The Contracting Education Academy


September 3, 2019 By cs

How to manage risk along the federal government supply chain

Even the most sophisticated federal agencies have found it difficult to effectively measure and evaluate the cyber risk of their contractor base.

The U.S. federal government relies on an ever-expanding supply chain of tens of thousands of contractors and subcontractors to provide critical services, hold and maintain sensitive data, and perform key functions. While this supply chain is essential to agencies’ fundamental operations, it also increases the number of access points nefarious actors have to their systems and data and, consequently, puts agencies and sensitive data at greater risk.

Even the most sophisticated federal agencies have found it difficult to effectively measure and evaluate the cyber risk of their contractor base. For example, the Navy recently released a report that highlighted growing concerns around supply chain cybersecurity, noting that the federal supply chain has been “compromised in ways and to an extent yet to be fully understood.” In a July 2019 report on the security of its contractors, the Defense Department Inspector General was blunt: The department “does not know the amount of DoD information managed by contractors and cannot determine whether contractors are protecting unclassified DoD information from unauthorized disclosure.”

In fact, data suggests that contractors are not meeting agency expectations for security. Recent BitSight research found that the average security performance rating across all federal agencies was at least 15 points higher than the mean security performance rating of any contractor sector. In other words, there is a significant security performance gap between federal agencies and their supply chain partners.

The time has come for agencies to prioritize this critical risk in their cybersecurity programs. There are steps agencies can take to more effectively measure, monitor and manage this challenge.

Keep reading this article at: https://www.nextgov.com/ideas/2019/08/how-manage-risk-along-federal-government-supply-chain/159401/

Filed Under: Government Contracting News Tagged With: collaboration, controlled unclassified information, cybersecurity, DoD, monitoring, Navy, sensitive data, supply chain, supply chain management, vulnerability

February 27, 2018 By AMK

Buy American, Hire American: Will it impact contractors’ ability to store data offshore?

Buy American and hire American.

The concept is easy, but the implementation can be far more complicated, particularly in the current government contracting world where waivers to those requirements have become common.

In an attempt to strengthen the commitment to buying American and hiring American, on January 26, 2018, a bipartisan group of ten Senators sent a letter to President Trump urging him to “keep the promises” that he had made in April 2017 to buy American and hire American. The letter follows Senators Rob Portman (R-OH), Sherrod Brown (D-OH), Lindsey Graham (R-SC), and Chris Murphy’s (D-CT) introduction of the bipartisan BuyAmerican.gov Act of 2018 on January 9, 2018.

This new legislation seems to be an effort to codify President Trump’s April 18, 2017, Buy American and Hire American Executive Order (the Executive Order), and slow what the BuyAmerican.gov Act Press Release calls the “excessive number of waivers” to the Buy American laws. Since President Trump signed the Executive Order, much has been written about the potential effects of that Executive Order. However, the potential impacts on government contractors who maintain or store data relating to their performance of federal government contracts have been largely disregarded.

To date, nothing in the Federal Acquisition Regulation (FAR) prohibits contractors from storing contract-related data offshore — i.e., outside the United States. Some federal agencies have included an obligation for bidders to disclose their intentions regarding data storage if they are successful and awarded a contract, but these efforts have not been consistent across federal agencies. States have been the most aggressive in terms of policing a contractor’s ability to store state contract data offshore. Seven states have statutes or regulations that prohibit contractors from storing state contract data outside the United States. Multiple other states have regulations or include provisions in their solicitations that require bidders on state contracts to disclose where the contractor intends to store the state’s data.

Keep reading this article at: https://www.jdsupra.com/legalnews/buy-american-hire-american-will-it-19180/

Filed Under: Government Contracting News Tagged With: Buy American Act, contract data, data storage, Executive Order, FAR, offshore, sensitive data

April 15, 2015 By AMK

Clearing up confusion about data on nonfederal systems

The National Institute of Standards and Technology (NIST) is looking for input on a government guide on how to handle sensitive federal information that resides in nonfederal systems and organizations.

Last fall, NIST issued recommendations for securing sensitive data on IT systems at companies that work for the government. The draft standards, released Nov. 18, are aimed at contractors and other nonfederal organizations that store controlled but unclassified information (CUI) in the course of their work.

At the time, NIST officials told FCW that nonfederal organizations must try to meet a wide range of contract clauses. “Conflicting guidance” from multiple agencies can lead to “confusion and inefficiencies” about how to handle sensitive federal information in nonfederal information systems that include contractors, state and local governments, and colleges and universities.

Keep reading this article at: http://fcw.com/articles/2015/04/07/nist-data-guidance.aspx

Filed Under: Government Contracting News Tagged With: FAR, IT, NIST, sensitive data, standards, technology

Copyright © 2023 · Georgia Tech - Enterprise Innovation Institute