
Tag: sensitive data

Telework, the New (Temporary?) Norm

In a recent letter to her contracting staff, Soraya Correa, Homeland Security’s chief procurement officer, asked them to stay apprised of the COVID-19 outbreak before taking any trips. She is relying on the honor system for employees who must travel to “affected areas, to contact their managers prior to their return to discuss possible telework or leave options.” The same applies if they have been in close contact with a person “known to have COVID-19” or if airport screeners told them to self-quarantine after returning from overseas travel. Correa went on to say, “if contract performance is affected due to the COVID-19 situation, such as the need for alternate work locations, or travel or schedule changes, the contracting officer is the authority to discuss this with your company.” (FCW, March 9, 2020)

A spokesman for the Professional Services Council expects adjustments of this nature to become the new normal. He anticipates alternatives to how and where contracting personnel work, with programs that require a high level of security being prioritized. (ibid)

Federal agencies are already beginning to shake things up. One example is a recent notice on beta.SAM.gov, in which the Department of Defense suggested that attendees of its National Cyber Range Complex Event Planning, Operations, and Support contracting meeting in Florida next week have alternates at the ready. The notice also advised staying tuned, as the outbreak could cancel the event. (ibid)

Need help determining whether your contract may be at risk due to travel or work restrictions resulting from the virus outbreak? Give us a call.

Network Security Big and Small

As many companies have discovered, the Pentagon has increased network security requirements. Small companies are having a tough time with the new rules, as expected, but it appears larger companies are having issues as well. (Government Executive, December 3, 2019)

Some big companies are providing too much data to small subcontractors, which in turn leaves that data at risk from foreign hackers. Foreign hackers look to fifth- or sixth-tier subs, where the biggest “holes” are, to find information. (ibid)

In 2016, hackers stole sensitive data on the F-35 Joint Strike Fighter. This is just one of the many cases that prompted the Pentagon to issue new rules for handling sensitive information. By January 1, 2018, all companies doing business with the Pentagon were required to have a plan in place to meet the new standards. (ibid)

In the past, companies needed only to self-certify that they had a plan in place. Unfortunately, no one checked the plans, and the hacking ensued.

Multi-factor authentication and FIPS-validated encryption seem to be the two areas where companies are having the most trouble. Without both working properly, unauthorized access to secure systems is much easier.

The Pentagon warned contractors that they will lose business if they and their subcontractors do not meet the updated rules. However, full compliance does not by itself make a company safe from hackers. Individual companies must have an unobstructed view into their own networks, as well as ongoing, updated security measures from their subcontractors, in order to stay ahead of hackers.

Wondering whether you are meeting the Pentagon’s new security rules? We can help you figure it out; give us a call.

CMMC a Plus for Small Businesses?

Katie Arrington, on staff with the Undersecretary of Defense for Acquisition and Sustainment, believes nation-states are actively targeting small businesses digitally. And, she says, we are losing the battle against cyberattacks. (Fifth Domain, October 8, 2019)

According to Arrington, rivals cost the US an estimated $600 billion per year, and 5G will multiply that number exponentially by 2025. As a result, Arrington believes the Cybersecurity Maturity Model Certification (CMMC) is actually intended for small businesses. (ibid)

CMMC grades company cybersecurity on a scale of one (least secure) to five (most stringent). Small businesses must comply with a tiered rating structure, so a company offering cleaning services may need only comply with CMMC level one, while an engineering firm is held to level four.

Arrington says that CMMC levels the playing field. Old compliance standards allowed companies to perform their contracts while still working on their plan of action to become technically acceptable. This left sensitive systems that require additional security controls vulnerable and with weak spots. Many small businesses do not have the resources to obtain a high CMMC level, which ultimately limits competition in the marketplace; others fear the costs will be so high that small companies will be priced out of the marketplace, limiting their ability to compete for government contracts.

The most recent Navy breaches targeted contractors that held no classified information per se, but taken in total the data disclosed sensitive capabilities. This is exactly the problem the CMMC framework addresses. (ibid)

Requests for proposals are expected to include CMMC requirements as early as fall 2020.

Questions about CMMC requirements? Give us a call.