Archives: Cybersecurity

DoD Announces the Cybersecurity Maturity Model Certification (CMMC) Initiative

The Department of Defense (“DoD”) recently announced the development of the “Cybersecurity Maturity Model Certification” (“CMMC”), a framework aimed at assessing and enhancing the cybersecurity posture of the Defense Industrial Base (“DIB”), particularly as it relates to controlled unclassified information (“CUI”) within the supply chain. The Office of the Under Secretary of Defense for Acquisition … Continue Reading

NIST Announces and Seeks Public Comment on 800-171 Update and Related Documents

On June 19, 2019, the National Institute of Standards and Technology (“NIST”) announced the long-awaited update to Special Publication (“SP”) 800-171 Rev. 1, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, which includes three separate but related documents.… Continue Reading

Senate Armed Services Subcommittee on Cybersecurity Holds Hearing to Discuss the Responsibilities of the Defense Industrial Base

On March 26, 2019, the Senate Armed Services’ Subcommittee on Cybersecurity held a hearing to receive testimony assessing how the Department of Defense’s (“DOD”) cybersecurity policies and regulations have affected the Defense Industrial Base (“DIB”). To gain a better understanding of the DIB’s cybersecurity concerns, the Subcommittee invited William LaPlante, Senior Vice President and General … Continue Reading

Keeping Up With DoD Cybersecurity Compliance Demands

(This article was originally published in Law360 and has been modified for this blog.) On Jan. 21, 2019, Ellen Lord, the Under Secretary of Defense for Acquisition and Sustainment, issued a memorandum focused on assessing contractor compliance with the DFARS cyber clause via audits of a Contractor’s purchasing system.[1]  One intent of this guidance is … Continue Reading

Senate Reintroduces IoT Cybersecurity Improvement Act

On March 11, 2019, a bipartisan group of lawmakers including Sen. Mark Warner and Sen. Cory Gardner introduced the Internet of Things (IoT) Cybersecurity Improvement Act of 2019. The Act seeks “[t]o leverage Federal Government procurement power to encourage increased cybersecurity for Internet of Things devices.” In other words, this bill aims to shore up … Continue Reading

DoD Continues to Up the Ante on Cybersecurity Compliance for Contractors

Compliance with the security controls in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 is only the beginning for contractors that receive controlled defense information (CDI) in performance of Department of Defense (DoD) contracts and subcontracts.  Faced with an evolving cyber threat, DoD contractors have experienced an increased emphasis on protecting DoD’s … Continue Reading

Jumping to Exclusions: New Law Provides Government-Wide Exclusion Authorities to Address Supply Chain Risks

On the eve of the recent government shutdown over border security, Congress and the President were in agreement on a different issue of national security:  mitigating supply chain risk.  On December 21, 2018, the President signed into law the Strengthening and Enhancing Cyber-capabilities by Utilizing Risk Exposure Technology Act (the “SECURE Technology Act”) (P.L. 115-390).  … Continue Reading

DoD Issues Final Guidance for Assessing Contractor Compliance with NIST SP 800-171

The Department of Defense (DoD) recently issued final guidance for requiring activities to assess contractors’ System Security Plans (SSPs) and their implementation of the security controls in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.  A draft of this guidance was made available for public comment in April 2018.  As noted in … Continue Reading

How Well Do You Know Your Supply Chain? New Policy Developments Affect Defense and Security Contractors

This post first appeared on Covington’s Global Policy Watch blog on September 7, 2018. Generating and sustaining the United States’ global economic and military superiority over more than the last half century has depended on a dominant U.S. global economic position and perpetual technological innovation. The United States has increasingly relied on a global industrial … Continue Reading

2018 DoD Cyber Strategy: The DoD Defends Forward While the DIB Must Defend its Cyber Practices

The Department of Defense (“DoD”) recently released the summary of its cyber strategy for 2018.  The 2018 DoD Cyber Strategy, which replaces the DoD’s 2015 cyber strategy, is focused broadly on “defending forward,” shaping day-to-day competition, and preparing for conflict.  But the strategy includes items that are sure to be of interest to contractors and … Continue Reading

NIST to Host CUI Information Security Workshop

The National Institute of Standards and Technology (NIST), in coordination with the Department of Defense (DoD) and the National Archives and Records Administration (NARA), will host a Workshop providing an overview of Controlled Unclassified Information (CUI) on October 18, 2018. The agenda for the Workshop shows a full day of panels, including those addressing DoD’s “Safeguarding Covered Defense Information … Continue Reading

Senate Armed Services Committee Proposes Expansive but Unclear Software Review Provisions

As the Senate approaches the end of its debate on the National Defense Authorization Act for Fiscal Year 2019, provisions of the bill regarding access to and review of information technology code deserve close attention.  These sections, if enacted, would significantly impact Department of Defense contractors and also would affect matters associated with investments subject … Continue Reading

