CDI Founder Greg Fordham has authored more than 70 articles on government contracts, computer forensics and security, and electronic discovery. Below are some of his best known government contract articles that are available for download.
When it comes to computer security and protecting the data contained on them, our attention is often focused on forces from outside the organization. Even the NIST 800-171 security controls imposed on contractors by the requirements in DFARS 4.7300 and the clause at DFARS 52.204-7012 invovling safeguarding Controlled Unclassified Information (CUI) are more outwardly focused than internally focused. There are several reasons for this. One is that many computer threat assessments quantify attacks from outside the organization as much more numerous than attacks from within. Another is that there have been many large data compromises from forces outside the organization.
Despite those numbers, there are mitigating factors that should also be considered. One is that many hackers just like the challenge. Consequently, while there are a lot of attacks, the damage is often minimal because the hacker lost interest or did not know what to do next once the penetration was perfected.
By contrast, the number of internal threats is usually a much smaller number. Nonetheless, forces within the organization are likely a bigger threat than forces from outside. One need look no further than the cases involving Bradley Manning and Edward Snowden to realize just how much more significant an internal compromise can be than an external one.
Not all internal based compromises are the result of malevalent insiders. Indeed, there are two other situations where insiders are cause for data compromise.
The first situation where insiders are a considerable risk, other than malevalent actors, is that even the large hacks that come from outside are often the result of an unwitting security compromise by an insider. In other words, an insiders is the unwitting victim of a physhing or social engineering exploit. Thus, the reason that there should be more concern about employee based compromise is not simply that one needs to protect themselves from the malevolent employee but that they must also protect themselves against the unwitting employee that falls prey to a malevolent outsider.
The second situation where insiders are considerable risk, other than malevalent actors, is that successful hacks also occur when human error has misconfigured some device on the network which leaves the network vulnerable to attack. In either of these latter two situations, the employee based computer compromise is equally problematic.
The following sections discuss the 10 steps to protect your network from employee based computer compromise.
Prior procurement practices of the federal government reflect its intoxication with protecting the public fisc. Cost based pricing, excessive management interference, and malicious prosecution are all examples of the tools that it created to discharge its duties. In the end, however, all that occurred was that it ended up squandering precious resources.
As a cure for this ailment. regulatory provisions have been considerably revised to streamline the procurement process so that the government can escape the consequences of its own vanity and benefit from commercial items and practices in prescribed situations. While this offers great prospects, the government nonetheless retains many of its elitist philosophies, since cost based pricing, excessive management interference, and malicious prosecution remain the status quo unless the commercial item practices are adopted for the procurement.
The following sections discuss the 10 steps to protect your network from employee based computer compromise.
Located in Atlanta Georgia federal government contract expert consultant gregory fordham explains the requirements and applicability of the Cost Accounting Standards (CAS). This article explains applicaility of Cost Accounting Standards (CAS) to individual contracts, determination of Cost Accounting Standards (CAS) full or modified coverage for particular contracts, preparation, submission and settlement of Cost Accounting Standards (CAS) disclosure statements, Cost Accounting Standard (CAS) cost impact proposals for voluntary changes or non-compliance issues, assessment of Cost accounting Standards (CAS) cost accounting practice compliance, cost structure optimization to maximize revenue on government contracts, and assistance resolving Defense Contract Audit Agency (DCAA) audit findings alleging non-compliance with Cost Accounting Standards (CAS) requirements.
Located in Atlanta Georgia federal government contract expert consultant Gregory Fordham explains the requirements of the truth in negotiations act (now known as the truthful cost or pricing data act) and the FAR part 15 requirements for a contractor to provide cost or pricing data. In the process he explains common mistakes made by contractors as well as when cost anlaysis is performed, price analysis is performed and when other than cost or pricing data is performed.
Contractor business systems, which include a contractor's accounting, estimating, and purchasing systems, along with three others, produce critical data that contracting officers use to help negotiate and manage defense contracts. These systems and their related internal controls act as important safeguards against fraud, waste, and abuse of federal funding. As a result, the federal and defense acquisition regulations impose standards for how contractor business systems should operate and then require require the review of these systems when review thresholds are reached. These system reviews are the Contractor Puchasing System Review (CPSR), Material Management and Accounting (MMAS) System Review, Earned Value Management (EVM) System Review, Estimating System Review, Accounting System Review, and the Property Management Review.
The Defense Contract Management Agency (DCMA), through Administrative Contracting Officers (ACO), generally has responsibility for deciding whether contractor business systems are acceptable and then either approving or rejecting as unacceptable contractors’ business systems. The reviews and audits themselves, on which ACO decisions are based, are conducted, depending on the businsess system being reviewed, by Defense Contract Management Agency (DCMA) reveiw teams or auditors from the Defense Contract Audit Agency (DCAA).
