DoD's New Cybersecurity Requirements For Contractors
by Berenzweig Leonard, LLP | Jun 30, 2020 | Government Contracts
Starting in September, the Department of Defense will require bidders on DoD contracts to meet higher cybersecurity requirements, and bidders will no longer be able to self-certify their compliance. Below are high-level questions to guide you through what you need to know.
What Are These Higher Cybersecurity Requirements?
The higher cybersecurity requirements are set out in the Department of Defense's new Cybersecurity Maturity Model Certification (CMMC) framework. The framework is intended to be incorporated into the Defense Federal Acquisition Regulation Supplement (DFARS) and used as a requirement for all Department of Defense contract awards. CMMC will serve as a verification mechanism to ensure that appropriate levels of cybersecurity practices and processes are in place across the entire DoD supply chain.
DoD contractors must be certified at one of the five levels and must meet the contract's required level at the time of bid submission. The CMMC level required depends on the type and sensitivity of the information flowed down from the prime contractor and/or the government customer. The DoD will designate the required certification level for each contract when it releases the solicitation.
A CMMC Third Party Assessment Organization (C3PAO) will verify whether a government contractor's internal processes and procedures meet the cybersecurity requirements of the level appropriate for its business.
New Cybersecurity Requirements For Government Contractors
Effective June 15, 2016, a rule published by the US Department of Defense, General Services Administration, and National Aeronautics and Space Administration requires federal government contractors to apply 15 basic cybersecurity safeguarding requirements and procedures to protect their information systems. All of the safeguarding requirements are drawn from the security requirements published in the National Institute of Standards and Technology's Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.
Report Cyber Security Incidents Early And Often
Contractors should inform the Australian Cyber Security Centre (ACSC) of any cyber security incident that could threaten Australian Government information. Seeking assistance early can mitigate or contain a potentially dangerous and embarrassing compromise. When the ACSC is informed immediately, it can provide assistance without delay, which helps safeguard Australian Government information.
B. Objectives Of And Legal Basis For The Rule
This rule establishes a requirement for contractors to have a current NIST SP 800-171 DoD Assessment and the appropriate CMMC level certification prior to contract award and during contract performance. The objective of the rule is to provide the Department with (1) the ability to assess, at a corporate level, a contractor's implementation of the NIST SP 800-171 security requirements, as required by DFARS clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, and (2) assurance that a Defense Industrial Base (DIB) contractor can adequately protect sensitive unclassified information at a level commensurate with the risk, accounting for information flow down to its subcontractors in a multi-tier supply chain.
1. NIST SP 800-171 DoD Assessment Methodology
The NIST SP 800-171 DoD Assessment Methodology provides a means for the Department to assess contractor implementation of these requirements as the Department transitions to full implementation of the CMMC, and a means for companies to self-assess their implementation of the NIST SP 800-171 requirements prior to either a DoD or CMMC assessment.
2. The CMMC Framework
VIII. Paperwork Reduction Act
The Paperwork Reduction Act of 1995 provides that an agency generally cannot conduct or sponsor a collection of information, and no person is required to respond to nor be subject to a penalty for failure to comply with a collection of information, unless that collection has obtained OMB approval and displays a currently valid OMB Control Number.
DoD requested, and OMB authorized, emergency processing of the collection of information tied to this rule, as OMB Control Number 0750-0004, Assessing Contractor Implementation of Cybersecurity Requirements, consistent with the PRA's emergency processing provisions.
DoD has determined the following conditions have been met:
a. The collection of information is needed prior to the expiration of time periods normally associated with a routine submission for review under the provisions of the PRA, to enable the Department to immediately begin assessing the current status of contractor implementation of NIST SP 800-171 on their information systems that process CUI.
Upon publication of this rule, DoD intends to provide a separate 60-day notice in the Federal Register requesting public comment for OMB Control Number 0750-0004, Assessing Contractor Implementation of Cybersecurity Requirements.