Draft DoD Guidance on SSPs and NIST SP 800-171 – Impact on Bid Protests and Ongoing Contract Performance

On April 24, 2018, the Department of Defense (DoD) issued a Notice and Request for Comment on draft guidance that DoD proposes for assessing contractors’ System Security Plans (SSPs) and their implementation of the security controls in NIST Special Publication (SP) 800-171. This includes assessments as part of source selection decisions and during contract performance. DFARS … Continue Reading

Department of Homeland Security Secretary Kirstjen Nielsen Proposes “More Forward-Leaning Posture” for Federal Government in Cybersecurity

On April 17, 2018, Department of Homeland Security (DHS) Secretary Kirstjen Nielsen delivered a keynote address at the RSA Conference.  A copy of her prepared remarks is available here.  Secretary Nielsen’s remarks highlighted efforts by DHS to address the evolving cybersecurity threats to our country’s critical infrastructure. Secretary Nielsen set the stage by describing the … Continue Reading

NIST Releases Updated Cybersecurity Framework

Pursuant to Executive Order 13636, the National Institute of Standards and Technology (“NIST”) established the Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, a technology-neutral, voluntary, risk-based cybersecurity framework that includes standards and processes intended to align policy, business, and technological approaches to addressing cybersecurity risks. Four years later, NIST has released an updated version … Continue Reading

NIST Seeks to Assist Contractors in Assessing SP 800-171 Compliance

Late last month, the National Institute of Standards and Technology (“NIST”) released a set of documents for public comment that are aimed at helping contractors assess and implement compliance with NIST Special Publication (“SP”) 800-171, which establishes the standards for protecting Covered Defense Information (“CDI”), among other forms of Controlled Unclassified Information (“CUI”). First, NIST … Continue Reading

DHS Cybersecurity Legislation Advances Through Capitol Hill

Earlier this week, both chambers on Capitol Hill took steps that would increase the Department of Homeland Security’s (DHS) role in the area of cybersecurity.  On the Senate side, the Senate Homeland Security and Governmental Affairs Committee approved a DHS reauthorization bill that included amendments to rename and reorganize the DHS National Protection and Programs … Continue Reading

Latest NIST Draft Report a Call to Action for Federal Agencies and Private Companies

Inflection Point for IoT: In a relatively short amount of time, the adoption of the Internet of Things (IoT) and its applications — from smart cars to the myriad of interconnected sensors in the General Service Administration building reminiscent of HAL 9000 from 2001: A Space Odyssey — has rapidly proliferated, providing significant opportunities and … Continue Reading

DFARS Cyber Rule – What Questions Should Contractors Ask Themselves in the New Year?

[The referenced article was originally published in Law360.] Since August 2015, defense contractors have been on notice that they were required to implement the security controls in National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171 no later than December 31, 2017 on covered contractor information systems. Although the focus has been on meeting … Continue Reading

NIST Holds Webcast to Discuss Updates to Cybersecurity Framework

On December 20, 2017, the National Institute of Standards and Technology (“NIST”) held a live webcast to discuss the draft updates to the Framework for Improving Critical Infrastructure Cybersecurity (“the Cybersecurity Framework”) and the Roadmap for Improving Critical Infrastructure Cybersecurity (“the Roadmap”). Although the webcast is not currently available online, NIST plans to publish a … Continue Reading

NIST Releases Updated Draft of Cybersecurity Framework

On December 5, 2017, the National Institute of Standards and Technology (“NIST”) announced the publication of a second draft of a proposed update to the Framework for Improving Critical Infrastructure Cybersecurity (“Cybersecurity Framework”), Version 1.1, Draft 2. NIST has also published an updated draft Roadmap to the Cybersecurity Framework, which “details public and private sector … Continue Reading

NIST Releases New Draft Publication Designed to Assist Contractors In Assessing Compliance with NIST SP 800-171

Ahead of the upcoming December 31, 2017 deadline for federal defense contractors to implement National Institute of Standards and Technology (“NIST”) Special Publication 800-171 (“SP 800-171”), NIST has released a new draft publication designed to assist organizations in assessing compliance under SP 800-171, Draft Special Publication 800-171A, Assessing Security Requirements for Controlled Unclassified Information (“CUI”) … Continue Reading

DoD Class Deviations Allow for Greater Contracting Flexibility in Times of Crisis

The Department of Defense (“DoD”) has issued two Class Deviations that provide defense agencies with greater flexibility when procuring in times of crisis. These Class Deviations allow for the use of simplified acquisition procedures and excuse certain procurement obligations when DoD is responding to a cyber-attack or providing relief in support of domestic or international … Continue Reading