Located in Atlanta Georgia federal government contract and computer security and forensic expert consultant Gregory Fordham examines the six contractor business system reviews and explains the general purpose for these reviews, the thresholds triggering when contractors will be subjected to them, how they are administered and conducted, the nature of a significant deficiency warranting disapproval of a contractor's business system, and how contractors can improve their chances at passing these reviews, minimizing an adverse effect, and how to respond to adverse reports.
When one considers the two choices of using in-house resources or using an outside consultant to investigate an intrusion, data breach, or potential cyber incident under the new DoD rule, two factors loom large. First, by their own admission in the recent Ponemon Institute survey, over half of the in-house security professionals are not adequately equipped to handle the unique challenges of a network intrusion and data compromise. Equally shocking is that these results are not an isolated aberration. Indeed, the firm of Ernst & Young had similar results in their 2013 Global Information Security Survey. Specifically, they found that, “Information Security Departments continue to struggle with a lack of skilled resources and support.” In fact, 50 percent of respondents in the Ernst & Young survey “cited a lack of skilled resources as a barrier to value creation.”.
Second, over 70 percent of the respondents in recent Ponemon Institute survey think it will take them a year or more to fully understand the scope and consequence of the intrusion. Of course, management does not have that kind of time to determine the cause and assess the impact.
Consequently, if you are in senior management of a government contractor whose data was just compromised, there are four reasons why you should get help from an outside consultant in general and Celestial Defense in particular.
Located in Atlanta, Georgia federal government contract expert consultant gregory fordham explains the requirements and process for preparing, submitting, and settling Request for Equitable Adjustments (REA) for constructive contract changes under various contract clauses like the changes clause, differing site conditions, defective specifications, excessive inspection or interference, unsuitability of government furnished property or information, delay claims using Eichleay formula for delays caused by protests after award, deliquency in getting notice to proceed, delinquency in receiving government furnished property or information and many other kinds of contract delays. The article identifies numerous fatal mistakes that contractors make when preparing their request for equitable adjustment.
Neither the 2013 nor the 2015 and 2016 DFARS rules contains penalties for contractors whose information systems do not comply with the rules’ requirements. In fact, there is not even a penalty for cyber incidents mentioned in any version of the rules, at least with respect to safeguarding CUI or even a cyber incident. In fact, the rules indicate that a cyber incident is not by itself evidence that a contractor failed to meet the requirements imposed by the rules.
Not only are there not any expressed penalties, there are no pre-award representations or certifications either. Rather, it is just required that the contractor comply with the rules’ requirements and the contractor is advised that by submitting its offer it is representing that it will comply with the safeguarding requirements.
There are no requirements for a contractor to claim that its information system actually complies with the requirements of the new rule or has been certified as complying with the rules or any other such claim. As a result, there is no requirement that the contractor’s system comply with the rule prior to award or have the ability to comply with the rule prior to award. All that is required is that the contractor comply with the rule at time of award and during performance.
All of three of the rule iterations, the 2013, 2015 and 2016 versions, require contractors to report a “cyber incident”. There are no other reporting requirements such as whether a contractor’s systems actually comply with the security standards.
Not only are there not any expressed penalties, there are no pre-award representations or certifications either. Rather, it is just required that the contractor comply with the rules’ requirements and the contractor is advised that by submitting its offer it is representing that it will comply with the safeguarding requirements.
Whether a contractor’s system meets the various system standards is likely a very subjective determination, however. The various security controls are broadly worded. In addition, there simply are no hard and fast rules about how they are to be achieved or how compliance should even be measured. In fact, the only thing that likely is measurable is whether or not the contractor has experienced a “cyber incident”. A cyber incident is defined identically in all versions of the rules as, “actions taken through the use of computer networks that result in an actual or potentially adverse effect on an information system and/or the information residing therein.” Remarkably, the definition of a cyber incident is not very helpful when determining a contractor’s reporting requirements. After all, what is an adverse effect, whether actual or potential?
Unlike the rules governing classified data, which function to protect all classified data, the new rules do not apply to all unclassified data. Rather, they apply to only certain unclassified data that has been identified as worthy of protection. Thus, even though the new clauses are required in every defense contract, their requirements for security controls and incident reporting are triggered only if the covered data resides or transits through the contractor’s information systems. Consequently, a first step to understanding the requirements of the rule is understanding to what kinds of data the controls and security standards apply. Amazingly, the types of data to be protected are different for the 2013, 2015 and 2016 versions of the DFARS rule. The difference is both obvious and immediate since it appears in the first paragraph of the scope section, DFARS 4-7300(a) of the respective rules.
Located in Atlanta Georgia federal government contract expert consultant gregory fordham explains the requirements for preparing, submitting, and settling a standard FAR part 49 and FAR part 12 commerical item termination settlement proposal when a contract is terminated for convenience or was improperly terminated for default and converted to a termination for conveience. In the process he explains common mistakes made by contractors as well as important concepts such as the loss ratio calculation, subcontractor settlement process, profit negotiations, recovery of termination costs and special unamortized costs such as loss of useful value.