DoD estimates the annual public reporting burden for the information collection as follows:
Feeling Stressed About DFARS Cybersecurity Compliance?
Did you know that Totem knows first-hand how stressful these cybersecurity requirements are for government contractors? Totem was born from our parent company, Haight Bey and Associates, a small DoD prime contractor. Even with cybersecurity as one of our core capabilities, the NIST 800-171 regulation left us scrambling to comply with limited resources. After months of searching without finding a good solution, we decided to start our compliance journey in-house. It didn't take long before our contracting peers were reaching out to us for help. We quickly found that we had a strong passion for keeping small businesses compliant so they could continue their work with the DoD. This was the start of our Totem offerings.
Now, with the introduction of the Cybersecurity Maturity Model Certification alongside the NIST 800-171 cybersecurity requirement, we are finding that government contractors are even more stressed and confused. With decades of experience securing government IT systems and managing our own NIST 800-171 compliance, we are dedicated to simplifying these cybersecurity requirements for you.
Secure Enough To Contract With The Australian Government?
For most businesses, winning a government contract is a big deal. Months of tender writing and meetings are about to pay off. But is a lack of cyber security putting your hard work and contract at risk? And if you win the contract, are your IT systems safe from professional hackers looking for a back-door into government systems?
The Australian Government, through the Australian Cyber Security Centre (ACSC), has warned contractors about a significant increase in cyber activity being reported by government contractors in Australia and overseas. The ACSC noted that contractors have become high-priority targets for cyber activities.
One example is Australian defence shipbuilding contractor Austal, which announced in November 2018 that its Australian business had detected a breach of the company's data management system by an unknown offender.
As more information becomes digital and is shared with third-parties, the threat to government contractors and subcontractors is increasing.
Privacy Requirements For Government Contractors
To help control cyber security risks, the Australian Government requires that any organisation which enters into a contract with an Australian Government agency is subject to the Privacy Act, the Notifiable Data Breaches scheme and the Australian Privacy Principles. Importantly, these privacy obligations extend beyond contractors to subcontractors.
For most organisations with an annual turnover of $3 million or less, the Privacy Act does not usually apply. However, this is not the case when the organisation is or was a party to a Commonwealth contract.
If there is a breach of the Privacy Act, the Office of the Australian Information Commissioner has extensive powers to obtain information and to take evidence under oath. If the breach has caused irreparable damage or complaints cannot be conciliated, the Commissioner can impose a variety of penalties, including financial compensation.
Fortress & Govmates Teaming Helps Small And Emerging Businesses Navigate Complex Cyber & Regulatory Environment
Orlando, FL, September 23, 2021 - Today Fortress Information Security and govmates, a technology scouting platform, launched a partnership to improve supply chain cybersecurity for companies providing products and services to the federal government. Pairing Fortress's ability to identify, flag, and provide data to support remediation of supply chain vulnerabilities with govmates' approach to collaboration and rapid identification of innovative technologies, the partnership will help small and emerging businesses safely and profitably compete in the national security industrial space.
"Presently, the federal government, large integrators, and traditional defense primes rely more and more on partners and subcontractors for critical products and services. Information, communications, and operational technology users rely on interconnected systems to provide solutions to business and government challenges alike. The resultant outcome is an increased vulnerability to network intrusions, hacks, and more sophisticated cyber-attacks. When a supply chain is compromised, its security can no longer be trusted. This has become one of the most significant challenges facing government and business leaders in the current market."
– Stephanie Alexander, govmates
- John Cofrancesco, VP for Government, Fortress Information Security.
Specific Requirements For Contractors
In recent years, several federal agencies, including the Department of Defense and NASA, have issued acquisition regulations that impose new cybersecurity requirements on contractors. The top five requirements that your organization should be familiar with are listed below:
1. Federal Information Security Modernization Act
2. FAR 52.204-21
3. DoD Defense Federal Acquisition Regulation Supplement clause 252.204-7012
4. NIST 800-171
5. The emerging CMMC requirement for defense contractors
Given the highly technical nature of each one of these regulations, policies, and emerging trends, it is important to review each one of these subjects in detail.
