The Contracting Education Academy


March 25, 2021 By cs

CMMC: The dramatic year of the Pentagon’s contractor cybersecurity program

In 2020, an ambitious Defense Department effort to account for its suppliers’ cybersecurity had many in the community kicking and screaming in tow, but it represents a new collective policy thrust that won’t be dismissed.

The program, led by Katie Arrington, the chief information security officer for Defense acquisitions, is based on the idea that the government should incorporate security standards into its contract administration.

Arrington’s presentations on the program often include an estimate of how much is lost each year through cyber disruptions — $600 billion, according to research cited in the DOD’s answers to frequently asked questions about the program — and highlight intellectual property theft by China.

Before the idea of CMMC, companies within the defense industrial base simply pledged their adherence to cybersecurity practices outlined by the National Institute of Standards and Technology. A 2015 rule required Defense contractors to report cyber incidents and to provide “adequate security” using NIST Special Publication 800-171 to protect covered information. But it wasn’t until summer 2019 that the Defense Department started checking whether companies were implementing the standard.

Keep reading this article at: https://www.nextgov.com/cybersecurity/2021/01/cmmc-dramatic-year-pentagons-contractor-cybersecurity-program/171084/

Filed Under: Government Contracting News Tagged With: CMMC, CMMC AB, CMMC accreditation, CMMC Accreditation Body, contractor information systems, cybersecurity, Cybersecurity Maturity Model Certification, DCMA, Defense Industrial Base Cybersecurity Assessment Center, DFARS, DIBCAC, DoD, FAR, federal regulations, industry feedback, manufacturing, NIST, SP 800-171

March 23, 2021 By cs

What does CMMC really mean for small businesses?

If you are a small business, you have an area of expertise, and then there are a lot of departments to which you just don’t have the manpower or bandwidth to give adequate consideration.

That is certainly the case when it comes to concerns like payroll, accounting or HR.

Now, consider how significant your records are and how you keep and secure your computer documents and policies.  The security of your organization’s data and that of your clients is going to be essential to your survival.  One data spill can shutter your doors, ruin your reputation, and cost you staggering fines.

Now more than ever, businesses do not have the luxury of ignoring the implications of inadequate data management and security.

What It Means, and Why

The recently introduced Cybersecurity Maturity Model Certification (CMMC) initiative builds on the tenets of the DoD’s existing DFARS 252.204-7012 regulation, which requires contractors to, at a minimum, “self-certify” their implementation of proper security practices. CMMC essentially ups the ante for the Defense Industrial Base by requiring independent verification that contractors have the proper controls in place to protect the government’s data before the DoD does business with them.

Translation: If you currently do work for the DoD or plan on doing work with them in the future, from mowing the lawn to handling freight, you have some digital hygiene to do – NOW.

Keep reading this article at: https://federalnewsnetwork.com/commentary/2021/01/what-does-cmmc-really-mean-for-small-businesses/

Filed Under: Government Contracting News Tagged With: CMMC, Cybersecurity Maturity Model Certification, Defense Industrial Base, DFARS, industrial base, NIST, small business, SP 800-171

February 15, 2021 By cs

CMMC model tweaks coming after industry feedback

The foundation of the Cybersecurity Maturity Model Certification (CMMC) — the Department of Defense’s new cyber requirements for contractors — will see some coming changes, its leaders recently said.

The DOD will make alterations to the highest level of the five-tier security model after receiving public comments on the recently issued CMMC Defense Federal Acquisition Regulation System rule.

The department issued an “interim final” rule in September instead of first issuing a proposed rule, which meant the rule took effect upon publication. But there was still a 60-day comment period for industry to weigh in. The Office of Management and Budget, which hosts the council overseeing acquisition rules, allowed for this because of “the threat to national security” embedded in supply chain vulnerabilities, Jessica Maxwell, a DoD spokeswoman, said in a statement.

