WHAT WE'RE READING

Aerial view of the United States Pentagon, the Department of Defense headquarters in Arlin

CPO MAG: US DEFENSE CONTRACTORS FAILING TO MEET CMMC REQUIREMENTS, 48% HAVE “SEVERE” VULNERABILITIES

June 8, 2021

CNBC: THE HACKER GROUP THAT WENT AFTER ONE OF APPLE’S SUPPLIERS FOUND A NEW VICTIM

June 16, 2021

FINANCIAL TIMES: RANSOMWARE HACKERS NOW BIGGER CYBER THREAT TO UK THAN HOSTILE STATES

June 15, 2021

WASHINGTON POST: HACKERS HIT JBS, THE WORLD’S LARGEST MEAT PROCESSOR

June 1, 2021

WASHINGTON POST: BIDEN ADMINISTRATION ISSUES EXECUTIVE ORDER IN WAKE OF PIPELINE ATTACK

May 13, 2021

THE HILL: DEFENSE CONTRACTOR HONEYWELL FINED $13M FOR SHARING DOCUMENTS WITH CHINA, OTHER COUNTRIES

May 6, 2021

Resources: Resources and Tips

THREAT INTELLIGENCE REPORTS

KASEYA REVIL SUPPLY-CHAIN RANSOMWARE ATTACK

By Fortress Information Security, July 7, 2021

The July 2, 2021, ransomware attack on managed service provider (MSP) Kaseya is still ongoing. Kaseya has stated they are deploying an update for their Virtual System Administrator (VSA) that patches the flaw used by the attackers, allowing the company to bring their Software as a Service (SaaS) back online. The attacker, REvil, has asked $70 million for a universal decryption key. There are rumors that REvil has reduced the asking price and may go even lower. However, it is unlikely at this point that Kaseya will pay the ransom, which may cause REvil to shift focus onto the individual clients affected by the attack.

Download

SOL ORIENS DATA BREACH

By Fortress Information Security, June 15, 2021

In May 2021, Sol Oriens, a subcontractor for the Department of Energy (DOE) who works with the National Nuclear Security Administration (NNSA), was the subject of a cyberattack which originated from the known ransomware group REvil. Specific details surrounding how the attack was executed, including the initial intrusion vector, are unknown at this time. The attackers were able to steal employee names, social security numbers, pay rates, a contracts ledger, and information related to employee training programs, all of which were posted on the dark web. While more sensitive information does not appear to have been exfiltrated, this incident highlights the threat posed by breaches affecting critical suppliers of U.S. government entities.

Download

Resources: Files

THE REGULATORY ENVIRONMENT

Supply chain risk-management is critical for industry and government alike. Policymakers have long been concerned with supply chain threats posed by secondary and tertiary suppliers. This has spurred a new wave of expansive regulatory action in the United States that is likely to continue for the foreseeable future.

Here are two regulations that federal government contractors cannot ignore:

Resources: List

PROHIBITED TELECOMMUNICATIONS

NDAA Sec. 889 requires government contractors to certify the products they sell the government are not supplied by certain Chinese companies:

Part A prohibits the government from obtaining (through a contract or other instrument) certain telecommunications equipment (including video surveillance equipment) or services produced by covered entities and their subsidiaries and affiliates

Part B prohibits the government from contracting with any entity that uses certain telecommunications equipment or services produced by the entities listed in the statute.

CMMC CYBERSECURITY

The CMMC is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place to ensure basic cyber hygiene as well as protect controlled unclassified information (CUI) that resides on the Department of Defense's industry partners' networks.