Skip to content Skip to left sidebar Skip to right sidebar Skip to footer

Cybersecurity

CMMC RFI

The Department of Defense (DoD) has issued a request for information for the “long-term implementation, functioning, sustainment, and growth” of the Cybersecurity Maturity Model Certification (CMMC). (FedBizOps.gov, October 3, 2019)

Last month, DoD issued version 0.4 of the CMMC. Contractors may now see the cybersecurity standards required when working on projects with controlled but unclassified information. CMMC will assist DoD to secure more than 300,000 organizations. (Fed Scoop, October 4, 2019)

The accreditation body does not directly perform the assessments but manages third-party organizations that do. It is  a nonprofit that utilizes “revenues generated through dues, fees, partner relationships, conferences, etc.” to fund the work.  The deadline to submit feedback is October 21, 2019. (FedBizOps.gov ibid)

We’d be glad to discuss this RFI with you. Just give us a call.

Time to Uncover Some Chinese Equipment

Recently, GSA sent a letter to contractors explaining the new FAR interim rule regarding supply chain security, which went into effect last month. The rule prohibits federal agencies from procuring, obtaining, extending, or renewing a contract to procure or obtain “any equipment, system, or service that uses covered telecommunications equipment or services  as a substantial or essential component of any system or as critical technology as part of any system.” (Acquisition.gov)

Covered equipment encompasses telecommunications and video surveillance products and services by Hauwei Technologies Company, ZTE Corporation, Hytera Communications Corporation, Hikvision Digital Technology Company, or Hahua Technology Company, or any company that the head of a relevant federal agency reasonably believes is controlled by the government of the Peoples Republic of China.

The interim rule:

  • Prohibits contractors from providing covered telecommunications services/equipment unless an exception or waiver is granted
  • Mandates every offeror represent whether it will provide covered telecommunications equipment/services as part of its offer, and if that is the case, the offeror must provide details about the covered equipment or services
  • Requires contractors to report any covered equipment/services throughout the life of the contract. (ibid)

At the same time, the FAR interim rule went into effect, GSA issued a class deviation. This essentially takes a risk-based approach to the new FAR interim rule by limiting the representation requirement for GSA funded orders to the indefinite-delivery contract level. The deviation necessitates the following:

  • At all times requires an order-level representation for acquisition vehicles that carry a “high risk” of including covered telecommunications equipment or services.
  • Must have an order-level representation for all orders that could include information technology or communications technology under all GSA acquisitions.
  • The creation of a GSA Acquisition Regulation (GSAR) representation clause, requiring the GSAR and FAR reporting clauses in all new and ongoing GSA contracts.
  • Initiates GSA specific implementation targets for modification of existing contracts.
  • Simplifies the application of Section 889 of the NDAA to other GSA program areas. (ibid)

The interim rule affects ALL contractors. As a contractor, you are responsible for determining whether covered telecommunications equipment/services will be provided under both new and existing contracts and orders.

Below is some fundamental information to help you prepare as GSA puts into place the interim rule and class deviation:

  • FAS contracting activity will issue a mod requiring you to respond to incorporate FAR clause 52.204-25 and GSAR clause 552.204-70.
  • Your mod response must delineate if you will or will not provide covered telecommunications equipment/services in the performance of any contract, subcontract, order, or any other contractual instrument.
  • The substance of FAR clause 52.204-25 must be inserted into all subcontracts.
  • You must report any covered telecommunication equipment or services you discover during the course of contract performance.
  • For new GSA solicitations, you are required to represent at the contract level if you will or won’t provide covered telecommunications equipment/services to the Government in the performance of a contract or subcontract.
  • Contract level solicitations will include FAR provision 52.204-24, clause 52.204-25and GSAR clause 552.204-70.
  • In responses to solicitations and orders under indefinite-delivery contracts, representation of FAR 52.204-24 is required when there is a high risk of inclusion of covered telecommunications equipment/services. (ibid)

Wondering how all this might affect your current contract or upcoming bid? Give us a call.

Refurbishing Fraud

Yeow! GSA will be removing refurbished technology from the Schedules as part of the upcoming consolidation. We can thank cybercriminals for this lovely change.

Individuals not associated with the government have been placing IT orders. They trick small businesses into sending used hardware to empty warehouses, where they remove the equipment and sell it on the black market. Meanwhile, they never pay the original bill.

Additionally, some of the equipment has been discovered as counterfeit — which of course doesn’t meet government standards — as refurbished. This leaves the purchasing agencies open to risk. (FEDSCOOP, August 21, 2019)

According to Lawrence Hale, a director within the GSA Federal Acquisition Service, fraudsters phish small businesses, and GSA cannot guarantee the origin of refurbished products. “It’s a supply chain attack.” The only way to stop it is to shut the SIN down. (ibid)

As GSA consolidates 24 of its Multiple Award Schedules into one on October 1, 2019, a request for information is looking for industry feedback on supply and service categories and SINs that the forthcoming solicitation will be split into. (ibid)

Do you resell refurbished technology equipment to the government? Are you wondering how to provide feedback on the removal of SIN 132-9, allowing for the purchase of refurbished technology?  Give us a call.

