
Cybersecurity

Self-Assess No More

Cybersecurity for Department of Defense (DoD) contractors is an ongoing issue. DoD is now issuing an interim rule to implement an Assessment Methodology and the Cybersecurity Maturity Model Certification framework. This will assess contractor implementation of cybersecurity requirements and enhance the protection of unclassified information within the DoD supply chain. (Federal Register, DFARS Case 2019-D041 Action: Interim Rule)

The current self-attestation against NIST Special Publication (SP) 800-171 is not working because DoD does not verify it. Until the implementation of the interim rule, DoD had no mandate to verify a contractor's basic safeguarding or security requirements prior to contract award. This regulation changes that. The interim rule adds a process for contractors to implement cybersecurity requirements. This is to be accomplished while the DoD's Cybersecurity Maturity Model Certification (CMMC) and the procedures with the Accreditation Body (AB) are solidified. (Meritalk, September 28, 2020)

Questions about how the new rule will affect your contract or upcoming bid and what you can expect? Give us a call.

What Brand is Your Telcom and Video?

Section 889 of the FY 2019 National Defense Authorization Act was passed to fight national security and intellectual property threats to the United States. The legislation includes two prohibitions, Part A and Part B. (GSA Section 889 Industry Focused Flyer, GSA.gov, July 16, 2020)

Part A, which became effective on August 13, 2019, bans telecommunications/video surveillance equipment made by the following companies:

  • Huawei Technologies Company
  • ZTE Corporation
  • Hytera Communications Corporation
  • Hangzhou Hikvision Digital Technology Company
  • Dahua Technology Company

Part A can be found in the Federal Acquisition Regulation (FAR) at FAR subpart 2.1.

Part B, effective 13 August 2020, prohibits the government from contracting with any organization that uses equipment or services of any of the companies listed under Part A. Part B applies whether or not that usage is in performance of work under a Federal contract. In other words, if you use equipment or services from any of the banned companies in the fulfillment of a non-government contract, you will be prohibited from working with the government. All contractors must verify whether they do or do not use prohibited telecommunications/video surveillance equipment or services. Part B has been added to the Federal Acquisition Regulation (FAR) at FAR subpart 4.21. (ibid)

GSA recommends that companies complete an in-depth review of all in-house technology to rule out the use of the companies banned under Part A. If prohibited equipment or services are being used, companies that wish to continue doing business with the government must eliminate them. GSA does not take responsibility for changes contractors make unless they are made through a modification to a current contract.

However, two possible waiver procedures with extremely high standards are available. The standards are high to ensure waivers are not used to get "around" the prohibitions.

GSA is modifying all solicitations, Indefinite Delivery Vehicles (IDVs), GWACs, and other IDIQ contracts, to include Section 889 Part B requirements immediately. These requirements will be added to GSA’s existing non-IDV contracts as those contracts have their periods of performance extended.

GSA is hosting the following events so that industry may obtain additional guidance:

  1. The GSA Office of Small Business Utilization webinar on Section 889, July 30, 2020, 2:00 p.m. EST, registration may be found here.
  2. GSA recorded virtual webinar August 12, 2020, at 1:00 p.m. EST, registration forthcoming. This webinar will include leaders from GSA’s business lines explaining how they are implementing Section 889 into their business lines and panelists will answer pre-collected questions. (Questions may be sent to gsaombudsman@gsa.gov to arrive by COB August 5, 2020.) (ibid)

GSA recommends that vendors study the tools and publications to aid their understanding and compliance, as provided in Acquisition.gov.

Not certain if your contract is affected by Section 889 Part B and if so, what you can do? Give us a call.

Updating Govt Cloud Security

Cloud vendors will soon see standardized security liability language in all government contracts. This is partly because the pandemic and the resulting increase in teleworking accelerated agencies' migration to the cloud, making cybersecurity assurances essential. (Nextgov, May 20, 2020)

Thomas Santucci, the director of the Data Center and Cloud Optimization Infrastructure Program Management Office at GSA, recently elaborated on the subject, “I think there is a need to update our [service level agreements] with the cloud providers and we’re actively working on that within [the General Services Administration]…. OMB has just stood up a [program management office] to work on a cloud SLA template for the federal government to be attached to every contract.” (ibid)

When referring to the pandemic, Santucci said, “Users are now remote rather than in a central building or campus. Agencies that are doing well are mostly in the cloud with little or no impact. Remote users do not need a [virtual private network] to gain access to their emails or files, collaboration products have significantly reduced file duplicates, and bandwidth consumption is between the home internet connection and the cloud. It’s a great success story.” (ibid)

Officials at the National Institute of Standards and Technology (NIST) believe moving to the cloud does not mean security is a "one and done" feature. There are many considerations that customers may be responsible for under their contracts. Increased use of cloud services does not mean those services are 100 percent secure.

Rep. Doris Matsui, D-California, recently wrote to NIST Director Walter Copan, requesting that NIST work to establish metrics to accompany its Cybersecurity Framework. The framework allows entities to implement security controls based on their needs. Matsui's letter to Copan asked for ways to evaluate the security implications of those decisions. Matsui states, "with quantifiable measurement tools, cybersecurity strategies can be compared across industries and between entities. Metrics and measurements that facilitate comparisons and assess risk will be valuable for consumers, companies, and governments." (ibid)

Wondering how your contract or upcoming proposal might be impacted by cloud migration and updated service level agreements? Give us a call.

CMMC Coming to Solicitations

Cybersecurity Maturity Model Certification (CMMC) requirements may show up in solicitations within six months. (GOVCONWire, May 12, 2020)

A Department of Defense spokesperson expects about 10 DoD RFIs in June to include the new requirements. She said, “As we release the RFIs, we’ll have the certified and trained auditors who will be able to go out to industry and certify companies at the level of maturity required for the work that they’re bidding on.” (ibid)

Additionally, changes to the Defense Federal Acquisition Regulation Supplement 252.204-7012 should be finalized by October. “You will not see the CMMC in any Department of Defense contracts or RFPs until the rule change is completed.” (ibid)

Questions on the Cybersecurity Maturity Model Certification and whether you can bid on upcoming solicitations? Give us a call.

CMMC not for COTS

A recent modification to DoD’s website spells out a small but very specific change about the Cybersecurity Maturity Model Certification (CMMC): it’s not applicable to DoD suppliers that only provide commercial-off-the-shelf products. (FedScoop, May 5, 2020)

Originally, DoD and CMMC administrators explained that all contractors and subcontractors must be certified under CMMC by a third-party assessor. However, a few weeks ago, the Office of the Under Secretary of Defense for Acquisition and Sustainment changed the official website. The revised FAQ section states: "Companies that solely produce Commercial-Off-The-Shelf (COTS) products do not require a CMMC certification." (ibid)

CMMC is in place to certify that contractors have the cybersecurity practices needed to work with controlled unclassified information; it does not certify the products themselves. (ibid)

Wondering if CMMC applies to the products and or services you provide? Give us a call.