The hostile infiltration of Defense Industrial Base (DIB) devices and networks due to a cyber attack poses a danger to U.S national security. National security issues increase the value of data protection for manufacturers in defense. They transmit and receive controlled unclassified information (CUI) and covered defense information (CDI) about service requirements, software, and quality of machinery as they partner for security product research, design, production, and delivery.
Considering this confidential information is being moved along a complicated and highly distributed supply chain, these companies may become vulnerable to intellectual property (IP) theft and cyber attacks. In addition to posing a national security risk, cyber attacks can inflict substantial economic and reputational harm to defense contractors, interrupting distribution networks and leading to overruns in costs and schedules.
Cyber Challenges to the DIB
Cybersecurity weaknesses within the DIB prevail and current efforts to address them are not enough. Two major weaknesses include the absence of a widely clear and detailed image of the threat landscape confronting the DIB and the lack of initiatives to quickly identify and minimize the risks to DIB networks and devices.
Within the defense industry, rivals operate in the cyberspace across numerous sectors and domains. This indicates that while a sophisticated cyber threat may attack several entities within the DIB, any targeted entity can only watch the rival— their capacity, tools, approach and threat patterns — as it functions on its own resources, if at all. However, the Department of Defense needs a clear and consistent view of where, how and why they operate to gain perspective into the rivals as strategic organizations.
Such differences give fuel to a significant suggestion made by the Cyberspace Solarium Commission. The suggestion is that Congress, by statute, must mandate companies within the DIB to engage in sharing of threat-intelligence through a network that will be maintained at the department component level. This requirement must be part of the conditions of the DIB companies’ contract with the Department of Defense (DoD).
There are some existing programs for intelligence sharing, but they are inadequate. For instance, the department's Cyber Crime Center and the DIB Cybersecurity Initiative are mostly optional, even though some compulsory reporting criteria exist for DIB organizations. Additionally, current systems appear to favor major prime contractors having the capability to communicate and process intelligence about risks. However, smaller and subprime contractors play crucial roles in the distribution chain, and gaps within such institutions can have rippling negative implications.
Finally, the Department of Defense appears to lack a comprehensive tracking of its distribution chain, which may include non-US suppliers. There are no compulsory reporting provisions requiring that prime contractors reveal their subcontractors' identities to the department, which can have serious implications on the DOD’s cybersecurity. This is evident in the failure of NIST 800-171 self-assessments.
Failure of NIST 800-171 Self Assessments
Department of Defense (DoD) contractors are expected to have sufficient protection to secure CUI, partly through the implementation of the 110 security checks listed in Special Publication (SP) 800-171. This is mandated by a clause.
As DFARS 7012 also requires primary contractors to circulate the NIST 800-171 application provision to all their subcontractors and vendors having access to controlled unclassified information (CUI). Additionally, their adherence to the provision must be tracked at all stages of the supply chain.
The DoD updated the DFARS with some modifications in 2016 and directed contractors to fully implement NIST SP 800-171 by December 31, 2017.
The DoD evaluated ten contractors with DoD contracts estimated to be worth $1 million in the summer of 2019 to determine the security measures they had put in place to secure DoD CUIs. The evaluations found that security measures were not being systematically enforced for CUI-containing networks and systems. The most common security vulnerabilities found included the following:
CUI placement on unregulated removable media
Failure to address known security and network weaknesses
Lack of multi-factor authentication (MFA)
It is reasonable to think that all ten companies would come through the audit unscathed. However, in reality nine of them stumbled and each was reported to be lacking in eight out of ten basic safety tests.
When large DoD contractors, all probably with dedicated protection and IT personnel, performed so poorly in terms of basic safety management, how would smaller organizations with less support do when measured against regulations requiring the implementation and management of sophisticated safety technology? Not so well, if you follow common sense. The onus is on DoD to help the smaller DIB contractors to address the factors contributing to failure in NIST 800-171 self-assessments of large DoD contractors. The Cybersecurity Maturity Model Certification (CMMC) initiative can help do that.
The Role of CMMC in Improving CUI Security within the Supply Chain
An initiative of the OUSD (A&S), the CMMC evaluates and integrates multiple information security guidelines and best practices. It also tracks these controls and procedures through various maturity levels ranging from simple information hygiene to sophisticated cyber security.
The CMMC initiative builds on the existing trust based regulation (DFARS 252.204-7012) by incorporating a validation element into the cybersecurity risk management framework. The objective is to make CMMC affordable and financially feasible to allow its implementation by small business contractors at lower levels of CMMC and the intention is to carry out audits and lower risk to the government through accredited independent third party entities.
Microsoft's CMMC Acceleration Program
However, one important element is going to the usage of secure cloud. This not only includes IaaS, PaaS but also SaaS services like Microsoft 365. A large number of the DIB need to seriously evaluate these options - consider cloud native to minimize their footprints and consider serious architectural isolation.
To prepare for DoD’s new Cybersecurity Maturity Model Certification (CMMC), several of Microsoft’s clients and partners, which includes users of both Azure and Azure Government, have requested the company provide more detail about how to brace for audits due to commence in 2020 and beyond.
A major goal of Microsoft is to continue improving cybersecurity across the DIB using sophisticated cybersecurity tech, checks and risk management practices to allow its cloud customers to acquire Microsoft's security controls and ultimately, CMMC certifications.
This article was authored by managing director and co-founder of Quzara, Saif Rahman. It was originally published on June 12, 2020 on LinkedIn.