Information security maturity has never been more important. In the wake of the COVID-19 pandemic, the catalyzation of digital transformation and the ripple effects on businesses ensuring a strong cyber security posture and risk management program is essential for the new year. Too often, organizations will turn to technology investments to help enhance their security, however, as technologies have become increasingly capable, we are seeing that there is no way to use technology to protect against human error. Regulations are beginning to reflect this realization; with the Cybersecurity Maturity Model Certification (CMMC) being a landmark standard that incorporates both process and practice maturity when gauging the maturity level of a Department of Defense contractor’s security program.

Accounting for People and Process as well as Technology

As we move into a new year, organizations are still working to support the new paradigm of work that the pandemic ushered in. Specifically, security and risk teams have been working to update policies and procedures to support the rapid rise of remote work (a trend on the horizon but much like other trends accelerated by the pandemic,…

Read More…

The Defense Information Systems Agency will outsource most network management, cybersecurity, and technical services functions serving 22 at Defense Department agencies to a single contractor , according to a final request for proposals released on Dec. 8.

Defense Enclave Services, with its massive scope and implications for the future of the Pentagon’s IT acquisition strategy, is the subject of this week’s Top 20 Opportunities. The contract will have a maximum dollar value of $11.7 billion over a possible 10-year lifespan.

DISA officials had planned to release the final RFP in September, but delayed the process to give DOD chief information officer Dana Deasy time to complete a review of the program. The agency intends to evaluate bids throughout the spring and summer of 2021 and make an award decision in the first quarter of fiscal 2022.

Potential bidders have until Feb. 8 to respond to the RFP.

4th Estate Network Modernization

DES will serve as the primary vehicle for the Pentagon’s planned 4th Estate Network Optimization (4ENO) program, referring to the 22 civilian-led agencies, collectively known as the “fourth estate.” They include DISA, the Defense Logistics…

Read More…

Defense

Making software more than ‘IT thing’

• By Lauren C. Williams
• Nov 15, 2020

 

Software modernization has a branding problem, and it’s going to take more than the colloquial culture shift to speed up the Defense Department’s adoption of modern tech capabilities.

“Part of the marketing of this is to make sure that being good at software escapes the domain of IT people and really gets thought of in the context of making us more effective at warfighting,” Peter Ranks, the deputy CIO for information enterprise, told FCW.

“The real challenge for the leadership, I think, is not to just latch on to the tech piece of this, but to really be willing to dig in and have the sustained focus to kind of impact culture,” Ranks said.

But the bureaucracy isn’t built for software’s rapid development, increased demand and security needs — something that played a major role during the Defense Department’s response to tech needs spurred by the pandemic and teleworking.

“We’ve…

Read More…

As military and defense industry leaders came together in October for the AUSA Annual Meeting & Expo, they learned about the new and innovative systems available to the nation’s military. Many of these systems will be smart, connected weapons, which give our fighters a greater advantage on the battlefield. But they also pose serious cybersecurity risks that must be addressed. 

Indeed, in a report released by the Government Accountability Office nearly two years ago, it was revealed that DOD security researchers gained access to nearly all major weapons systems currently in use and under development. Once, because the system was still using the default password visible through an open-source search. In another instance, researchers were able to disable an entire weapons system without detection, later to learn the system crashed so often on its own that it was difficult for officials to detect a breach. Perhaps most concerning is that one test team found that only one of 20 previously identified vulnerabilities had been fixed. 

These are shocking lapses in cyber hygiene that could have real-world consequences. These weaknesses should not be difficult to address; changing the…

Read More…

As companies and organizations evaluate their attack surface, they know to look at their own systems and infrastructure to defend against threats and manage vulnerabilities. However, what about their critical partners and the supply chain? With up to 80% of cyber-attacks now beginning in the supply chain, breaches at even the smallest vendors can have big consequences for enterprise level operations. The problem of supply chain cybersecurity has become so pressing that the United States Department of Defense is rolling out the Cybersecurity Maturity Model Certification (CMMC) as a means to help secure the defense industry. Prime contractors and subcontractors will have to achieve CMMC compliance to do business as part of a DoD contract. The Primes are also expected to take a greater responsibility to ensure that subcontractors are implementing the appropriate security practices and compliance with the DoD standard.

One problem in securing the supply chain is where the organizational responsibility lies. Many different departments of an enterprise work with the supply chain and other critical partners, but there’s no one person or team held accountable.

