SAM.gov Wants to Get to Know You Better. Much Better.

Dear SAM.gov Administrators,

Like Your Privacy? Want to be a Government Contractor? Take your pick…because these are now mutually exclusive choices.

NextGov reported last week that the Government Services Administration (GSA), which operates everyone’s favorite data aggregator, www.SAM.gov, is going to require every entity registered to provide the name of a real human being as the Account Administrator.

Apparently there are fake accounts and/or false names being used for SAM.gov registrations.

You may recall that SAM.gov started requiring all entities to submit notarized certification letters to establish or renew a registration a few years ago.

Then we all had to create a new account via www.Login.gov and use those credentials to access SAM.gov.

Apparently, that wasn’t sufficient so now they’re requiring each SAM Account Administrator to provide a copy of their driver’s license, social security number, and a valid phone number. The data will be cross-referenced with the issuing agency for validation.

Oh, and GSA says they won’t store the data either in SAM.gov or Login.gov.

The rollout started on October 1st this year – but apparently there isn’t yet a hard deadline established.

So, SAM Account Administrators take note and prepare to sacrifice a bit more of your personal info.

Read the full article if you want to know more.

Phishing, Malware, State Sponsored Hacks…DoD Demands Data Security from its Government Contractors

According to some estimates, more than 70% of DoD data resides on contractor networks. Given the ever-growing security risk posed by cybercriminals, the DoD has developed a new set of standards called Cybersecurity Maturity Model Certification (CMMC) to help protect Government contractors and their data from cyberattacks.

What is it?

CMMC is a new certification that addresses the cybersecurity processes used by contractors and subcontractors to perform work on Government contracts. The certification process assesses a contractor’s cybersecurity procedures and practices with respect to defined levels of maturity (CMMC Level 1-5). The assessment is conducted by an outside third-party assessment team.

Why is it Important?

In a word – hackers. As we see in the news every day, commercial companies and state and federal Government agencies (including DoD) are continually being targeted by hackers – individuals, criminal organizations, or nation-state actors. Just recently – on Dec 13th, 2020 – the U.S. Treasury admitted it had been breached by a foreign-government-backed cyberattack. Government data is targeted and exploited, so safeguards must be implemented and updated to stay ahead of threat actors. CMMC seeks to ensure that Controlled Unclassified Information (CUI) and Covered Defense Information (CDI) are adequately protected.

Who is affected?

Basically, all contractors and subcontractors that work on DoD programs will be required to have some level of certification (at least Level 1). Each contract will specify the CMMC level required for the prime contractor and subcontractors.

What is the timing?

DoD released the initial set of CMMC standards on January 31, 2020. CMMC language has already started appearing in Requests for Proposals (RFPs) and Requests for Information (RFIs). The DoD will implement a phased rollout of CMMC with 15 pilot programs in FY2021, increasing in number each year until FY2025. All new DoD contracts will require an appropriate level of CMMC certification by 2026. Existing contracts up for renewal will reflect the CMMC level required by the contracting authority.

What does this mean for me and my company?

CMMC will be implemented soon, so if you currently work, or plan to work, on DoD programs then you need to be ready. Review the initial release of the CMMC standards to gain a comprehensive understanding of its stipulations. Discussions with the DoD agency or prime contractor should give some insight into which level of certification may be required for existing contracts. Future RFIs and RFPs will include CMMC requirements. You need to be prepared ahead of time – don’t be excluded from a bid because you failed to meet the CMMC requirements!