The Contracting Education Academy

Contracting Academy Logo
You are here: Home / Archives for security threat

By

GSA introduces vendor risk assessment program in draft solicitation

The General Services Administration could soon start requiring on-site assessments of certain federal contractors under a new program to scrutinize risks to the supply chain. 

Tucked into the draft of a new governmentwide acquisition vehicle for information technology services called Polaris is language describing a tool to “identify, assess and monitor supply chain risks of critical vendors.”  It would use classified and unclassified sources.

GSA said once the tool it’s developing—referred to as the Vendor Risk Assessment Program — is complete, “the contractor agrees the government may, at its own discretion, perform audits of supply chain risk processes or events,” adding, “on site assessments may be required.”

The Vendor Risk Assessment Program first appeared online in a Sept. 2017 blogpost by GSA’s Shon Lyublanovits describing plans to address risks to the supply chain of the government’s information and communications technology. Around that time, agencies would have been busy working to remove Kaspersky software from their systems.  And GSA was engaged in a series of pilots toward a service that would be shared across the government to uncover businesses’ due diligence, including for cybersecurity concerns.

Keep reading this article at: https://www.nextgov.com/cybersecurity/2021/01/gsa-introduces-vendor-risk-assessment-program-draft-solicitation/171289/

By

GSA to remove almost all drones from contract offerings over China concerns

By Feb. 1, all but five unmanned aerial vehicles will be removed from the General Services Administration’s offerings.

The General Services Administration — the federal government’s central buyer — will no longer include drones in its suite of offerings, except those previously approved by a small innovation unit inside the Defense Department.

Citing the threat of Chinese manufacturers, GSA officials announced Tuesday the agency will be canceling contracts offering drones from all but five suppliers on the Multiple Award Schedules, the set of pre-vetted contracts that offer everything from paper clips to helicopters to data centers.

“GSA is removing all identified drones that are not approved through the [Defense Innovation Unit’s] Blue sUAS program from MAS contracts,” a GSA spokesperson told Nextgov. “Affected vendors will be notified by their contracting officer and only the identified drones will be removed from their MAS contract.”

Keep reading this article at: https://www.nextgov.com/cybersecurity/2021/01/gsa-remove-almost-all-drones-contract-offerings-over-china-concerns/171352/

By

Comments on government supply chain rule push for better definitions and more time

Industry groups and other comments highlight the difficulty of complying with a provision of last year’s defense authorization act that requires the removal of products from companies including Huawei and ZTE. 

The broad, ambiguous language of Congressionally-mandated rule for government contractors to remove products and services from companies that pose threats to national security is complicating implementation, according to public comments.

The comment period for the interim Federal Acquisition Rule implementing Part B of Section 889 — a provision of the 2019 National Defense Authorization Act — closed last week, and the more than 30 comments submitted raise questions related to fundamental compliance issues.

While in general, commenters agree with the rule’s intent, groups representing industry, including the National Defense Industrial Association, BSA | The Software Alliance, the Coalition for Government Procurement and the Internet Association submitted detailed letters to Regulations.gov outlining compliance challenges.  Nearly all asked for extended timelines for implementation and better definitions for key terms and phrases used in the regulation.

Keep reading this article at: https://www.nextgov.com/cybersecurity/2020/09/comments-government-supply-chain-rule-push-better-definitions-and-more-time/168460/

By

Top DoD scientist sets up task forces to look at industrial base, infrastructure

The Defense Department’s top scientist is concerned about the state of defense businesses, critical infrastructure and security of microelectronics in the military, and he’s asking some of the Pentagon’s top minds to look into the issues.

In three Oct. 30 memos to the Defense Science Board — a group of military, civilian, science and academic experts sponsored by DoD — Defense Undersecretary for Research and Engineering Michael Griffin asks that task forces be set up to assess the businesses the Pentagon needs to create weapons and how to protect the military’s resiliency. He also asks a task force to look at how to ensure trustworthy microelectronics are used in military systems.

The 21st Century Industrial Base for National Defense Task Force is tasked with taking proactive steps to increase the depth, breadth and security of the defense industrial base.

The memo gives the task force up to 12 months to study how the industrial base can respond to the need for the military to surge and mobilize. It will also look at how industry can adapt modernization practices to continuously adapt to threats.

Keep reading this article at: https://federalnewsnetwork.com/defense-main/2019/11/top-dod-scientist-sets-up-task-forces-to-look-at-industrial-base-infrastructure/

By

People are key to securing the defense-industrial supply chain

Infiltrating the defense supply chain is one of the most insidious means by which attackers can compromise our nation’s communications and weapons systems. Successfully targeting a single component of the defense industrial base can cause a ripple effect that can significantly impact everything from data centers to war fighters in theater.

The Department of Defense’s new “Deliver Uncompromised” security initiative is designed to tackle this problem at its root cause: third-party suppliers. In essence, the DoD is requiring its suppliers to bake security into their applications from the beginning of the production process. A “good enough” approach that just clears the bar for minimal security criteria is no longer good enough. Security must be ingrained in the very fabric of the entire production process.

Security starts with people

The process starts with people. They are responsible for ensuring that the solutions that comprise the supply chain work as designed and are inherently secure. They work closely with highly sensitive and proprietary information that is attractive to enterprising hackers. They are the first line of defense.

Unfortunately, those same factors make people the most attractive attack vector. When a malicious actor wants to gain access to a component or system, it’s often easier to just steal someone’s credentials than it is to try and find their way around a firewall. Obtaining a simple password is often enough to gain access to a critical system that can then be compromised, or information that can be exploited.

Keep reading article at: https://www.fifthdomain.com/opinion/2019/05/13/people-are-key-to-securing-the-defense-industrial-supply-chain/

Contracting Academy Logo
75 Fifth Street, NW, Suite 300
Atlanta, GA 30308
info@ContractingAcademy.gatech.edu
Phone: 404-894-6109
Fax: 404-410-6885

RSS Twitter