Cyber Security


Cybersecurity Challenges Facing the Nation – High Risk Issue

The federal government needs to take urgent actions to protect federal systems, the nation’s critical infrastructure, and individual’s privacy and sensitive data from cyber threats. [January 2021]

A continuing webinar series from WPI:

Cyber Fridays @ 11:00 – 12:00 – click below to register

The Cybersecurity and Infrastructure Agency is releasing a new tool to counter supply chain cyber threats. CISA’s new guidance, in partnership with NIST, is meant to counter the threat of supply chain cyber threats like the SolarWinds breach. [April 2021]

GovCon Expert Chuck Brooks: Top Cybersecurity Trends Impacting GovCon Industry – GovCon Wire Read More [April 2021]

CMMC board preps for staff changes [March 2021]

Cybersecurity Agency Takes Over Management of .Gov Domain – The official domain for .gov websites shifted from the government’s landlord to the government’s central cybersecurity shop. Management of the internet domain reserved for government agencies and services—the .gov domain—has officially shifted from the government’s landlord to its cybersecurity agency.

Last year, Congress enacted the DOTGOV Act as part of the fiscal 2021 appropriations bill, which put a stronger focus on securing .gov websites by, among other things, moving management of the domain under the purview of the Homeland Security Department’s Cybersecurity and Infrastructure Security Agency, or CISA. That move became official Monday.[March 2021]

DLA Intelligence publishes new controlled unclassified information policy — FORT BELVOIR, Va., Feb. 23, 2021 — Say goodbye to For Official Use Only. A Defense Logistics Agency policy published Jan. 28 by DLA Intelligence provides new guidance on labeling unclassified information that’s sensitive but doesn’t require classification. [March 2021]

WEAPON SYSTEMS CYBERSECURITY – Guidance Would Help DOD Programs Better Communicate Requirements to Contractors – GAO-21-179: Published: Mar 4, 2021. Publicly Released: Mar 4, 2021.

The Department of Defense has struggled to ensure its weapons systems can withstand cyberattacks. Since we last reported, DOD has taken some positive steps toward that goal, like conducting more cyber testing. But we found that DOD programs aren’t always incorporating cybersecurity requirements into contract language. And contractors are only responsible for meeting the terms written in a contract. Some contracts we reviewed had no cybersecurity requirements when they were awarded, with vague requirements added later. We recommended that DOD issue guidance on incorporating weapon systems cybersecurity requirements into contract language. [March 2021]

CMMC Accreditation Body must split to meet requirements of new contract. The third-party accreditation body implementing the Department of Defense‘s new cybersecurity standards for contractors will split into two entities to meet international standards mandated through a no-cost contract it signed with the department last fall. [February 2021]

SP 800-172 Published February 2021 – Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171

This publication provides federal agencies with recommended enhanced security requirements for protecting the confidentiality of CUI: (1) when the information is resident in nonfederal systems and organizations; (2) when the nonfederal organization is not collecting or maintaining information on behalf of a federal agency or using or operating a system on behalf of an agency; and (3) where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or government-wide policy for the CUI category listed in the CUI Registry. The enhanced requirements apply only to components of nonfederal systems that process, store, or transmit CUI or that provide security protection for such components when the designated CUI is associated with a critical program or high value asset. The enhanced requirements supplement the basic and derived security requirements in NIST Special Publication 800-171 and are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations. [February 2021]

The DoD has issued a final rule stating that the NISPOM will be codified in the CFR, effective February 24, 2021. The DoD will no longer issue DoD Manual 5220.22, and contractors will instead refer to the CFR to locate requirements for the protection of classified information. [January 2021]

Cybersecurity Challenges Facing the Nation – High Risk Issue

The federal government needs to take urgent actions to protect federal systems, the nation’s critical infrastructure, and individuals’ privacy and sensitive data from cyber threats. [January 2021]

(November 2020) Hack The Army 3.0 is set to begin. This third iteration, a collaboration between U.S. Army Cyber Command (ARCYBER), DDS, and the Army Network Enterprise Technology Command, will begin with participant registration and administration, followed by the active hacking phase that is scheduled to begin Dec. 14, 2020 and last until Jan. 28, 2021 or until funds are exhausted. ARCYBER officials are hoping to increase participation by military members, and are looking at ways to conduct more frequent bug bounty programs in the future. Learn More

Contractor Cybersecurity Requirements to affect primes, subs and suppliers

The Department of Defense issued an Interim Rule titled “Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041)” on Tuesday, September 29, 2020.

The rule’s effective date is November 30, 2020 and will likely affect current and future contractors interested in conducting business with the Department of Defense either as prime contractors or as a member of the Defense Industrial Base’s supply chain when solicitations include DFARS 252.204-7012. More information here.

Implementation of the Section 889(a)(1)(B) Prohibition on Contracting with Entities Using Certain Telecommunications and Video Surveillance Services or Equipment. The purpose of this memorandum is to facilitate implementation of interim FAR rule 2019-009, published on July 14, 2020, and effective on August 13, 2020.

The National Institute for Standards and Technology released the draft of NIST Special Publication 800-172 (“NIST SP 800-172”) on July 6, 2020. This draft special publication succeeds the prior draft NIST SP 800-171B that NIST published in June 2019, and operates as a supplement to the NIST SP 800-171 controls that federal contractors generally must comply with in order to transmit, process, and store Controlled Unclassified Information (“CUI”). [August 2020]

The National Security Agency released a Limiting Location Data Exposure Cybersecurity Information Sheet (CSI) today to guide National Security System (NSS) and Department of Defense (DoD) mobile device users on how they might reduce risk associated with sharing sensitive location data. The guide summarizes how and why mobile devices expose location data and explains potential risk that comes with using them. It provides mitigations to limit the sharing of this information, but warns there is no solution to fully mitigate a mobile device from being located. [August 2020]

Multi-Factor Authentication Replaces Digital Certification and PIN Requirements for Signing Mass Mods on Aug. 8, 2020. Attention contract holders! Updates to GSA’s IT infrastructure mean changes to the way you access our Mass Mod Portal.

NIST Special Publication 800-171 Revision 2 – Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations [Feb 2020]

This publication has been developed by NIST to further its statutory responsibilities under the Federal Information Security Modernization Act (FISMA), 44 U.S.C. § 3551 et seq., Public Law (P.L.) 113-283. NIST is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems. Such information security standards and guidelines shall not apply to national security systems without the express approval of the appropriate federal officials exercising policy authority over such systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130.