- March 21, 2024 -

Welcome to the new Cyber Newsletter, a monthly publication from the Wisconsin Procurement Institute (WPI),

Wisconsin Apex Accelerator

If your organization needs assistance meeting Federal or Department of Defense cyber security requirements, contact Marc Violante, Director of Federal Market Strategies at marcv@wispro.org, or Matt Frost, Government Contract Specialist at mattf@wispro.org

Have you checked the date of your latest DoD self-assessment? How about the date of the assessment for your suppliers and subcontractors?

DoD self-assessments are required to be conducted by DoD contractors, suppliers and subcontractors and uploaded to the Supplier Performance Risk System (SPRS). Additionally, self-assessments must be less than three years old unless a lesser time is specified in the solicitation. See DFARS 252.204-7019.

Companies at any level whose self-assessment was completed and posted to SPRS and is greater than three years are not eligible for contracts, “subcontracts and other contractual instruments, including subcontracts for the acquisition of commercial products or commercial services (excluding commercially available off-the-shelf).” DFARS 252.204-7020

Additionally, all companies whose SPRS score is not 110 are required “to have or to make progress on a plan to implement NIST SP 800-171 requirements.”  “Parking” one’s cyber efforts after completing the initial assessment or an update is not approved or appropriate. Failure of a company which hold DoD contracts to actively improve its SPRS score, “may be considered a material breach of contract requirements.” See DoD USD A&S dtd June 16, 2022.

To remain eligible for DoD contract awards as either a Prime contractor of as a subcontractor, companies need to continue to improve their cyber security and upload the most current scores to the SPRS system before any score date exceeds three years.

Companies that would like assistance with creating and updating their System Security Plan, Plan of Action or in conducting the DoD Basic Self-Assessment should contact WPI by email at cybersecurtiy@apexaccelerator.com WPI can also provide assistance with creating your SPRS account and uploading the required information.

The process takes time so don’t wait and miss out on an opportunity!

DIBBs Access

Current and prospective DLA contractors take heed. DLA monitors all access to cFolders and flags any activity that violates the terms of conditions. Unfortunately, companies unknowingly have violated these conditions. Two accessed cFolders from locations outside of the United States and two companies accessed cFolders using a VPN. Additionally, one company accessed cFolders via Proxy server which effectively masked the location and identity of user.

In all these instances, each company received a letter from DLA and access to cFolders was terminated. There is a process to regain access privileges and these companies took advantage of that process. In one instance, the actions were deemed so egregious, that the letter stated the company would be permanently banned from cFolder access.

It is my understanding that the company was able to make a case and its access privileges were restored. However, given the nature of the issue, I would not expect this company to receive another chance.

All companies seeking to conduct business with DLA need to take time and have all employees who may use cFolders or its information review the Terms and Conditions for using and accessing information in DLA’s cFolders.

These criteria extend beyond the requirements of DFARS 252.204-7012 and NIST 800-171 r2.

Remember, TDPs frequently contain sensitive information such as CUI, JCP and ITAR.

As noted above, violating the user agreement can at a minimum lead to a user’s (company’s) DIBBS privileges being revoked permanently or in the best case, until they are restored via executing a formal signed agreement.

Specific requirements include:



1. Accessing DIBBS (cFolders) using a VPN or Proxy server which masks the user’s identity. VPNs may be more common than one would believe. A VPN may be on a laptop or on used by a network. Either way, it doesn’t matter. All cFolder activity is monitored. DLA does not begin with a warning letter. The user may attempt to log into cFolders and they can’t. Then DLA’s letter arrives.
2. Various entities such as businesses, organizations and even schools may utilize proxy servers. DLA does not look to see who the owner is. DLA looks to see if an authorized user’s identity is masked. If the answer is Yes, then that user has violated DLA’s terms and conditions of service and DLA will take formal action.
3. Don’t attempt to access cFolders from outside the United States. Many TDPs contain export controlled information or information which falls under ITAR restrictions. Given the penalties involved with mishandling these types of information, having one’s access to cFolders terminated may be the least of one’s concerns.
4. Be familiar with the handling and sharing restrictions of the data contained in cFolders. Do not guess as to what the requirements are or treat it as routine information.

Don’t overlook DoD Instruction 5200.48 Controlled Unclassified Information (CUI)

This document establishes policy, assigns responsibilities, and prescribes procedures for CUI throughout the DoD in accordance with Executive Order (E.O.) 13556; Part 2002 of Title 32, Code of Federal Regulations (CFR); and Defense Federal Acquisition Regulation Supplement (DFARS) Sections 252.204-7008 and 252.204-7012.

While most of the requirements specifically apply to DoD. Section 5 specifically addresses industry requirements and section 5.1 begins “There is a shared responsibility between the DoD and industry, when established by contract, grants, or other legal agreements or arrangements, in the identification, creation, sharing, marking, safeguarding, storage, dissemination, decontrol, disposition, destruction, and records management of CUI documents and materials.”