Author Fordham presents a compelling and well thought-out 10-page article that advocates there is no basis for offsetting Eichleay overhead with amounts received as markups on change orders. In presenting his thesis, Fordham examines the issue from three perspectives. First, he examines the percentage markup method as required in the Federal Acquisition Regulations (FAR) and Cost Accounting Standards (CAS). Second, he examines the mechanics of the Eichleay formula and the variables used for making the computation. Finally, he examines the decisions by the General Services Board of Contract Appeals and by the Federal Circuit in Wickham Contracting where both the Board and the Court rejected the government’s decrement to the Eichleay value for overhead recovered in priced changes.
This article first appeared in The Procurement Lawyer, Spring 2004, Vol. 39, No 3, American Bar Association Section of Public Contract Law, and is available by request only.
DoD’s expanded interest in data security for unclassified information follows an expanded government wide interest in protecting unclassified information. In fact, the federal government’s interest in safeguarding unclassified information has grown dramatically since 2000, at least unclassified data on its own systems. In 2000, the primary direction for the protection of unclassified information was memorialized in OMB Circular A-130, which focused on the management of federal information resources. Since 2000 there have been several significant initiatives related to cyber security in general and Controlled Unclassified Information (CUI) in particular.
The DoD’s process for extending CUI requirements on its contractors began with a proposed rule in 2011 that was then made a final rule in August 2013. This was before NARA, the executive agent for CUI, ever issued any rules or standards, although NARA had requested NIST to develop a set of security standards. It was also before NARA had promulgated any of its own rules governing federal contractors, although it had indicated that a single FAR [Federal Acquisition Regulation] wide rule would likely be proposed in 2016. In fact, a final rule was published in May 2016 that added requirements to FAR 4.1900, 7.105, 12.301 and the contract clause at FAR 52.204-21, 52.213-4, and 52.244-6.
Under all versions of the DFARS rules contractors are required to provide adequate security to safeguard the covered data. The security systems and controls, that are used by the contractor to adequately safeguard covered data, are required to meet certain minimum standards that are prescribed by the contract clauses.
The 2013 rule requires only 51 security controls from the NIST SP 800-53 standard. Those standards are to be applied, however, only to its own systems. Thus, even though the definition of a contractor information system is quite broad, as discussed previously, these controls only apply to the contractor’s own information systems.
The 2015 and 2016 versions prescribe standards for both contractor information systems as well as cloud computing service providers. With respect to contractor information systems the 2015 and 2016 versions impose the NIST SP 800-171 security standards. The NIST SP 800-171 standards contains 109 controls which can be mapped to 124 of the NIST SP 80-53 standards.
With respect to cloud computing service providers under the 2015 and 2016 versions, the applicable standards are different for cloud service providers used by DoD versus those being used by a contractor. For those cloud providers serving DoD the requirements are those described in the Cloud Computer Security Requirements Guide (CCSRG), which follows a DoD modified version of the FedRAMP version 2 Moderate baseline. The CCSRG applies when contractors are providing cloud computing services directly to DoD.
The 2016 version of the rule also applied cloud computing standards to cloud service providers used by contractors. In that situation, the CCSRG was not specified. Rather, the 2016 rule simply required the FedRAMP modified baseline requirements.
Wickham Contacting is the case where the Federal Circuit proclaimed the Eichleay formula as the only means for computing unabsorbed overhead (delay damages) for Federal government contracts. In this 20 page article, author Fordham reviews the history of delay claim quantification in government contracts as well as the damages theory and explains how the court's decision in Wickham undermines equitable analysis.
This article first appeared in The Clause, December 1995, The Board of Contract Appeals Bar Association, and is available by request only.
Contractor business systems, which include a contractor's accounting, estimating, and purchasing systems, along with three others, produce critical data that contracting officers use to help negotiate and manage defense contracts. These systems and their related internal controls act as important safeguards against fraud, waste, and abuse of federal funding. As a result, federal and defense acquisition regulations require DoD to take steps to review the adequacy of these business systems and to ensure that contractors correct identified deficiencies.
The Defense Contract Management Agency (DCMA), through Administrative Contracting Officers (ACO), generally has responsibility for deciding whether contractor business systems are acceptable and approving or rejecting as unacceptable contractors’ business systems. The reviews and audits themselves, on which ACO decisions are based, are conducted, depending on the businsess system being reviews, by Defense Contract Management Agency (DCMA) reveiw teams or auditors from the Defense Contract Audit Agency (DCAA).
Located in Atlanta Georgia federal government contract and computer security and forensic expert consultant gregory fordham examines the six contractor business system reviews and explains the general purpose for these reviews, the thresholds triggering when contractors will be subjected to them, how they are administered and conducted, the nature of a significant deficiency, and how contrctors can improve their chances at passing them, minimizing an adverse effect, and how to respond to adverse reports.