Cybersecurity

On January 30, the Department of Defense (DoD) released the Cybersecurity Maturity Model Certification (CMMC) outlining cybersecurity requirements that DoD contractors and subcontractors must meet to certify they adequately satisfy the DoD standards. These new requirements may go into effect for certain procurements as soon as the end of September 2020.

In this 60-minute webinar,

The Department of Defense (DoD) has now finalized its new cybersecurity standards, which we discussed last year. The new cybersecurity standards, which are intended to protect controlled unclassified information, will be implemented by the Cyber Maturity Model Certification program (CMMC), which was finalized last week after multiple draft iterations. CMMC Version 1.0 is available here.

CMMC Will Require Third-Party Certification of Cybersecurity Maturity Level

Among other changes from the prior cybersecurity compliance regime, this new approach will require that to be eligible for DoD awards, contractors must be certified by a third-party commercial certification organization to have achieved one of five cybersecurity maturity levels, with higher levels representing more advanced cybersecurity. Later this year, DoD solicitations will contain the applicable CMMC requirement, and contractors failing to meet this standard will be unable to bid. The requirements will apply to all parties within the supply chain (although subcontractors may not have to meet as high a CMMC standard as the prime contractor, depending on their scope of work).

Continue Reading DoD Finalizes Cybersecurity Maturity Model Certification

In line with recent actions taken across the government to enhance the resilience of the nation’s cybersecurity apparatus, the Cybersecurity and Infrastructure Security Agency (CISA) recently released a set of best practices for small businesses. These Cyber Essentials, according to CISA, are intended as a starting point to nurture a “culture of security, and specific actions for leaders and their IT professionals to put that culture into actions.”

The Cyber Essentials provide guidance for both organization leaders and IT professionals across six elements:

  • Yourself
  • Your Staff
  • Your Systems
  • Your Surroundings
  • Your Data
  • Your Actions under Stress.

Continue Reading Covering the Basics: CISA Announces Cybersecurity Essentials for Small Businesses

As the Department of Defense (DoD) pushes to overhaul cybersecurity requirements with a new Cybersecurity Maturity Model Certification (CMMC) program to be implemented in the fall of 2020, I recently provided insights for an article in Law360 that highlighted some potential challenges the quick rollout and still-unanswered questions could present. Contractors generally welcome the unified and modernized approach to cybersecurity, but because there are many questions left unanswered since the initial drafts released in May and in September, there are concerns among some that the perceived rush is creating undue stress and confusion.

As a result, the September draft of the CMMC program received a large volume of public comments, which Todd noted was unusual given the limited time available for comment. For solutions the DoD could address in the final rule, I suggested the Department ensure minimum cybersecurity levels are included in contracts as pass-fail threshold requirements, rather than as subjective assessments that potentially open up new grounds for bid protests.

Continue Reading Insight on DoD’s Cybersecurity Plan

I am excited to be presenting a training seminar titled, “Trends and Changes in Federal Contracting FY 20” for the Florida Procurement Technical Assistance Center (Florida PTAC).

The interactive seminar will provide insight into the world of federal government contracting for Fiscal Year 2020 and new initiatives that will impact federal businesses in the next 12 months.

Continue Reading Trends and Changes in Federal Contracting for Fiscal Year 2020

In an article published by Law360, we examined a report issued by the U.S. Department of Defense (DoD) Inspector General on July 23, which summarizes the findings of an audit into the protection of controlled unclassified information (CUI) on contractor networks.

The DoD reviewed nine contractors’ information systems and found deficiencies relative to the standards set forth in National Institute of Standards and Technology (NIST) Special Publication 800-171. The deficiencies identified include: not mitigating vulnerabilities on their networks and systems, not scanning their networks for vulnerabilities, not mitigating high vulnerabilities identified in the contractors’ management programs, and more.

Continue Reading Findings of DoD Audit and Recommendations for Cyber Enforcement

The Department of Defense (DoD) Inspector General recently issued a report summarizing the findings of an audit into the protection of Controlled Unclassified Information (CUI) on contractor networks. Based on an in-depth review of nine contractors, the audit uncovered some common practices that fall short of meeting the standards set forth in NIST SP 800-171, which contractors are obligated to follow under DFARS 252.204-7012.

Shortcomings Discovered in DoD Audit

These common lapses include the following, among others:

  • Inconsistent tracking of cybersecurity threats
  • Failure to consistently mitigate network vulnerabilities
  • Uneven use of strong passwords
  • Inconsistent use of multifactor identification

Continue Reading Vulnerable Systems: Contractor Protection of Controlled Unclassified Information at Risk

At the end of June, the U.S. Supreme Court issued an important Freedom of Information Act (FOIA) decision that decreases the burden on contractors seeking to protect confidential information. As most contractors are aware, FOIA requires that, upon request, the government disclose information in its possession, unless an exemption applies. This presents a significant risk for contractors, as they regularly provide highly sensitive information to the government in the course of obtaining or performing federal contracts and grants.

Fortunately, that type of information falls within the scope of the exemption at 5 U.S.C. 552(b)(4) (Exemption 4), which shields from disclosure “trade secrets and commercial or financial information obtained from a person and privileged or confidential.” After receiving notice that a party is seeking the public release of such information, in order to protect it, contractors previously had to demonstrate that the information was customarily kept private and that the government agreed, implicitly or expressly, to treat it as confidential.

Continue Reading Protecting Government Contractors’ Confidential Information Just Got Easier

The National Institute of Standards and Technology (NIST) is responsible for developing information security standards and guidelines—including minimum requirements for federal information systems. At the end of February, NIST released its Final Draft of Special Publication (SP) 800-171A—Assessing Security Requirements for Controlled Unclassified Information.

First proposed in November 2017, the publication is meant to provide agencies and contractors with guidance on how to conduct assessments under the prominent cybersecurity standard NIST SP 800-171—Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. This standard acts as the foundation for how contractors must protect all forms of Controlled Unclassified Information (CUI).

Continue Reading Final Draft of NIST SP 800-171A Still Open for Comments

In mid-January, the General Services Administration (GSA) released its Semiannual Regulatory Agenda. Within this agenda, GSA announced plans to update requirements in the General Services Administration Acquisition Regulation (GSAR) concerning the reporting of cyber incidents that potentially affect GSA or its contractors.

The agency will be turning to the Federal Information Security Modernization Act of 2014 (FISMA), along with other cyber regulations, as a model for how to update its policies. These updates would be improvements to the existing cyber incident reporting policy within GSA Order CIO 9297.2, i.e. the GSA Information Notification Policy. By integrating these updated policies into the GSAR, contracting officers would be required to include cyber incident reporting requirements within all of their procurement contracts.

Continue Reading General Services Administration Announces Plans to Update Cybersecurity Requirements for Contractors