Department of Defense Ups the Ante with CMMC

“America is engaged in cyber warfare, where the threat today will be different tomorrow. We need critical thinking about our nation’s fundamental cybersecurity practices,” said Katie Arrington, CISO for Acquisition and Sustainment at the United States Department of Defense (DoD). She is also the primary driver and spokesperson for DoD’s new initiative to protect its vast supply chain of over 300,000 vendors, the Cybersecurity Maturity Model Certification (CMMC).

According to Arrington in a recent podcast, the lack of proper cybersecurity and the resulting data exfiltration cost the US government an estimated $600 billion a year, much of it going to state actors that leverage US intellectual property for their own purposes. There is clear (and tangible) evidence of this theft.

Arrington and others have determined that the previous practice of self-attestation against National Institute of Standards and Technology (NIST) Special Publication 800-171 is not good enough. While the controls are relevant and necessary, self-attestation is difficult, because it is hard to be self-critical when you think you are doing the best you can. In 2018 Ellen Lord, Under Secretary of Defense for Acquisition and Sustainment, said that we need a “trust but verify” construct to secure supply chains effectively.

Reports about cybersecurity readiness in supply chains, such as MITRE’s Deliver Uncompromised and the Navy Cyber Security Review, have also decried lapses in fundamental cybersecurity hygiene, such as stale (expired or unmanaged) certificates, unnecessarily exposed Internet-facing servers, and misconfigured RDP servers reachable from the Internet.

These demands for better cybersecurity could not come at a more crucial time, accentuated by upcoming technologies that will make attacks much more effective and pervasive. In the same podcast, Ms. Arrington noted that highly sophisticated technologies will become commercially available by 2025, making it easy for attackers to break passwords and to devise new, complex attack vectors.

Therefore, the CMMC is designed to instill critical thinking about cybersecurity at the lowest tiers of the supply chain as quickly and inexpensively as possible. Arrington believes that all contractors should be able to adhere to CMMC’s most basic level, since certifying at Level 1 costs a small company little (approximately $3k).

At an RSA keynote session last week, “New Department of Defense ‘Up or Out’ Cybersecurity Standards Coming Fast,” Admiral James Stavridis echoed the construct’s simplicity by calling CMMC a “karate belt system” for the defense industrial base (DIB). He likened CMMC Level 1 to a white belt and Levels 4 and 5 to a black belt.

Urgency for better cybersecurity has also led to a rush to publish CMMC guidelines, with an expectation of certifying 1,500 contractors (10 contracts with roughly 150 suppliers each) by the end of 2020 and 7,500 more in 2021. However, it will take great teamwork and execution across the DoD, the DIB and the high-tech industry. Along with the CMMC Accreditation Body and the Defense Industrial Base Sector Coordinating Council, Exostar recently announced a working group to ensure that everyone from primes down to small businesses certifies at the appropriate level.

The push to get CMMC out the door has also deliberately narrowed the initial scope to on-premises environments, as discussed in Robert Metzger’s paper, “Cyber Safety in the Era of Cyber Warfare”. But as Ms. Arrington stated in the above-mentioned podcast, “the CMMC should not become a checklist. It should be a tool that we can constantly tweak as the threat changes. We need to tweak our thinking around them. You’ll never be 100% secure. If anyone tells you that, they’re selling you a false bill of goods.”

At Expanse, we share this point of view, especially when dealing with cloud and Internet-based assets in an operations-oriented supply chain risk management (SCRM) program. It is one thing to secure your known on-premises assets; mapping unknown Internet Assets with Expanse’s discovery and mapping capabilities to minimize your attack surface is quite another. And of course, operationalizing the discovery, securing and remediation of unknown assets becomes even more important as primes and their subs vie for ‘black belt’ status, or CMMC Level 4/5.

Expanse software currently supports 12 of the 17 CMMC domains, either directly or through partner integrations. The chart below describes how Expanse automatically discovers and enriches data about publicly facing Internet Assets on a continuous basis. From a cyber maturity perspective, Expanse’s asset inventory data and risk alerting align with the maturity-of-practice expectations for the most critical suppliers in the DIB.

To learn more about CMMC, visit the DoD’s CMMC and CMMC AB sites. If you happen to be in Washington DC in June (date TBD), please register for Executive Mosaic’s event, where Katie Arrington and Matt Kraning, Expanse’s Co-Founder/CTO, will discuss CMMC readiness.