Cybersecurity Knowledge for Free

Who should understand cybersecurity? According to the Department of Homeland Security, everyone. Whether or not you work in IT, a basic understanding of cybersecurity is necessary. Now, thanks to the National Security Agency (NSA) and Penn State University, you can learn online at no charge. (Federal News Network, October 11, 2019)

NSA and Penn State, as part of an undertaking directed by the Department of Homeland Security, have created an online course to educate people on cybersecurity operations, law, and policy. It is geared toward non-lawyers and requires no technical background. The entire course can be taken as a whole or in modules. In addition, anyone interested in the course can teach it or take it. It is offered through the CLARK Center, alongside a variety of other cybersecurity courses.

The course begins with an overview of the U.S. government and the legal system and how they operate, providing a legal framework around cyber operations and cybersecurity. It gives similar overviews of technology concepts, then steps into the legal foundations for modern cyber law and policy, focusing on the Constitution and the Bill of Rights and their application to these concepts.

The third and final module reviews cyber operations. This is taught as a cyber threat response framework using real-world cases to keep students engaged. Many examples are taken from actual current events and show how domestic law, national security, and technology intersect. (ibid)

Wondering if you should brush up on your cyber education? Give us a call and we can discuss it with you.

CMMC a Plus for Small Businesses?

Katie Arrington, on staff with the Undersecretary of Defense for Acquisition and Sustainment, believes nation-states are actively targeting small businesses digitally. And, she says, we are losing the battle against cyberattacks. (Fifth Domain, October 8, 2019)

According to Arrington, rivals cost the US an estimated $600 billion per year and 5G will multiply that number exponentially by 2025. As a result, Arrington believes the cybersecurity maturity model certification (CMMC) is actually intended for small businesses. (ibid)

CMMC grades a company's cybersecurity on a scale of one (least secure) to five (most stringent). Small businesses must comply with a tiered rating structure. So a company offering cleaning services may need only comply with CMMC level one, while an engineering firm is held to level four.

Arrington says that CMMC levels the playing field. Old compliance standards allowed companies to perform their contracts while still working on their plan of action to become technically acceptable. This left sensitive systems that require additional security controls vulnerable. Many small businesses do not have the resources to obtain a high CMMC level, ultimately limiting competition in the marketplace; others fear the costs will be so high that small companies will be priced out of the marketplace and limited in their ability to compete on government contracts.

The most recent Navy breaches targeted contractors without classified information per se, but taken in total the data disclosed sensitive capabilities. This is exactly what the CMMC framework addresses. (ibid)

Requests for proposals are expected to include CMMC requirements as early as fall 2020.

Questions about CMMC requirements? Give us a call.

CMMC RFI

The Department of Defense (DoD) has issued a request for information for the “long-term implementation, functioning, sustainment, and growth” of the Cybersecurity Maturity Model Certification (CMMC). (FedBizOps.gov, October 3, 2019)

Last month, DoD issued version 0.4 of the CMMC. Contractors may now see the cybersecurity standards required when working on projects with controlled but unclassified information. CMMC will assist DoD to secure more than 300,000 organizations. (Fed Scoop, October 4, 2019)

The accreditation body does not directly perform the assessments but manages the third-party organizations that do. It is a nonprofit that utilizes “revenues generated through dues, fees, partner relationships, conferences, etc.” to fund the work. The deadline to submit feedback is October 21, 2019. (FedBizOps.gov ibid)

We’d be glad to discuss this RFI with you. Just give us a call.

Time to Uncover Some Chinese Equipment

Recently, GSA sent a letter to contractors explaining the new FAR interim rule regarding supply chain security, which went into effect last month. The rule prohibits federal agencies from procuring, obtaining, extending, or renewing a contract to procure or obtain “any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system or as critical technology as part of any system.” (Acquisition.gov)

Covered equipment encompasses telecommunications and video surveillance products and services by Huawei Technologies Company, ZTE Corporation, Hytera Communications Corporation, Hikvision Digital Technology Company, or Dahua Technology Company, or any company that the head of a relevant federal agency reasonably believes is controlled by the government of the People's Republic of China.

The interim rule:

  • Prohibits contractors from providing covered telecommunications services/equipment unless an exception or waiver is granted
  • Mandates every offeror represent whether it will provide covered telecommunications equipment/services as part of its offer, and if that is the case, the offeror must provide details about the covered equipment or services
  • Requires contractors to report any covered equipment/services throughout the life of the contract. (ibid)

At the same time the FAR interim rule went into effect, GSA issued a class deviation. This essentially takes a risk-based approach to the new FAR interim rule by limiting the representation requirement for GSA-funded orders to the indefinite-delivery contract level. The deviation necessitates the following:

  • Requires, at all times, an order-level representation for acquisition vehicles that carry a “high risk” of including covered telecommunications equipment or services.
  • Requires an order-level representation for all orders that could include information technology or communications technology under all GSA acquisitions.
  • Creates a GSA Acquisition Regulation (GSAR) representation clause, requiring the GSAR and FAR reporting clauses in all new and ongoing GSA contracts.
  • Initiates GSA-specific implementation targets for modification of existing contracts.
  • Simplifies the application of Section 889 of the NDAA to other GSA program areas. (ibid)

The interim rule affects ALL contractors. As a contractor, you are responsible for determining whether covered telecommunications equipment/services will be provided under both new and existing contracts and orders.

Below is some fundamental information to help you prepare as GSA puts into place the interim rule and class deviation:

  • Your FAS contracting activity will issue a modification (mod) requiring your response, incorporating FAR clause 52.204-25 and GSAR clause 552.204-70.
  • Your mod response must state whether you will or will not provide covered telecommunications equipment/services in the performance of any contract, subcontract, order, or any other contractual instrument.
  • The substance of FAR clause 52.204-25 must be inserted into all subcontracts.
  • You must report any covered telecommunication equipment or services you discover during the course of contract performance.
  • For new GSA solicitations, you are required to represent at the contract level if you will or won’t provide covered telecommunications equipment/services to the Government in the performance of a contract or subcontract.
  • Contract-level solicitations will include FAR provision 52.204-24, clause 52.204-25, and GSAR clause 552.204-70.
  • In responses to solicitations and orders under indefinite-delivery contracts, representation of FAR 52.204-24 is required when there is a high risk of inclusion of covered telecommunications equipment/services. (ibid)

Wondering how all this might affect your current contract or upcoming bid? Give us a call.

Refurbishing Fraud

Yeow! GSA will be removing refurbished technology from the Schedules as part of the upcoming consolidation. We can thank cybercriminals for this lovely change.

Individuals not associated with the government have been placing IT orders. They trick small businesses into shipping used hardware to empty warehouses, where the fraudsters collect the equipment and sell it on the black market. Meanwhile, they never pay the original bill.

Additionally, some equipment sold as refurbished has been discovered to be counterfeit, which of course doesn’t meet government standards. This leaves the purchasing agencies open to risk. (FEDSCOOP, August 21, 2019)

According to Lawrence Hale, a director within the GSA Federal Acquisition Service, fraudsters phish small businesses, and GSA cannot guarantee the origin of refurbished products. “It’s a supply chain attack.” The only way to stop it is to shut the SIN down. (ibid)

As GSA consolidates 24 of its Multiple Award Schedules into one on October 1, 2019, a request for information is seeking industry feedback on the supply and service categories and SINs into which the forthcoming solicitation will be split. (ibid)

Do you resell refurbished technology equipment to the government? Are you wondering how to provide feedback on the removal of SIN 132-9, which allows for the purchase of refurbished technology? Give us a call.