical weapons systems,” Lord said. “We continue to discuss an extension beyond September of that with them.”

Part B of Section 889 officially went into effect August 13, about a month after the final version of the rule was released in July. The rule prohibits federal agencies from contracting with entities that use equipment from certain covered companies including Huawei and ZTE. In effect, Part B requires contractors to search through their supply chains to determine and disclose to the government whether they use any of the covered equipment or services.

Keep reading this article at: https://www.nextgov.com/cio-briefing/2020/09/pentagon-acquisition-chief-hints-section-889-supply-chain-waiver-may-be-extended/168332/

Filed Under: Government Contracting News Tagged With: China, cybersecurity, DoD, GSA, Huawei, intellectual property, malicious software, national security, NDAA, Section 889, security, software, supply chain, ZTE

September 15, 2020 By cs

Big tech moves against certification as a government solution for cybersecurity

The trade association for the industry’s largest companies recommends relying on vendor declarations.

If governments are going to insist on using certification schemes — like the Defense Department’s new Cybersecurity Maturity Model Certification program — in efforts to improve cybersecurity, they should at least consider technology vendors’ own assessments, the Information Technology Industry Council said in new policy principles.

“Governments should consider alternatives to certification, such as supplier’s declaration of conformity/vendor attestation,” reads the policy recommendation released two weeks ago.

The suggestion is among six items the group offered for governments’ consideration, amid the Defense Department’s high-profile rejection of “self-attestation” in developing its CMMC program.

ITI Senior Vice President for Policy and Senior Counsel John Miller said the guidance is meant for a global audience, and highlighted the traction certification schemes have had not just within the U.S. and the European Union but also in countries like Brazil and India.

“Cybersecurity certification is not a comprehensive, one-size-fits-all solution, nor should it be considered a solution of first resort,” the document reads. “Nonetheless, if governments choose to set regulations to mandate certification schemes even after recognizing the limitations of certification, we recommend they follow six key considerations.”

Keep reading this article at: https://www.nextgov.com/cybersecurity/2020/09/big-tech-moves-against-certification-government-solution-cybersecurity/168230/

Filed Under: Government Contracting News Tagged With: CMMC, cybersecurity, Cybersecurity Maturity Model Certification, DoD, Information Technology Industry Council, ITI, self-attestation, self-certification

Copyright © 2021 · Georgia Tech - Enterprise Innovation Institute