What Do These Cybersecurity Requirements Look Like For Prime Government Contractors
The vast majority of, if not all, DoD prime contractors process some sort of Controlled Unclassified Information (CUI) and must abide by these cybersecurity requirements. Prime contractors (primes) have historically had a difficult time extracting from their DoD program management offices exactly what information is considered CUI. That's because the DoD hasn't adopted the CUI process as efficiently as it could have.
For a while, it was up to the primes to guess what information was considered CUI. Of late, however, DoD contracting officers have begun including language in solicitations and contracts specifying what information is considered CUI. It currently looks like the cybersecurity requirement for government contractors possessing CUI will be CMMC Level 3, 4, or 5.
When the process is perfected, all contracts will include a Security Classification Guide (SCG) or equivalent, which dictates classification, marking, and handling requirements for all information types processed under the contract. If, as a prime, your contract does not currently provide an SCG, ask for one; it's the DoD's duty to provide it.
New Cyber Guidelines Out For Government Contractors
NOTE: This story first appeared on FCW.com.
It’s no secret that foreign nations have recognized that one of the best pathways to hacking and stealing U.S. government technology is by targeting its industrial base. Foreign countries are targeting and compromising U.S. contractors so frequently that the Department of Defense asked the National Institute of Standards and Technology to develop custom security guidance to address the problem.
A draft version of that new guidance publicly released June 19 lays out 31 new recommendations for contractors to harden their defenses and protect unclassified government data that resides on their networks from advanced persistent threats or government-sponsored hackers. Such data can range from Social Security numbers and other personally identifying information to critical defense program details.
The recommendations include implementing dual-authorization access controls for critical or sensitive operations, employing network segmentation where appropriate, deploying deception technologies, and establishing or employing threat-hunting teams and a security operations center to continuously monitor system and network activity.
In addition to the NIST guidelines, DoD has also taken steps to increase participation in information sharing programs and has rolled out new cybersecurity certification standards for its contractor base in recent months.
Cybersecurity Executive Order Establishes Framework To Strengthen Cybersecurity Elements Of Federal Government Contracts
The Situation: On May 12, 2021, President Biden issued an “Executive Order on Improving the Nation’s Cybersecurity,” which calls for “bold” and extensive action designed to update and standardize requirements and procedures relating to cybersecurity and Federal Government contracts.
The Result: The Executive Order establishes an aggressive and detailed plan for rapidly strengthening the ability of the Federal Government and its contractors to detect and respond to cyber incidents.
Looking Ahead: Federal Government contractors should anticipate a swift rollout of proposed changes and updates to cybersecurity requirements and be prepared to meet these new requirements as they are released.
In the wake of persistent and increasingly sophisticated malicious cyber attacks, President Biden issued an “Executive Order on Improving the Nation’s Cybersecurity” aimed at strengthening cybersecurity in the public and private sectors. As part of this effort, the Executive Order sets forth a framework and specific guidelines for updating and standardizing cybersecurity requirements and procedures relevant to Federal Government contractors. This summary focuses on those directives.
The Executive Order establishes three parallel tracks designed to strengthen and standardize cybersecurity requirements in connection with Federal Government contracts.
Sharing Cyber Threat Information and Collaborating with Response Agencies
Standardization of Cybersecurity Contract Language
Minimizing Cyber Risks For Our Clients And Partners
As technology becomes even more critical to the acquisition process, cybersecurity is at the forefront of everyone's mind. Booz Allen is taking steps to ensure that our data and internal systems are protected and compliant with applicable laws and regulations. We must also ensure that data within our subcontractors' control, and data transmitted by our subcontractors to others, is protected and compliant with those same laws and regulations.
