New Cybersecurity Certification Requirements

The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) recently released its Cybersecurity Maturity Model Certification (CMMC). DoD stakeholders, University Affiliated Research Centers (UARCs), Federally Funded Research and Development Centers (FFRDCs) and the Defense Industrial Base (DIB) all had a hand in developing the CMMC model. This model measures cybersecurity maturity using five levels (from basic to advanced) and aligns a set of processes and practices with the type and sensitivity of the information to be protected and any associated threats to that information. (CMMC Model v1.0, January 30, 2020)

DoD’s CMMC enhances the protection of:

  • Federal Contract Information (FCI) provided or generated by the government, but not intended for public release
  • Controlled Unclassified Information (CUI), which requires safeguarding or dissemination consistent with laws, regulations and government-wide policies. (ibid)

The CMMC model includes the safeguarding requirements for FCI spelled out in FAR clause 52.204-21 and the security requirements for CUI stated in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 per DFARS clause 252.204-7012 [3,4,5].

Included in the CMMC model is a certification piece verifying that the processes and practices used to measure cybersecurity maturity have actually been implemented. This is intended to give the DoD assurance that contractors and subcontractors can protect CUI at a level commensurate with the risk. (ibid)

To obtain a full overview of the CMMC Model, domains, practices, and processes, please review the Cybersecurity Maturity Model Certification.

Have questions about the effect on your current contract or one in the works? Give us a call.

Wanna Connect a Hybrid Cloud?

The Department of Defense (DoD) wants a hybrid cloud environment to serve as the cornerstone for department-wide use of artificial intelligence. The Joint Artificial Intelligence Center (JAIC) issued two sources sought notices to all businesses that can provide system engineering and integration “to support the procurement, implementation, and operation of a hybrid and multi-cloud deployable development and production platform for Artificial Intelligence and Machine Learning (AI/ML) solutions.” (Fedscoop, November 25, 2019)

This hybrid cloud environment will form the basis of the Joint Common Foundation (JCF), a DoD/Government AI/ML development platform containing Data, Tools, and Processes. JCF will include shared data, reusable tools, frameworks, and standards. Additionally, it will include cloud and edge services to develop, secure, test and evaluate, deliver, and sustain capabilities. “The JCF will incorporate the architecture and software artifacts of the Enterprise Development, Security and Operations (DevSecOps) initiative and evolve toward enabling the DoD Artificial Intelligence Strategy.” (ibid)

Prospective vendors must answer specific questions about past experience integrating multiple cloud providers at scale with continuous development and integration while meeting security compliance standards. A solicitation conference will be held in early 2020, followed by a request for quotation, and award by the end of September 2020.

The award of JCF will move swiftly. Give us a call if we can answer any questions or assist with your proposal efforts.

Network Security Big and Small

As many companies have discovered, the Pentagon has increased network security requirements. Small companies are having a tough time with the new rules, as expected, but it appears larger companies are having issues as well. (Government Executive, December 3, 2019)

Some big companies are providing too much data to small subcontractors, which in turn leaves those subcontractors at risk from foreign hackers. Foreign hackers look to fifth- or sixth-tier subcontractors, where the biggest “holes” are, to find information. (ibid)

In 2016, hackers stole sensitive data on the F-35 Joint Strike Fighter. This is just one of the many cases that prompted the Pentagon to issue new rules for handling sensitive information. By January 1, 2018, all companies doing business with the Pentagon were required to have a plan in place to meet the new standards. (ibid)

In the past, companies needed only to self-certify that they had a plan in place. Unfortunately, no one checked the plans, and the hacking ensued.

Multi-factor authentication and FIPS-validated encryption seem to be two areas where companies are having a great deal of trouble. Without these working properly, unauthorized access to secure systems is much easier.

The Pentagon warned contractors that they will lose business if they and their subcontractors do not meet the updated rules. However, full compliance does not make a company safe from hackers. Individual companies must have an unobstructed view into their own networks as well as ongoing, updated security measures from their subcontractors in order to stay ahead of hackers.

Wondering if you are meeting the Pentagon’s new security rules? We can help you figure it out, give us a call.

Cybersecurity Knowledge for Free

Who should understand cybersecurity? According to the Department of Homeland Security, everyone. Whether or not you work in IT, a basic understanding of cybersecurity is necessary. Now, thanks to the National Security Agency (NSA) and Penn State University, you can learn online at no charge. (Federal News Network, October 11, 2019)

NSA and Penn State, as part of an undertaking directed by the Department of Homeland Security, have created an online course to educate people on cybersecurity operations, law, and policy. The course is geared toward non-lawyers, and no technical background is required. It can be taken as a whole or in modules, and anyone interested in the course can teach it as well as take it. It is offered through the Clark Center, alongside a variety of other cybersecurity courses.

The course begins with an overview of the U.S. government and the legal system and how they operate, providing a legal framework around cyber operations and cybersecurity. It gives similar overviews of technology concepts, then steps into the legal foundations for modern cyber law and policy, focusing on the Constitution and the Bill of Rights and their application to these concepts.

The third and final module reviews cyber operations. This is taught as a cyber threat response framework using real-world cases to keep students engaged. Many examples are taken from actual current events and show how domestic law, national security, and technology intersect. (ibid)

Wondering if you should brush up on your cyber education? Give us a call and we can discuss it with you.

CMMC a Plus for Small Businesses?

Katie Arrington, on staff with the Undersecretary of Defense for Acquisition and Sustainment, believes nation-states are actively targeting small businesses digitally. And, she says, we are losing the battle against cyberattacks. (Fifth Domain, October 8, 2019)

According to Arrington, rivals cost the US an estimated $600 billion per year and 5G will multiply that number exponentially by 2025. As a result, Arrington believes the cybersecurity maturity model certification (CMMC) is actually intended for small businesses. (ibid)

CMMC grades company cybersecurity on a scale of one (least secure) to five (most stringent). Small businesses must comply with a tiered rating structure, so a company offering cleaning services may need to comply only with CMMC level one, while an engineering firm is held to level four.

Arrington says that CMMC levels the playing field. Old compliance standards allowed companies to perform their contracts while still working on their plan of action to become technically acceptable. This left sensitive systems that require additional security controls vulnerable and with weak spots. Many small businesses do not have the resources to obtain a high CMMC level, ultimately limiting competition in the marketplace; others fear the costs will be so high that small companies will be priced out of the marketplace, limiting their ability to compete on government contracts.

The most recent Navy breaches targeted contractors that did not hold classified information per se, but taken in total the data disclosed sensitive capabilities. This is exactly what the CMMC framework addresses. (ibid)

Requests for proposals are expected to include CMMC requirements as early as fall 2020.

Questions about CMMC requirements? Give us a call.