Defense Cybersecurity: Protecting Controlled Unclassified Information Systems

The Department of Defense (DOD) has reported implementing more than 70 percent of four selected cybersecurity requirements for controlled unclassified information (CUI) systems, based on GAO’s analysis of DOD reports (including a June 2021 report to Congress) and data from DOD’s risk management tools. These selected requirements include (1) categorizing the impact of loss of confidentiality, integrity, and availability of individual systems as low, moderate, or high; (2) implementing specific controls based in part on the level of system impact; and (3) authorizing these systems to operate. As of January 2022, the extent of implementation varied for each of the four requirement areas. For example, implementation ranged from 70 to 79 percent for the cybersecurity maturity model certification program DOD established in 2020, whereas it was over 90 percent for authorization of systems to operate.

The Cyber Incident Reporting for Critical Infrastructure Act of 2022: An Overview

The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), signed into law by President Biden in March 2022 as part of the Consolidated Appropriations Act of 2022, will require companies operating in critical infrastructure sectors to report covered cyber incidents within 72 hours of the companies’ reasonable belief that a cyber incident has occurred and report ransom payments within 24 hours after a payment is made.

When Agencies Should Settle for Less: Brand Name Bid Protests

U.S. agencies regularly tell prospective contract bidders that they must provide a certain brand name product in their proposals—or that only one supplier has the right item—resulting in some companies claiming to be unfairly excluded from competing.

A recent Government Accountability Office decision upholding a defense agency’s request for hollow pins used in Army helicopters made by Boeing Co. illustrates how agencies get leeway on brand name restrictions.