To this end, section 3.6 (b) identifies training requirements that include industry – “in accordance with this issuance, every individual at every level, including DoD civilian and military personnel as well as contractors providing support to the DoD pursuant to contractual requirements, will comply with the requirements in Paragraph 3.6.f of this issuance for initial and annual refresher CUI training.”

Cybersecurity Update

Items of note:

On February 26, NIST released its Cybersecurity Framework 2.0.

This document is designed for all businesses: large and small and at any level of cyber maturity.

The framework builds on the existing five elements of past frameworks – Identify, Protect, Detect, Respond and Recover. This updated version adds a sixth element to the framework – Govern (Governance).

“Governance activities are critical for incorporating cybersecurity into an organization’s broader enterprise risk management (ERM) strategy. GOVERN addresses an understanding of organizational context; the establishment of cybersecurity strategy and cybersecurity supply chain risk management; roles, responsibilities, and authorities; policy; and the oversight of cybersecurity strategy.” CSF 2.0 page 3

The design of the document is not to specify steps that companies should take. Rather, the document provides outcomes to achieve. Section 4 provides the following tools - Informative References, Implementation Examples, and Quick Start Guides.

For companies which may be required to comply with DFARS 252.204-7012 and NIUST 800-171 r2, CSF 2.0 is not a substitute or an additional set of requirements. In fact, CSF 2.0 does not reference CUI, DFARS 252.204-7012 or NIST 800-171. However, DIB companies may find some of the resources to be informative and helpful as they implement DFAR requirements.

Two area that are mentioned on several occasions are the idea of managing Risk and Securing a Company’s Supply Chain. So, this document may help members of the DIB in those two areas.

Additionally, DoD published a new Final Rule in the Federal Register on Tuesday, March 12. This rule does not create additional cybersecurity mandates for members of the DIB. This rule expand eligibility of DIB businesses to apply to and take advantage of DoD cyber information.

DoD’s CS program has been in place for approximately ten years. However, only cleared companies, those which held active facility/security clearances were eligible to participate.

This rule will assist businesses access DoD information about threats, cyber activity and other information. The goal is to provide a mechanism to inform businesses and provide training to assist businesses understand how to use the information.

The rule does include requirements such as applying for access, creating new PIEE account and other. However, the burden is viewed as minimal.

The rule will go into effect on April 11, 2024.

Finally, on March 11, 2024 - Added a memorandum to the Policy and Forms page, "Clarifying Guidance on CUI Training Requirements." This memorandum states the CDSE-developed CUI course is the official DoD CUI training course and will be used for initial CUI training. Additionally, it is available for annual refresher training.

Call WPI to conduct a Tabletop exercise – 

Your cyber-team has informed you that the company has been impacted by a “reportable cyber-incident.”

As a DoD contractor, the clock has started. You have 72 hours to investigate and submit your report to the DIBNET.

Here are several questions:

1. Do you have a cyber-incident plan?
2. Who will lead the investigation?
3. What initial actions are required? Have they been taken?
4. Are the necessary resources available?
5. Are you prepared to take a forensic image of the network and store it for the required time?
6. Are external resources required? Are they immediately available?
7. Does the company have a medium assurance certificate required to make the report.

If you would like to run a Tabletop exercise at your business please contact WPI and speak with Matt Frost at mattf@wispro.org

FEATURED EVENTS

DLA and Industry:

Partnering together to enhance the supply chain and mission readiness

April 3, 2024

8:30 - 11:30 am

Oshkosh Waterfront Convention Center

1 N Main St, Oshkosh, Wisconsin 54901

GUEST SPEAKERS

• Susan Depies-Styer, COL U.S. Army, Director, Land Supplier Operations, DLA Land and Maritime, Columbus, Ohio 
• DLA Small Business Representative

April 10, 2024

MSOE Dwight and Dian Diercks Computational Science Hall

1025 N Milwaukee St, Milwaukee, WI 53202

Join the Wisconsin Procurement Institute (WPI) Board of Directors, Wisconsin federal contractors, Federal agency and prime contractor representatives at this year’s in-state Wisconsin Federal Contractor Forum (WFCF).

Presented in partnership with NDIA Great Lakes

Updated information will be posted to wifedforum.org

May 16, 2024

Fox Valley Technical Collge DJ Bordini Center

5 N Systems Dr Appleton, WI 54914 

Doing business with the Department of Defense presents great opportunities but also complex challenges. In order to be successful, the Defense Industrial Base must keep current with ever changing regulatory requirements, industry trends, and DoD priorities.

Whether you’re a current or prospective DoD prime or subcontractor, you won’t want to miss the updates and discussions presented by a mix of Government and Industry experts.

Join Wisconsin’s DOD contractors and subcontractors for this annual event. This in-person event will be held in Appleton, WI at the FVTC D.J. Bordini Center.

• Be sure to follow WPI on social media (Facebook, LinkedIn, X) for regular updates on events, news and opportunities.