Posts Tagged DOD

NIST and DFARS and Cyber Compliance! (oh my)

You have doubtless heard and read all about the looming requirement for all Department of Defense contractors to become compliant with the Defense Federal Acquisition Regulation Supplement (DFARS) minimum security standards, derived from NIST SP 800-171 Rev 1, by Dec 31, 2017, or else risk losing their contracts.  DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, will be a mandatory clause in all contracts except for contracts solely for the acquisition of COTS items.

This requirement applies to any DoD contractor, subcontractor, and supplier ALL THE WAY DOWN THE SUPPLY CHAIN that processes, stores, or transmits Controlled Unclassified Information (CUI). Not just security contractors. Not just companies that have clearances. Not even just IT contractors.  If you have a landscaping business and you are performing work at a DOD facility, and have access to blueprints that are or may be considered CUI, you're subject to this requirement.  CUI includes the categories outlined in the NARA CUI Registry, but as you can probably imagine, is not limited to that. Your government customer can identify additional categories and data, and you as a contractor should err on the safe side and identify potential CUI so that you can protect and segregate it just in case.

Note: civilian-agency contractors are not subject to this requirement (there are only 15 security controls outlined in FAR clause 52.204-21, compared to the 110 requirements of NIST SP 800-171 Rev 1 that the DFARS clause invokes), but that may be changing to harmonize the civilian compliance requirements with the more complete set that the DOD/DFARS adopted.

Ultimately, it is the contractor's responsibility to determine whether it has implemented NIST SP 800-171 (as well as any other security measures necessary to provide adequate security for covered defense information).   Third-party assessments or certifications of compliance are not required, authorized, or recognized by DoD, nor will DoD certify that a contractor is compliant with the NIST SP 800-171 security requirements.

The protections required for government information depend on the information DoD is protecting and the kind of system on which the information is processed or stored.

There is no single or prescribed manner in which a contractor may choose to implement the requirements of NIST SP 800-171, or to assess its own compliance with those requirements.  For companies new to the requirements, a reasonable first step is for company personnel with knowledge of their information systems security practices to read through the publication, examining each requirement to determine whether it requires a change to company policy or processes, a configuration change to existing company information technology (IT), or an additional software or hardware solution.

Some resources and tools to help you determine whether you're subject to the requirement, and what you can do next:

  1. DOD Office of Small Business Cyber resources and news – especially the 49-minute video and the presentation slides
  2. DOD Procurement Toolbox – Cyber security section (including how to approach evaluating each requirement)
  3. Georgia Tech PTAC 20-min Instructional Video
  4. A handy presentation [from a law firm] that translates the major requirements into easy-to-understand terms
  5. The Safeguarding Covered Defense Information one-pager to ease you into the basics.
  6. The Cybersecurity Evaluation Tool (CSET), which provides a systematic, step-by-step approach for evaluating an organization's security posture across its control system and IT network security practices.  The tool lets you select a standard (e.g. NIST SP 800-171); CSET then generates questions specific to those requirements and presents you with assessment results.
  7. A self-assessment guide for when you're ready for the deep dive
  8. OSD Memorandum: DPAP Guidance for DoD Acquisition Personnel that instructs DOD buyers how to implement and evaluate vendor cyber compliance (and since it’s going to be an evaluation factor in source selection, you need to know what your customers expect).
  9. For subcontractor and supplier reference – Lockheed Martin’s notice to its supply chain that you may find informative and applicable regardless of who your prime is.
  10. And if you heard the rumors of possible delay and were wondering if they have merit — sadly, no.

PTAP counselors can help you walk through these steps. While we're not technical experts on network security, we can help you walk through the self-assessment and determine what steps you need to take to bring your business up to compliance.

Department of Defense Waiving SAM registration requirements for emergency response vendors

Due to the emergency situation caused by the hurricanes, contracting offices are using their authority to waive the requirement for SAM registration in purchases that directly support the emergency response.  If you're helping a vendor who is not yet registered in SAM but needs a CAGE code, the expedited process instructions are below.

