The Contracting Education Academy

Contracting Academy Logo
You are here: Home / Archives for MDA

By

Defense contractor certification body says maintenance of companies’ cybersecurity posture is within its role

The accreditation body overseeing the Defense Department’s cybersecurity certification for prospective contractors is also authorized to provide certified companies with cybersecurity services, according to members of the group’s board of directors. 

“A continuous monitoring capability could provide benefits to organizations in the defense supply chain by increasing their awareness of changes to their current cybersecurity posture,” Mark Berman, chairman of the board’s communications committee told Nextgov. “This initiative is a potential avenue where we can provide value add to enhance and maintain the security posture.”

Berman was responding to comments from observers who say an April 22 request for proposal the accreditation board issued for a “continuous monitoring solution” marks a departure from the training and certification functions the group is expected to perform.

The Pentagon’s Cybersecurity Maturity Model Certification program is scheduled to take effect this fall following a change to defense federal acquisition regulations. Companies will have to attain third-party certification of their cybersecurity practices if they want to do business with the department. Defense contractors currently state whether they adhere to standards such as those outlined by the National Institute of Standards and Technology without any outside entity verifying their claims.

Keep reading this article at: https://www.nextgov.com/cybersecurity/2020/05/defense-contractor-certification-body-says-maintenance-companies-cybersecurity-posture-within-its-role/165131/

By

DoD sees CMMC as new way to monitor supply chain, spot shell companies

The Defense Department wants to implement its much-discussed Cybersecurity Maturity Model Certification program mainly to ensure every single one of its vendors is undertaking minimum levels of commonly-understood cybersecurity practices so it can protect its supply chain.

But Defense officials increasingly see CMMC as a way to monitor aspects of that supply chain that aren’t strictly about cybersecurity.

DoD expects tens of thousands of its contractors to earn a CMMC certification over the next five years. But to get one — even at the most rudimentary Level One of CMMC — each company will need an in-person visit from a third-party assessor. Those visits are primarily so that auditors can verify companies have actually implemented the security practices required for their level of certification, since no self-attestations will be allowed.

But there’s another reason DoD also wants a set of human eyes on each CMMC applicant: the department wants to make sure each firm that’s certified is actually a real company with real employees.

Keep reading this article at: https://federalnewsnetwork.com/defense-main/2020/04/dod-sees-cmmc-as-new-way-to-monitor-supply-chain-spot-shell-companies/

By

Pentagon’s cybersecurity certification plan includes continuously monitoring contractors

The accreditation body overseeing the Defense Department’s Cybersecurity Maturity Model Certification program — the CMMC-AB — issued a request for proposal that provides insight into how the group plans to keep track of contractors outside of conducting physical audits.

The CMMC will end the DoD’s practice of allowing contractors to “self-certify” their cybersecurity practices. Before the end of the year, the department intends to require companies doing business with the DoD to gain a certificate from third-party auditors that will be valid for up to three years.

“As part of the CMMC-AB’s efforts to mitigate risks posed to the country through sharing of sensitive information with DoD supply chain partners, a continuous monitoring solution will help fill in the gaps between assessments scheduled for once every three years,” the RFP reads. “The CMMC-AB is issuing this request for proposal to help us identify appropriate partners in our continuous monitoring solution.”

The CMMC-AB posted the RFP to its LinkedIn page with a May 1 deadline for responses.

Keep reading this article at: https://www.nextgov.com/cybersecurity/2020/04/pentagons-cybersecurity-certification-plan-includes-continuously-monitoring-contractors/164821/

By

OTAs given greater flexibility to foster innovation in coronavirus response

Defense Department leaders and agencies have been granted much-needed flexibility to respond to the coronavirus pandemic. 
Click on image above to open memorandum.

Last week, Under Secretary of Defense for Acquisition & Sustainment Ellen Lord delegated approval authority for Other Transaction Agreements (OTAs) related to the coronavirus response, consistent with Section 13006 of the CARES Act.

In an April 5 memorandum, Under Secretary Lord designated approval authorities for OTA prototype projects and follow-on production contracts and agreements as follows:

  • Above $100 million, and up to $500 million, to the Directors of Defense Agencies/Field Activities with contracting authority, as well as the Director of the Defense Innovation Unit. This authority was otherwise vested in the Senior Procurement Executives (SPEs) of the Military Departments, the Director of the Defense Advanced Research Projects Agency (“DARPA”), and the Director of the Missile Defense Agency (MDA).
  • Above $500 million, to the SPEs of the Military Departments, and the Directors of DARPA and the MDA. This authority was otherwise restricted to the Under Secretaries for Acquisition & Sustainment and Research & Engineering. Approval authority for OT prototype actions between $100 million and $500 million may now be further delegated by the SPE or Director.

In addition, in lieu of providing 30 days’ advance notice to congressional defense committees of OTAs above $500 million that are related to COVID-19, Section 13006 permits Under Secretary Lord or the Under Secretary of Defense for Research & Engineering to provide notice as soon as practicable after the OTA’s commencement.

Keep reading this article at: https://www.insidegovernmentcontracts.com/2020/04/other-transaction-authorities-given-greater-flexibility-to-foster-innovation-in-coronavirus-response/

The Contracting Education Academy at Georgia Tech has established a webpage where all contract-related developments related to the coronavirus (COVID-19) are summarized.  Find the page at: https://contractingacademy.gatech.edu/coronavirus-information-for-contracting-officers-and-contractors/

By

CMMC standards for non-defense contractors could be coming

The Department of Defense‘s push to secure its leaky supply chain from cyberattacks might “rapidly” become a standard for civilian agencies too.

Katie Arrington, the Pentagon’s CISO for acquisition and sustainment, said Thursday that she has met with Chris Krebs — the head of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) — to discuss the DoD’s new Cybersecurity Maturity Model Certification (CMMC) and how it could translate eventually to civilian, non-defense federal contractors.

Arrington was said she believes CMMC “will become a federal standard for the whole of government rapidly.” But, a CISA official was more cautious about amplifying CMMC beyond its defense acquisition purposes, saying “civilian agencies operate under separate acquisition authorities and CMMC is a DoD-specific program.”

“CISA is certainly following the development of CMMC with great interest and it’s likely that civilian agencies will naturally benefit from CMMC implementation,” the official told FedScoop. “Due to that overlap, we aim to harmonize our cybersecurity approaches as much as possible, including on directives.”

Keep reading this article at: https://www.fedscoop.com/cmmc-federal-standards-for-acqusition/

Contracting Academy Logo
75 Fifth Street, NW, Suite 300
Atlanta, GA 30308
info@ContractingAcademy.gatech.edu
Phone: 404-894-6109
Fax: 404-410-6885

RSS Twitter