Line Item: Cybersecurity

We knew it would eventually happen. DoD is finally looking to permit cybersecurity costs as “allowable” on certain types of government contracts. (Federal News Network, June 2019)

Katie Arrington, the special assistant to the Assistant Secretary of Defense for Acquisition for Cyber in the Office of the Under Secretary of Acquisition and Sustainment in DoD, recently spoke at the Professional Services Council (PSC) gathering in Virginia. Ms. Arrington is the lead for the DoD effort to develop and institutionalize the new Cybersecurity Maturity Model Certification (CMMC) standard for vendors. She told attendees that she wants to enact a legitimate standard for cybersecurity allowable costs. (ibid)

During a recent webinar, Arrington spoke about cyber attacks and the need for the defense industrial base to defend themselves against nation-state attacks. DoD is aiming at not just it’s 200,000 prime contractors but all vendors (approximately 300,000) that comprise the DoD supply chain. (ibid)

Arrington is working with the Johns Hopkins University Applied Physics Lab and Carnegie Mellon University’s Software Engineering Institute to generate initial requirements. The draft will require DoD vendors to be certified through third-party assessment organizations. The standard incorporates existing requirements from NIST, the Federal Risk Authorization Management Program (FedRAMP), and other models.  (ibid)

Arrington expects DoD to carry out 12 webinars across the country over the summer. She aims to receive feedback from industry experts with a draft standard by the end of summer and third-party assessors to start certifying vendors in January. (CMMC requirements will be added to requests for information by June of 2020 and become a standard in solicitations by September 2020.) (ibid)

According to Alan Chvotkin, senior vice president and general counsel for PSC, the certification of contractors will be a very competitive discriminator in the marketplace. His main concern is whether DoD will only certify the big six contractors and what is going to take place for the prime and a subcontractor. (ibid)

Congress recognizes that risks to the supply chain need to be reduced. The Senate version of the 2020 National Defense Authorization Act, includes a provision requiring DoD to move to a broader cybersecurity standard with its contractors. Currently, DoD mandates defense contractors meet the requirements of NIST Special Publication 800-171; however, there is no current audit for compliance. Oversight of subcontractors by prime contractors is also a reasonable concern as is the lack of information available on subcontractors. The committee feels prime contractors should be held responsible and accountable for securing DoD technology and sensitive information and ultimately delivering uncompromised products and capabilities. This is seen as a first step in securing the supply chain. (ibid)

The Senate Armed Services Committee (SASC) believes DoD should provide direct technical assistance to contractors, based on risk, and in such a way as to not harm the industrial base while at the same time providing incentives/penalties for non-compliance of vendors’ cyber performance. DoD is being asked to provide the SASC with a briefing by March of 2020 and quarterly briefings on how the standard is being implemented by both vendors and the DoD. (ibid)

Although security has always been an allowable overhead cost, it will now be used as an incentive to get vendors to more quickly align themselves to the CMMC standard. The incentive doesn’t force companies to trade off security for other expenses. It appears the government will offer some reimbursement for some share of the cost, hopefully bringing all vendors up to the same level. (Firm-fixed-price contracts do not fall under the allowable cost umbrella in the same manner, as cyber is counted as general overhead in the final cost to the government.) (ibid)

Eager to learn a little more about the cyber standard and how it might affect your current contract or an upcoming bid? Give us a call at 301-913-5000.

 

 

We See the Future and it is … Single Sign On

By now you’ve likely heard of Single Sign On (SSO). It’s not exactly new, and it’s currently used by just a few agencies, but it is the wave of the future as agencies move to more cloud-based apps. In fact, 6 U.S. Code § 1523(b)(1)(D), a provision of law governing federal cybersecurity regulations, states that agency heads must “implement a single sign-on trusted identity platform for individuals accessing each public website of the agency that requires user authentication.” This provision was created by GSA working with the Department of Homeland Security. (FedTech, May 24, 2019)

What exactly is SSO? SSO allows a user to sign in one time with one high-strength password and access all that specific user’s authorized applications. With SSO, a user need not memorize a different password for each and every application they access. SSO uses the Security Assertion Markup Language protocol that gives the user the ability to log on once for affiliated but separate websites. According to Tracy David, a cloud client executive at CDW, SSO uses “highly complex encrypted keys, which the end user has no access to view or change.” Ultimately, this makes for a much higher level of security for each agency. (ibid)

At this time, you must log in to each app with a different password. More often than not, passwords across applications are similar (if not the same) and easily remembered. This weakens the security level of the agency as stolen credentials account for roughly 80 percent of breaches. With SSO, you have one complex, single-sign-on password protected with multi-factor authentication.  (ibid)

Many agencies are still using on-premises SSO, which will be more difficult as apps move to the cloud. Insiders believe that the Defense Department’s forthcoming Joint Enterprise Defense Infrastructure cloud contract signals cloud adoption becoming the “norm” in government.

Questions about how this affects your current government contract, or how you might work with the government on SSO Technology? Give us a call at 301-913-5000.