(information on selling to disaster response agencies)

Subject: Obtaining CAGE codes for vendors responding to the Hurricanes

Hello everyone – obviously we expect that there will be many offices responding to the hurricanes with emergency purchases where SAM registration is waived per FAR 4.1102(a)(3)(iii) and part 18.102.  We want to get the below instructions out for how you can still help your vendors obtain CAGE codes (if they don’t already have one) that are required per FAR 4.1804 for other than micro-purchase actions:

1 – Go to https://cage.dla.mil

2 – Choose ‘Request or Update a CAGE Code’ and hit Begin on the next page

The user will then be taken through a series of pages where they provide the data necessary to set up a CAGE code, but before they get to those elements, they have to answer a few more questions.  In order for the CAGE website not to just direct them to go register in SAM, the users need to answer exactly as follows:

  1. Question – Do you have a registration for this same entity in process at System for Award Management (SAM)?  Answer – No
  2. Question – Do you plan to receive contract payments or grants from the U.S. Government?  Answer – No
  3. Question – Are you a NON-U.S. entity (government or commercial)?  Answer – No (note – if the entity really is foreign, answer Yes, but realize that the user will be directed to contact his/her home country codification bureau)
  4. Question – Are you requesting a new CAGE Code?  Answer – Yes
  5. Question – Do you have a previous business?  Answer – No
  6. Question – Please choose your Entity Type   Answer either – (1) U.S Commercial Company/Firm, Organization or Government Entity (non-federal) OR (2) Sole Proprietor Business
  7. Question – Please choose a Primary Purpose for this CAGE   Answer – Other
  8. Question – Please describe the primary purpose for this CAGE  Answer – Provide Urgent Hurricane Irma Support (or Harvey or Jose as appropriate)

From here on, the user is just providing their name, address, etc. information.  Should be simple from here.

Be aware – when a user requests a CAGE code be established via this method (instead of through registering in SAM), it goes into manual processing at DLA in Battle Creek.  It’s very important that the user enter ‘hurricane’ in the purpose field after they choose other.  The CAGE team is going to search for that term in each request that comes in and move those to the top to be worked.

For non-GPC actions, it's important that the vendor get a CAGE code assigned and that it be included in the contract when it's distributed, to ensure that their eventual payment is streamlined and not held up for manual action.  Note also that without a valid CAGE code, an action will fail Procurement Data Standard (PDS) validations.

If these are going to be on-going contracts (such as reconstruction), it would behoove the vendors to eventually actually get registered in SAM (they can use the CAGE code that will be assigned in this process when they do so) even if they’re not technically required to do so because the contract was initially exempted due to the emergency.  Being registered in SAM will just make the whole invoicing and payment processes run a bit smoother if the contract lasts for a while.

Lisa Romney, Defense Procurement and Acquisition Policy Office of Acquisition Technology and Logistics

No, you can’t just “Apply” to the Mentor Protege Program

The long-anticipated, much applauded, expanded SBA All Small Mentor Protege Program is here.

So what?  What does it mean to your small business?   How do you take advantage of it?

Well, let’s talk about the mechanics.

A Mentor Protégé Program (MPP) agreement is an agreement between, typically, a large business (mentor) and a smaller business (protégé) whereby the mentor provides:

  • Management and Technical Assistance
  • Financial Assistance
  • Contracting Assistance
  • Trade Education
  • Business Development Assistance
  • General and/or Administrative Assistance

(source: SBA)

to the protégé, essentially investing resources into the company's growth and infrastructure.  It's not a direct government-to-small-business program: there's no application that small businesses fill out to 'get in' – but there is a checklist.  It's an agreement between two businesses that is regulated and approved by either the SBA (for civilian agencies) or the DOD. (Note: the DOD Mentor Protégé Program was NOT affected by the new SBA rule – DOD has its own.)

The reasons large businesses are incentivized to become mentors are:

  1. Civilian agencies – 'credit' program: agencies will give "credit" to mentors when considering them for awards.  This can also help mitigate gaps in the mentor's subcontracting requirements. Depending on the agreement, mentors can also get credit if their protégé wins work independently (because the implication is that the mentor's help was instrumental in getting the company ready).
  2. DOD – reimbursement agreements: DOD does credit agreements too, but some DOD agencies will give dollars directly to the mentor to invest in the protégé.  The financial benefit is obvious to both – the mentor isn't spending internal resources helping the protégé, but rather the DOD's money.

Epilogue: how can we help?  Virginia PTAP's affiliated organization, the George Mason Mentor Protégé Program (Mason MPP), helps mentors execute and manage the agreements. Mason MPP starts with a needs assessment of the proposed team (note: they do not do "matchmaking" or find a mentor for a business), then crafts an agreement that will pass the government agency's muster (all MPP agreements have to be approved by a federal agency).  Then Mason MPP will help deliver the technical assistance on the mentor's behalf.