The Contracting Education Academy


January 25, 2021 By cs

GSA introduces vendor risk assessment program in draft solicitation

The General Services Administration could soon start requiring on-site assessments of certain federal contractors under a new program to scrutinize risks to the supply chain. 

Tucked into the draft of a new governmentwide acquisition vehicle for information technology services called Polaris is language describing a tool to “identify, assess and monitor supply chain risks of critical vendors.”  It would use classified and unclassified sources.

GSA said once the tool it’s developing — referred to as the Vendor Risk Assessment Program — is complete, “the contractor agrees the government may, at its own discretion, perform audits of supply chain risk processes or events,” adding, “on site assessments may be required.”

The Vendor Risk Assessment Program first appeared online in a Sept. 2017 blogpost by GSA’s Shon Lyublanovits describing plans to address risks to the supply chain of the government’s information and communications technology. Around that time, agencies would have been busy working to remove Kaspersky software from their systems.  And GSA was engaged in a series of pilots toward a service that would be shared across the government to uncover businesses’ due diligence, including for cybersecurity concerns.

Keep reading this article at: https://www.nextgov.com/cybersecurity/2021/01/gsa-introduces-vendor-risk-assessment-program-draft-solicitation/171289/

Filed Under: Government Contracting News Tagged With: cybersecurity, cyberthreat, GSA, information technology, risk, risk assessment, security, security threat, supply chain, supply chain security, Vendor Risk Assessment Program

September 29, 2020 By cs

Pentagon acquisition chief hints Section 889 supply chain waiver may be extended

The Pentagon and the Office of the Director of National Intelligence are discussing extending a waiver that gives the defense industrial base more time to ensure certain noncritical weapons systems comply with a new rule aimed at excising Chinese telecommunications equipment from the supply chain, according to the Defense Department’s acquisition chief. 

Undersecretary for Acquisition and Sustainment Ellen Lord talked briefly about implementation of Section 889 Part B, a provision of the 2019 National Defense Authorization Act, during a Defense News Conference.  Her remarks came a day ahead of a feedback webinar the General Services Administration will host to solicit questions, comments and concerns from stakeholders about Section 889 implementation.

“So what we did is we got a waiver from ODNI for noncritical weapons systems,” Lord said. “We continue to discuss an extension beyond September of that with them.”

Part B of Section 889 officially went into effect August 13, about a month after the final version of the rule was released in July. The rule prohibits federal agencies from contracting with entities that use equipment from certain covered companies including Huawei and ZTE. In effect, Part B requires contractors to search through their supply chains to determine and disclose to the government whether they use any of the covered equipment or services.

Keep reading this article at: https://www.nextgov.com/cio-briefing/2020/09/pentagon-acquisition-chief-hints-section-889-supply-chain-waiver-may-be-extended/168332/

Filed Under: Government Contracting News Tagged With: China, cybersecurity, DoD, GSA, Huawei, intellectual property, malicious software, national security, NDAA, Section 889, security, software, supply chain, ZTE

March 31, 2020 By cs

How industry and government can partner for more secure systems

Industry needs to be able to tell government how software was developed and how security measures were integrated into it, a top official at the National Institute of Standards and Technology said March 10.

“Give us some evidence that those security features are actually in place and doing what they’re supposed to do,” said Ron Ross, a fellow at NIST who leads a new DevSecOps project.

Ross, speaking at an Advanced Technology Academic Research Center event on DevOps, said that the future of U.S. national and economic security hinges on industry and government getting the transition to DevOps and DevSecOps, two different software development approaches where collaboration and security are considered from the beginning, because they are critical to national and economic security.

“All the work that’s going on now, whether it’s experimental or whether it’s becoming more mature, we need to be able to normalize this type of process so it becomes [something] people would just do routinely — it becomes institutionalized and operationalized across the entire federal government,” Ross said.

Industry, Ross said, is a critical partner in that process. The key is ensuring that customers no longer have to worry about the effectiveness and origin of security controls.

Keep reading this article at: https://www.fifthdomain.com/civilian/2020/03/10/how-industry-and-government-can-partner-for-more-secure-systems/

Filed Under: Government Contracting News Tagged With: acquisition planning, control, cybersecurity, DevOps, IT, NIST, security, technology

November 29, 2019 By cs

Supply chain security requires acquisition reform, security experts say

To secure the government’s IT ecosystem, agencies must better understand their tech, the vendors who built it, and those companies’ suppliers.

The government can make significant progress in securing its IT supply chain by following a few basic procurement practices, but most agencies have yet to adopt them, according to federal security experts.

While government leaders have recently given a lot of attention to the supply chain security threats posed by foreign vendors, officials must devote equal energy to reforming their acquisition policies so they put those warnings to good use, experts said. Those efforts require an in-depth understanding of both the government’s IT infrastructure and the countless firms in its vendor pool, they said, but today that remains a challenge for most agencies.

“Supply chain [security] is where we were with cyber[security] maybe 15, 20 years ago,” Michele Iversen, director of risk assessment and operational integration at the Defense Department, said during a panel at the recent Fifth Domain’s CyberCon event. “We really don’t really have the visibility that we need to know where the threats are and what’s actually happening.”

Keep reading this article at: https://www.nextgov.com/cybersecurity/2019/11/supply-chain-security-requires-acquisition-reform-security-experts-say/161251/

Filed Under: Government Contracting News Tagged With: acquisition reform, NIST, procurement reform, risk, risk management, security, supply chain, supply chain management, supply chain security

June 6, 2019 By AMK

People are key to securing the defense-industrial supply chain

Infiltrating the defense supply chain is one of the most insidious means by which attackers can compromise our nation’s communications and weapons systems. Successfully targeting a single component of the defense industrial base can cause a ripple effect that can significantly impact everything from data centers to war fighters in theater.

The Department of Defense’s new “Deliver Uncompromised” security initiative is designed to tackle this problem at its root cause: third-party suppliers. In essence, the DoD is requiring its suppliers to bake security into their applications from the beginning of the production process. A “good enough” approach that just clears the bar for minimal security criteria is no longer good enough. Security must be ingrained in the very fabric of the entire production process.

Security starts with people

The process starts with people. They are responsible for ensuring that the solutions that comprise the supply chain work as designed and are inherently secure. They work closely with highly sensitive and proprietary information that is attractive to enterprising hackers. They are the first line of defense.

Unfortunately, those same factors make people the most attractive attack vector. When a malicious actor wants to gain access to a component or system, it’s often easier to just steal someone’s credentials than it is to try and find their way around a firewall. Obtaining a simple password is often enough to gain access to a critical system that can then be compromised, or information that can be exploited.

Keep reading this article at: https://www.fifthdomain.com/opinion/2019/05/13/people-are-key-to-securing-the-defense-industrial-supply-chain/

Filed Under: Government Contracting News Tagged With: acquisition process, Affordable Health Care Act, controlled unclassified information, CUI, cybersecurity, defense, Defense Industrial Base, defense programs, defense solutions, DFARS, DoD, hackers, Sea Dragon, security, security threat, supply chain


Copyright © 2023 · Georgia Tech - Enterprise Innovation Institute