CyberSecurity

Cybersecurity Assessment Requirements for Federal Contractors

OVERVIEW

On September 29, 2020, the US Department of Defense (DoD) released the highly anticipated interim rule (“Interim Rule”) amending the Defense Federal Acquisition Regulation Supplement (DFARS) to implement the DoD Assessment Methodology and Cybersecurity Maturity Model Certification (CMMC). This new Interim Rule is effective November 30, 2020, in advance of promulgation of a future final rule. (DFARS Case 2019-D041; 85 FR 61505.)

IN DEPTH

NEW INTERIM COMPLIANCE OBLIGATION: COMPLIANCE CERTIFICATION UNDER NIST 800-171

The most significant change in the Interim Rule is the introduction of a new obligation for federal contractors to either self-certify or obtain a third-party assessment to certify contractor compliance with cybersecurity requirements. Pursuant to the Interim Rule, beginning November 30, 2020, all contractors and subcontractors who accept contracts containing DFARS clause 252.204-7012 will need to comply with the National Institute of Standards and Technology (NIST) Assessment Methodology for initial assessments, and update those assessments every three years.

This framework expands on existing requirements for federal contractors, as set forth by DFARS Clause 242.204-7012 and NIST Special Publication (SP) 800-171.

NIST SP 800-171 ASSESSMENT METHODOLOGY

The NIST Assessment Methodology is designed to enable the federal government to assess its prime contractors and for the prime contractors to assess their subcontractors.

To qualify for new contract awards after the implementation date of the Interim Rule, contractors and subcontractors are required to have an assessment on record within the last three years (or more recently for certain contracts). (Interim Rule, 85 FR at 61506.)

The methodology provides for three types of assessments. (Assessment Methodology at 3-5.)

  • Basic. Basic Assessments are self-assessments performed by the contractor or the subcontractor against the 110 controls of NIST SP 800-171. A Basic Assessment provides only a minimum level of confidence in the resulting score because it


Ongoing Vigilance and Improvements Characterize the State of Cybersecurity in 2020, New CompTIA Report Finds

DOWNERS GROVE, Ill., Oct. 1, 2020 /PRNewswire/ — Organizations are building confidence that their cybersecurity practices are headed in the right direction, aided by advanced technologies, more detailed processes, comprehensive education and specialized skills, new research from CompTIA finds.

Eight in 10 organizations surveyed for CompTIA’s State of Cybersecurity 2020 report said their cybersecurity practices are improving.

At the same time, many companies acknowledge that there is still more to do to make their security posture even more robust. Growing concerns about the number, scale and variety of cyberattacks, privacy considerations, a greater reliance on data and regulatory compliance are among the issues that have the attention of business and IT leaders.

Two factors – one anticipated, the other unexpected – have contributed to the heightened awareness about the need for strong cybersecurity measures.

“The COVID-19 pandemic has been the primary trigger for revisiting security,” said Seth Robinson, senior director for technology analysis at CompTIA. “The massive shift to remote work exposed vulnerabilities in workforce knowledge and connectivity, while phishing emails preyed on new health concerns.”

Robinson noted that the pandemic accelerated changes that were underway in many organizations that were undergoing the digital transformation of their business operations.

“This transformation elevated cybersecurity from an element within IT operations to an overarching business concern that demands executive-level attention,” he said. “It has become a critical business function, on par with a company’s financial procedures.”

As a result, companies have a better understanding of what to do about cybersecurity. Nine in 10 organizations said their cybersecurity processes have become more formal and more critical. Two examples are risk management, where companies assess their data and their systems to determine the level of security that each requires; and monitoring and measurement, where security efforts are continually tracked and new metrics are


Contractors Seek Clarity On DOD Cybersecurity Rule

Law360 (September 29, 2020, 10:28 PM EDT) — Defense contractors are grappling with a new rule requiring them to implement cybersecurity programs that leaves crucial questions unanswered, including the exact information companies will be required to safeguard and how the new obligations will be worked into contracts.

The interim rule, formally published by the U.S. Department of Defense on Tuesday, explains how contractors will be assessed for compliance with the Cybersecurity Maturity Model Certification framework, the DOD’s plan that will eventually attach minimum cybersecurity requirements to all of its contract solicitations.

Improving cybersecurity standards across the DOD’s supply chain is intended to help better protect “controlled unclassified information” and…

Stay ahead of the curve

In the legal profession, information is the key to success. You have to know what’s happening with clients, competitors, practice areas, and industries. Law360 provides the intelligence you need to remain an expert and beat the competition.

  • Access to case data within articles (numbers, filings, courts, nature of suit, and more.)
  • Access to attached documents such as briefs, petitions, complaints, decisions, motions, etc.
  • Create custom alerts for specific article and case topics and so much more!

TRY LAW360 FREE FOR SEVEN DAYS


DOD Rule Requires Contractors To Focus On Cybersecurity

Law360 (September 28, 2020, 10:25 PM EDT) — All defense contractors and subcontractors will be required to implement cybersecurity programs under a rule issued by the U.S. Department of Defense on Monday as part of a plan to attach minimum cybersecurity requirements to all Pentagon contracts.

The interim Defense Federal Acquisition Regulation Supplement rule broadly sets out the standards that contractors must meet to be certified under the Cybersecurity Maturity Model Certification framework, a pending overhaul to how the DOD handles cybersecurity across its procurements.

“CMMC is designed to provide increased assurance to the department that a [defense industrial base] contractor can adequately protect sensitive unclassified information such as…


Cyber-Security Companies As Military Contractors?

As identity theft continues to grow, so does the business surrounding it. Companies like LifeLock are becoming a sort of cyber defense contractor, one might say. These cyber security companies are going to become the Blackwaters or Academis of the future. With the recent 2016 U.S. election producing claims of Russian involvement in altering voting machines, and going back to North Korea’s alleged hacking of Sony Pictures, there is enormous potential for profit in the latest cyber defense. The U.S. military has even opened up a branch within the Army Corps. Apparently the U.S. Army has been waging global cyber warfare against hackers for many years now, according to Paul Szoldra of Business Insider.

Companies from Root 9B in Colorado Springs, Colorado to DF Labs in Lombardy, Italy are in the business of protecting the individual in cyberspace, just as Academi does for individuals in the physical dimension. This will likely drive a heavy emphasis on cyber war between nations in the future. Where there is money in conflict, there will be conflict for the money.

We may be in the beginning stages of a global cyber war with countries like Russia, North Korea, and even China. This will make for an ideal environment for these cyber contractors worldwide to exploit their talents in cyberspace and gain government contracts, locking in profits and increased market share. While the U.S. military seeks out the best (white-hat) hackers in order to protect U.S. cyberspace, the cyber security companies are doing the same, locking in the talent so as to be one step ahead of rogue hackers from all corners of the world.

Another interesting aspect which may arise is conflict between these cyberspace contractors, which may go toe to toe with one another over their opposing clients. Cyber …