This series, taught by experts in the field, will walk participants through the most important issues facing government contractors as they navigate the fast-changing issues of cybersecurity. Starting with a comprehensive overview of CMMC and key regulations, and ending with a session about how to deal with cyber incidents and breach of your systems, this series will also delve into the new government contracting rules relating to cybersecurity, considerations relating to cloud computing and supply chain issues in light of today’s cyber events. This webinar series will combine teaching of the key rules with war stories from the front lines and practical advice from experienced practitioners.
Cybersecurity: What Government Contractors Need to Know
Second Thursday of the Month, 2:00-3:30pm ET
- January 11 – What are Controlled Unclassified Information and Covered Defense Information, and Why Should we Care?
- The federal government has been creating a unified approach to safeguarding sensitive, unclassified information for over a decade. The goal of this “new” Controlled Unclassified Information (“CUI”) program is to make it easier to disseminate sensitive information to federal agencies, contractors, and others who have a lawful government purpose to access the information. The CUI program has had a slow start. As a result, more than a decade after it was created, many agencies are only now beginning their internal implementations of the CUI program. DoD and DHS have taken the lead, but other agencies are quickly following. For example, at least ¼ of DoD contractors handle CUI, and the majority of those contractors handle a specific form of CUI which is referred to as Covered Defense Information (“CDI”). DoD’s Cybersecurity Maturity Model Certification (“CMMC”) program is designed to ensure CUI, and especially CDI, is properly protected when entrusted to government contractors.
- This 90-minute session, taught by the author of two books on the topic of CUI, will enable you to better understand when information becomes CUI, how to handle CUI, how to navigate the CUI program, and how to handle common CUI-related issues. If your company is a government contractor, or you are a federal, state, or local employee who handles sensitive information, you won’t want to miss this important session!
- February 8 – Protecting Sensitive Information and Proving it Through CMMC
- The Cybersecurity Maturity Model Certification (“CMMC”) program has been in the headlines for several years now. Recent updates, including the December 26, 2023 release of a new, proposed CMMC regulation, are causing many government contractors to pay closer attention to CMMC. In this 90-minute session, taught by a founding member of the CMMC Accreditation Body, CMMC Provisional Instructor, and Certified CMMC Assessor, we will discuss the CMMC program, its relationship with Controlled Unclassified Information (“CUI”) and Covered Defense Information (“CDI”), and how to accelerate your CMMC compliance journey. We will also discuss the role the Supplier Performance Risk System (“SPRS”), the National Institute of Standards and Technology (“NIST”) Special Publications, and other key agency provisions play in the CMMC program, with an emphasis on their implementation in the Federal Acquisition Regulations (“FAR”) and Defense Federal Acquisition Regulations Supplement (“DFARS”). We will also explore the implications of CMMC’s attestation requirements for senior company officials, recent False Claims Act cases, techniques for minimizing risk, and best practices for establishing compliance.
- March 14 – Can I Put this Data in the Cloud? Should I?
- Companies are increasingly leveraging the “cloud” to augment, and even implement, their IT infrastructure. But the cloud comes with risks. As a government contractor, it is imperative that you understand the government’s rules for the use of the cloud, both when providing services directly to the government and when you’re using the cloud in your own IT systems to handle the government’s information. It is also important to understand that the requirements surrounding the use of the cloud are changing. To stay compliant, you need to keep up to date with these changes.
- In this 90-minute session, we will explore cybersecurity-related issues that accompany the use of the cloud and issues that are unique to Cloud Service Providers (CSPs). We will examine the Federal Risk and Authorization Management Program (“FedRAMP”) and the Department of Defense’s (“DoD”) January 2, 2024 memo regarding FedRAMP equivalency for contractor systems.
- April 11 – Who can you Trust? Cybersecurity Supply Chain Considerations
- Businesses don’t work in isolation. Instead, they buy goods and services from many other companies. As evidenced by the COVID-19 pandemic, disruptions in this supply chain can have immediate and crippling effects on your business. Those disruptions aren’t limited to global pandemics; they can occur due to cybersecurity issues as well. From ransomware attacks that shut down a supplier to the theft of information you entrusted to your vendor to the accessing of your systems through a breached vendor account, the interdependence of today’s businesses creates significant risks.
- In this session, taught by a lawyer and cybersecurity expert, we will explore the cybersecurity-related supply chain issues facing businesses today, and we will do so through the lens of some recent, high-profile cases including SolarWinds, Colonial Pipeline, Wipro, and more. We will also discuss emerging supply chain regulations, including those impacting the suppliers of Internet of Things (“IoT”) devices, software providers, and others. The session will also include strategies your company can take, today, to get ahead of these supply chain risks.
- May 9 – Persistence Pays Off – Cyber Threat Information Sharing and Incident Reporting/Investigation
- If you’ve ever been the victim of a cyber incident, you know that Hollywood does not do justice to the stress and anxiety that is felt by everyone involved. Everyone is focused on mitigating any damage, eradicating the bad actors, and getting the business up and running again. But that isn’t all you need to focus on. Government contractors, companies under the Securities and Exchange Commission’s (“SEC”) jurisdiction, financial services organizations, and others are increasingly expected to report cybersecurity incidents to various federal and state agencies, often in the middle of the fight against the bad guys. It is imperative that your business understand its legal and regulatory incident reporting obligations.
- In this session, we will explore some of the more recent incident reporting requirements, including those created by the SEC, DoD, and Cybersecurity & Infrastructure Security Agency (“CISA”). We will also discuss how those same agencies are using information about a given incident to help thwart other attacks, and how you can gain access to “indicators of compromise” to help your organization more quickly identify when your systems are under attack. Finally, we will discuss considerations and best practices for incident response.