Cyber Security

A continuing webinar series from WPI:

Cyber Fridays @ 11:00 – 12:00 – register at www.wispro.org 


CMMC Accreditation Body must split to meet requirements of new contract. The third-party accreditation body implementing the Department of Defense’s new cybersecurity standards for contractors will split into two entities to meet international standards mandated through a no-cost contract it signed with the department last fall. https://www.fedscoop.com/cmmc-ab-requirements-sow-training-assessing/ [February 2021]


SP 800-172 Published February 2021 – Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171

This publication provides federal agencies with recommended enhanced security requirements for protecting the confidentiality of CUI: (1) when the information is resident in nonfederal systems and organizations; (2) when the nonfederal organization is not collecting or maintaining information on behalf of a federal agency or using or operating a system on behalf of an agency; and (3) where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or government-wide policy for the CUI category listed in the CUI Registry. The enhanced requirements apply only to components of nonfederal systems that process, store, or transmit CUI or that provide security protection for such components when the designated CUI is associated with a critical program or high value asset. The enhanced requirements supplement the basic and derived security requirements in NIST Special Publication 800-171 and are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations. https://csrc.nist.gov/publications/detail/sp/800-172/final [February 2021]


The DoD has issued a final rule stating that the NISPOM will be codified in the CFR, effective February 24, 2021. The DoD will no longer issue DoD Manual 5220.22, and contractors will instead refer to the CFR to locate requirements for the protection of classified information. https://www.federalregister.gov/documents/2020/12/21/2020-27698/national-industrial-security-program-operating-manual-nispom [January 2021]


Cybersecurity Challenges Facing the Nation – High Risk Issue

The federal government needs to take urgent actions to protect federal systems, the nation’s critical infrastructure, and individuals’ privacy and sensitive data from cyber threats. https://www.gao.gov/key_issues/ensuring_security_federal_information_systems/issue_summary [January 2021]


Hack The Army 3.0 is set to begin. This third iteration, a collaboration between U.S. Army Cyber Command (ARCYBER), DDS, and the Army Network Enterprise Technology Command, will begin with participant registration and administration, followed by the active hacking phase that is scheduled to begin Dec. 14, 2020 and last until Jan. 28, 2021 or until funds are exhausted. ARCYBER officials are hoping to increase participation by military members, and are looking at ways to conduct more frequent bug bounty programs in the future. [November 2020]


Contractor Cybersecurity Requirements to affect primes, subs and suppliers

The Department of Defense issued an Interim Rule titled “Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041)” on Tuesday, September 29, 2020.

The rule takes effect November 30, 2020 and will likely affect current and future contractors interested in conducting business with the Department of Defense, either as prime contractors or as members of the Defense Industrial Base’s supply chain, whenever solicitations include DFARS 252.204-7012.


Implementation of the Section 889(a)(1)(B) Prohibition on Contracting with Entities Using Certain Telecommunications and Video Surveillance Services or Equipment. The purpose of this memorandum is to facilitate implementation of interim FAR rule 2019-009, published on July 14, 2020, and effective on August 13, 2020.


The National Institute for Standards and Technology released the draft of NIST Special Publication 800-172 (“NIST SP 800-172”) on July 6, 2020. This draft special publication succeeds the prior draft NIST SP 800-171B that NIST published in June 2019, and operates as a supplement to the NIST SP 800-171 controls that federal contractors generally must comply with in order to transmit, process, and store Controlled Unclassified Information (“CUI”). [August 2020]


The National Security Agency released a Limiting Location Data Exposure Cybersecurity Information Sheet (CSI) today to guide National Security System (NSS) and Department of Defense (DoD) mobile device users on how they might reduce the risk associated with sharing sensitive location data. The guide summarizes how and why mobile devices expose location data and explains the potential risks that come with using them. It provides mitigations to limit the sharing of this information, but warns that no solution fully prevents a mobile device from being located. [August 2020]


Multi-Factor Authentication Replaces Digital Certification and PIN Requirements for Signing Mass Mods on Aug. 8, 2020. Attention contract holders! Updates to GSA’s IT infrastructure mean changes to the way you access our Mass Mod Portal.


NIST Special Publication 800-171 Revision 2 – Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations [Feb 2020]

This publication has been developed by NIST to further its statutory responsibilities under the Federal Information Security Modernization Act (FISMA), 44 U.S.C. § 3551 et seq., Public Law (P.L.) 113-283. NIST is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems. Such information security standards and guidelines shall not apply to national security systems without the express approval of the appropriate federal officials exercising policy authority over such systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130.