Point(s) of Contact
Pamela Hamilton / FSO
843.327.3273
pamela@appliedsecurityknowledge.com
Richard Carmichael / ITPSO
678.221.7834
rcarmichael@laochservices.com
DoD Hotline
dodig.mil/hotline / 800.424.9098
SOURCE: ClearanceJobs by Lindy Kyzer – August 9, 2021
New policy requires federal employees and contractors who will be working on site at federal facilities to fill out a form listing their vaccination status. With hot COVID cards already available, some may be tempted to fake their vaccination status in order to get into their government office. But the Biden Administration's Safe Workforce FAQ includes a special warning for those who may be tempted to lie about their vaccination status:
Federal employees who make a false statement on the Certification of Vaccination form could be subject to an adverse personnel action, up to and including removal from their position. It is also a federal crime (18 U.S.C. § 1001) for anyone to provide false information on the form. Falsification could also affect continuing eligibility for access to classified information or for employment in a national security position under applicable adjudicative guidelines.
Eligibility to access classified information is based largely on an individual's trustworthiness. Lying in any capacity is a top reason for security clearance denial, outlined via the personal conduct adjudicative criteria. Lying in the course of a security clearance background investigation generally takes the form of lying on the SF-86. But lying on any government form – even one requesting vaccination status – could certainly result in security clearance denial, as well.
SOURCE: Federal Trade Commission by Seena Gressin – February 5, 2021
Some of you are celebrating your second COVID-19 vaccination with the giddy enthusiasm that's usually reserved for weddings, new babies, and other life events. You're posting a photo of your vaccination card on social media. Please — don't do that! You could be inviting identity theft.
Your vaccination card has information on it including your full name, date of birth, where you got your vaccine, and the dates you got it. When you post it to Facebook, Instagram, or to some other social media platform, you may be handing valuable information over to someone who could use it for identity theft.
Think of it this way — identity theft works like a puzzle, made up of pieces of personal information. You don't want to give identity thieves the pieces they need to finish the picture. One of those pieces is your date of birth. For example, just by knowing your date and place of birth, scammers sometimes can guess most of the digits of your Social Security number. Once identity thieves have the pieces they need, they can use the information to open new accounts in your name, claim your tax refund for themselves, and engage in other identity theft.
SOURCE: Federal News Network by Justin Doubleday – November 1, 2021
The Biden administration is moving forward with new personnel vetting principles intended to simplify and streamline how the government evaluates people for sensitive positions and security clearances.
The personnel vetting guidelines have been circulated throughout agencies and are currently in the queue for signature by the Office of the Director of National Intelligence and the director of the Office of Personnel Management, according to Valerie Kerben, senior policy adviser with the ODNI, speaking at an Oct. 27 National Industrial Security Program Policy Advisory Committee (NISPPAC) meeting.
The forthcoming guidelines are part of the ongoing Trusted Workforce 2.0 initiative to reform background investigation and security clearance processes. They are based on a "federal personnel vetting core doctrine" published in the Federal Register in January.
"The Federal Government must effectively optimize the resources, information, and technology to support the goal of a trusted workforce to conduct the business of the Federal Government," the doctrine states. "Personnel vetting assesses the trustworthiness of individuals based on the core characteristics to protect people, property, information, and mission, as they relate to the particular purpose."
SOURCE: Nextgov by Mariam Baksh – November 4, 2021
The CMMC program will be temporarily suspended while DOD officials revise the requirements.
The Defense Department is significantly scaling back a program it rolled out last year to validate the cybersecurity of its suppliers through third-party audits and is halting its implementation until the changes are official.
The program was supposed to be implemented over a five-year period with the ultimate goal of requiring every defense contractor in possession of certain controlled but unclassified information to obtain a certificate from a third-party assessor indicating their adherence to the Cybersecurity Maturity Model Certification standard. A number of programs within DOD were selected to pilot the program this year. Now, the Pentagon says it is looking to streamline the program—into CMMC 2.0—and make it more collaborative with industry in two new rulemakings through the Code of Federal Regulations.
"Until the CMMC 2.0 changes become effective through both the title 32 CFR and title 48 CFR rulemaking processes, the department will suspend the CMMC piloting efforts, and will not approve inclusion of a CMMC requirement in DoD solicitations," reads a notice set to publish Friday in the Federal Register. "The CMMC 2.0 program requirements will not be mandatory until the title 32 CFR rulemaking is complete, and the CMMC program requirements have been implemented as needed into acquisition regulation through title 48 rulemaking."
SOURCE: Federal News Network by Justin Doubleday – November 26, 2021
While it could be months or even years before the Cybersecurity Maturity Model Certification is a requirement in defense contracts, Pentagon officials are considering financial rewards and other incentives to get contractors to improve their network defenses before CMMC 2.0 becomes reality.
The Defense Department announced major changes to the CMMC policy earlier this month, effectively removing the requirement for the majority of contractors to get a certification as a condition of an award. Instead, companies that handle less sensitive contract information will only need to submit an annual self-attestation that they're following network security practices.
The Pentagon says the changes will reduce costs and complexity for thousands of small and medium-sized contractors.
DoD is also making changes to the CMMC standards and collapsing the model into three levels, down from the previous five. DoD will also allow companies in some cases to defer some requirements for up to 180 days after contract award.
SOURCE: Reuters by Kanishka Singh – October 29, 2021
A Russian national appeared in a U.S. federal court on Thursday after he was extradited from South Korea to Ohio to face charges for his alleged role in a cybercriminal organization, the U.S. Department of Justice said.
Vladimir Dunaev, 38, was a member of a cybercriminal organization that deployed a computer banking trojan and ransomware suite of malware known as "Trickbot", the Justice Department said.
"Trickbot attacked businesses and victims across the globe and infected millions of computers for theft and ransom, including networks of schools, banks, municipal governments, and companies in the health care, energy, and agriculture sectors," Deputy Attorney General Lisa Monaco said.
SOURCE: Bleeping Computer by Bill Toulas – November 5, 2021
US defense contractor Electronic Warfare Associates (EWA) has disclosed a data breach after threat actors hacked their email system and stole files containing personal information.
The company claims the breach's impact was limited but confirmed that the threat actor managed to exfiltrate files containing sensitive information.
As detailed in a notice to the Montana Attorney General's office, EWA discovered that a threat actor took over one of their email accounts on August 2, 2021.
The firm noticed the infiltration when the hacker attempted wire fraud, which appears to be the primary goal of the actor.
"Based on our investigation, we determined that a threat actor infiltrated EWA email on August 2, 2021. We were made aware of the situation when the threat actor attempted wire fraud," reads EWA's data incident notification.
SOURCE: Federal Trade Commission by Amy Hebert – November 10, 2021
You've probably heard: this holiday season, it might be harder to find the gifts you're looking for. So, many of us might be looking for alternatives, like buying gifts locally — or maybe from online marketplaces or sites you find through your social media accounts, online ads, or by searching online. If that might be you heading online, here are some things you can do to avoid a scam or negative experience:
What if something still goes wrong? Try to work out problems with the seller. If that doesn't work, report them to the marketplace. If you paid by credit or debit card, file a dispute with your credit or debit card company. Read What To Do if You Were Scammed for more on what to do if you paid a scammer.
And report fraud, scams, or bad business practices to the FTC at ReportFraud.ftc.gov.
SOURCE: Federal Trade Commission – May 2021
You want your donations to count, so it's important to do some research before giving to a charity. Here are some things you can do to learn more about a charity and avoid donating to a scam.
Expanded topics are explained in the complete article...