It is critical that our subcontractors can protect all forms of sensitive data. As a firm, we are taking a proactive approach to minimize cybersecurity risks to our national security and government clients. Prime contractors that are not compliant with these cybersecurity requirements risk losing future contract awards, as well as possible impacts to existing contracts.
It is imperative that our suppliers are aware of the requirements related to DFARS 252.204-7012, NIST SP 800-171, and the Cybersecurity Maturity Model Certification process.
Cybersecurity Maturity Model Certification
The Cybersecurity Maturity Model Certification program is a multi-level process to verify that DoD cybersecurity requirements have been implemented. All entities within the defense supply chain will be required to hold at least a Level 1 certification, issued through the CMMC Accreditation Body (CMMC-AB) and its accredited assessors, by 2026. Any entity that handles DoD controlled unclassified information will need at least a Level 3 certification.
Don’t Miss: Polk County Fl Forclosure
A Gov’t Contractor’s Road Map To Biden Cybersecurity Order
The order will affect developers, resellers and users of software, extending well into the commercial marketplace.
Following input from industry in the coming months, expect new NIST guidelines on software supply chain security by November, within 180 days of the executive order. Throughout this summer, expect significant attention to key definitions and standards, including the definition of critical software.
Within one year of the executive order, in mid-May 2022, designated agencies shall recommend to the FAR Council new rules regarding software security, including certification requirements. Following those FAR amendments, agencies shall begin removing noncompliant software from what federal agencies may purchase.
There can be little doubt that this executive order is an ambitious use of executive power to address a serious and continuing threat to our national security. While the devil is in the details, and the rollout will take some time, government contractors and their suppliers should plan ahead and take advantage of the opportunity to evaluate their exposure, comment on the rulemaking, and prepare to bring to bear the resources they will need to operate in a new compliance environment.
A Gov’t Contractor’s Road Map to Biden Cybersecurity Order, by Justin A. Chiarodo and Sharon R. Klein, was published in Law360 on June 11, 2021.
Top Five Cybersecurity Requirements For Government Contractors
The General Services Administration (GSA) is responsible for managing a myriad of IT security programs, which help government agencies implement IT policies that promote public safety and enhance the resiliency of the government's systems and networks. To do business with the federal government, or with any branch of government for that matter, it is important first to understand the guiding principles and regulations in place.
The FAR, the Federal Acquisition Regulation, serves as the uniform policy and procedure for acquisition by all executive agencies. It traces its origins to the 1947 Armed Services Procurement Regulation and was codified in Title 48 of the Code of Federal Regulations in 1984 to create a uniform structure across federal agencies. The FAR has recently been subject to significant changes to reflect and implement recent legislation.
Cybersecurity threats are ever-growing in today's marketplace, and it is especially important for your organization to be aware of emerging trends. Federal contractors, rather than the executive agencies themselves, are often the targets of attacks because of their access to federal information, data, and software. Just last month, a Customs and Border Protection subcontractor was hacked, exposing traveler photos and license plate images and drawing criticism from CBP, GSA, and the United States Congress.
Cybersecurity Recap For Government Contractors Part 1 Of 4: Biden's Cybersecurity Executive Order
As 2021 draws to a close, we wanted to share a recap of some of the most important cybersecurity developments we covered this past year along with some suggestions on what companies should expect in 2022. This is part one of a four-part series.
On May 12, the Biden Administration issued its much anticipated Executive Order on Improving the Nation's Cybersecurity, which, with over 55 deliverables, has been the driving force behind many of our updates this year. In addition to many internal government initiatives, the EO calls for new data security and incident reporting regulations, publication of requirements for secure software development practices, and establishment of criteria for consumer labeling programs for software and Internet of Things devices.
Putting it into Practice: What to expect in 2022: The next EO deliverables are due in February 2022 and relate to solidifying practices for enhancing the security of the software supply chain and publishing criteria for the software and IoT consumer labeling programs. Additionally, companies that do business with the federal government should keep an eye out for new proposed rules that will likely increase the instances in which information about cyber threats and incidents must be shared with the Government by certain providers.