Corporate legal may…

Read More…

The DoD Reporter’s Notebook is a weekly summary of personnel, acquisition, technology and management stories that may have fallen below your radar during the past week, but are nonetheless important. It’s compiled and published each Monday by Federal News Network DoD reporters Jared Serbu and Scott Maucione.

DoD’s in-air, on ground testing indicates commercial aircraft present low risk for COVID transmission

In the midst of pandemic, all available evidence shows it’s a very good idea to keep oneself away from large gatherings of other people and to avoid unnecessary travel. But if you really need to go somewhere, it’s extraordinarily unlikely that you’ll contract the virus during a plane flight.

That’s according to a just-finished study by U.S. Transportation Command and the Defense Advanced Projects Research Agency, which officials say is the largest study of airborne particles in airplanes that’s ever been conducted.

Defense officials launched the research to help determine the risks of moving service members and their families aboard contracted commercial aircraft — most commonly…

Read More…

Get inside Wall Street with StreetInsider Premium. Claim your 1-week free trial here.

SAN DIEGO, Sept. 16, 2020 (GLOBE NEWSWIRE) — Kratos Defense & Security Solutions, Inc. (Nasdaq: KTOS), a leading National Security Solutions provider, announced today that it is offering CMMC pre-certification advisory services to commercial organizations and Department of Defense (DoD) contractors seeking CMMC compliance. CMMC advisory services currently include strategic and operational consulting services, gap assessment and remediation services, and documentation services.

As Mark Williams, Vice President, Kratos Cybersecurity Services explained: “Unlike most organizations offering CMMC Advisory services, Kratos is one of the first and largest FedRAMP third party assessment organizations (3PAO), is a member of the Defense Industrial Base (DIB) and sells to the DoD.  As a result, we have a unique understanding and insight into how CMMC requirements impact DIB organizations and what can/should be done to satisfy these requirements.” FedRAMP is a U.S. government-wide certification program in which all cloud service providers (CSPs) must be authorized to provide cloud services…

Read More…

Gone are the days when Cybersecurity Maturity Model Certification (CMMC) was the issue keeping us up at night. Now that COVID-19 coverage has overtaken the news cycle and upended government and businesses alike, it has been hard to focus on anything else but coronavirus. But, according to the Department of Defense (DoD), the show must go on despite the disruption coronavirus has caused to the workforce. In fact, CMMC milestones and deadlines are still being executed on a tight clip.

Many already viewed the process of trying to meet or assess their level of compliance as a financial burden which is now compounded by operating with a largely remote workforce. However, in light of increased cyber attacks against government networks and the private sector, implementing CMMC requirements – especially now – may actually be a blessing. CMMC requires government contractors to achieve certain cybersecurity standards in order to qualify for contract awards. But these standards are also designed to protect the networks of government contractors too regardless of the goods or services they provide to the Defense Industrial Base (DIB).

In reality, the much anticipated CMMC is good…

Read More…

For Defense Department chief information officer Dana Deasy, digital transformation was never just about the cloud.

This is why making the Air Force’s dev/sec/ops program, known as Platform One, a DoDwide enterprisewide service is an important milestone.

Deasy said Platform One will make it easier for the military services and defense agencies to modernize applications.

“My office recently designated one of the most mature dev/sec/ops platforms within the department, the Air Force Platform One, as an enterprise service which has the effect of making this capability broadly-available across the DoD. That designation also links directly into the software acquisition policy released by Acquisition and Sustainment that encourages both the uses of dev/sec/ops and adoption of existing enterprise services,” Deasy said during a briefing with reporters on July 30. “While we tend to focus on technology when we talk about software, it is important to acknowledge that progress is delivering — delivering capability more rapidly will depend as much on non-technical enablers such as changes to acquisition policy, cyber risk…

Read More…

Since the start of the pandemic, DoD official Katie Arrington, the acquisition office’s CISO and the public face of the DoD’s effort, has kept in close touch with Defense Industrial Base (DIB) stakeholders via online conferences to provide continual updates and clarifications.

The CMMC program will require all DoD contractors to undergo assessment and third-party certification^[1] of their cybersecurity posture to be awarded a DoD contract. The tiered certification program includes five levels corresponding to the sensitivity of the controlled unclassified information (CUI) a contractor will handle under a particular contract.

Accreditation Body in Place, Assessor Certification Underway

Rolling out the requirements will be a slow and measured process. The DoD has handpicked the first 10 requests for information (RFIs) that will include CMMC requirements, scheduled to appear in October after the official acquisition rule is changed. The requests for proposals (RFPs) will follow later this year, and the first contract awards are expected in…

Подробнее…