Keep reading this article at: https://www.fedscoop.com/cmmc-model-assessment-guide-to-get-tweaks-after-feedback-from-industry/

 

Filed Under: Government Contracting News Tagged With: CMMC, CMMC AB, CMMC accreditation, CMMC Accreditation Body, contractor information systems, cybersecurity, Cybersecurity Maturity Model Certification, DCMA, Defense Industrial Base Cybersecurity Assessment Center, DFARS, DIBCAC, DoD, FAR, federal regulations, industry feedback, manufacturing, NIST, SP 800-171

February 9, 2021 By cs

CMMC implementation creates issues for ‘shop floors’

As of Nov. 30, defense contractors and suppliers are required to comply with an interim rule that strengthens implementation of the Cybersecurity Maturity Model Certification (CMMC), which is designed to protect controlled unclassified information from hackers.

In December, the Legal and Policy Committee of the National Defense Industrial Association’s Cybersecurity Division hosted the second in a four-part series of tabletop exercises to dry run the implementation and highlight areas where special attention may be needed.  This exercise focused specifically on the implications for manufacturers in defense supply chains, probing deeper into issues from the first exercise, held in October.

Controlled unclassified information, or CUI, needs to be protected not only in enterprise information systems, but also in shop floor networks and systems where technical data may be at risk. The Defense Federal Acquisition Regulation Supplement 252.204-7012 clause that established CMMC mandates use of 110 security requirements defined by National Institute of Standards and Technology Special Publication 800-171 that are appropriate for information technology systems, but in many instances, not appropriate for operational technology systems as found in manufacturing facilities.

Manufacturing systems are capital investments expected to last 20 years or more.  Many run old operating systems that do not support patches or encryption.  Updates are expensive and rare.  Efficiency requires connectivity and safety requires easy, rapid access.  Workarounds are possible, but smaller manufacturers may need help in implementing them.

Keep reading this article at: https://www.nationaldefensemagazine.org/articles/2021/1/29/cmmc-implementation-creates-issues-for-shop-floors

Filed Under: Government Contracting News Tagged With: CMMC, CMMC AB, CMMC accreditation, CMMC Accreditation Body, contractor information systems, cybersecurity, Cybersecurity Maturity Model Certification, DCMA, Defense Industrial Base Cybersecurity Assessment Center, DFARS, DIBCAC, DoD, FAR, federal regulations, manufacturing, NIST, SP 800-171

February 2, 2021 By cs

DoD’s cybersecurity certification requirements to appear in DHS contracts

The Department of Defense is figuring out how to incorporate its Cybersecurity Maturity Model Certification (CMMC) program in contracts offered by the Department of Homeland Security, according to the official helming the initiative.

The CMMC program will ultimately require all defense contractors to have their cybersecurity practices certified by a system of independent third-party auditors. As it is now, companies simply pledge their adherence to security controls detailed in standards issued by the National Institute of Standards and Technology.

Rules to implement the program are expected to be finalized as early as next month and have caused some heartburn within the contracting community. But the program is being rolled out in phases — 15 prime contractors, and all their subcontractors, are being selected to undergo assessments this year — and won’t be fully applicable until 2025.

That led one participant during a virtual meeting hosted by the Armed Forces Communications & Electronics Association Thursday to suggest organizations might even want to deprioritize complying with the CMMC’s requirements.

Keep reading this article at: https://www.nextgov.com/cybersecurity/2021/01/dods-cybersecurity-certification-requirements-appear-dhs-contracts/171551/

Filed Under: Government Contracting News Tagged With: CMMC, CMMC AB, CMMC accreditation, CMMC Accreditation Body, contractor information systems, cybersecurity, Cybersecurity Maturity Model Certification, DCMA, Defense Industrial Base Cybersecurity Assessment Center, DFARS, DIBCAC, DoD, FAR, federal regulations, NIST, SP 800-171



Copyright © 2023 · Georgia Tech - Enterprise Innovation Institute