This post is co-written by Terry Lehman
Nation Under Attack
As American combat pilots scream across the sky flying an F-35, the finest fighter jet in the world, they may have to engage a Chinese cousin, the J-20. The NSA reported sophisticated cyber security attacks allowed the adversaries in China to steal critical information bit by bit.
The F-35 plans did not fall into Chinese hands by hacking a single computer or company. No, instead thousands of cyber attacks were launched against the networks of small government contractors who moved plans and files, such as key radar information, back and forth between emails and servers.
A lot of data. Government estimates, based on the plea deal of a convicted Chinese spy, suggest that since 2008 China has stolen terabytes of data and schematics from the F-35 and F-22 stealth fighter jet programs.
Chinese cyber criminals, working for the Chinese army, raided the computer systems of Boeing and many subcontractors to steal key national intelligence one bit of data at a time. The adversaries then reassembled the information from many sources. These efforts did not stop with the F-35. In fact, according to the Government Accountability Office:
“The Department of Defense (DOD) faces tens of millions of attempted malicious cyber intrusions per year as adversaries seek to take advantage of the department’s reliance upon computer networks.”
Defense Industrial Base
Our soldiers do not stand on the front line of cybercrime. More often the target of these attacks is the 300,000 contractors who make up the Defense Industrial Base (DIB). According to the Cybersecurity & Infrastructure Security Agency, the DIB is the “industrial complex that enables research and development, as well as design, production, delivery, and maintenance of military weapons systems, subsystems, and components or parts, to meet U.S. military requirements.”
Basically, if more companies in the DIB took steps to protect data, even just adding two-factor or multi-factor authentication, many of the F-35 secrets would not have reached Chinese adversaries.
Dangers of Cyber Crime
According to the Federal Bureau of Investigation, cyber crime involves cyber activity that threatens and compromises U.S. networks, steals financial and intellectual property, and puts critical infrastructure at risk. These attacks put every sector of the economy under threat.
In fact, according to the 2016 Global State of Information Security Survey, cyber crime has increased 38% since 2014. The impacts of these attacks strain our economy. Victims of successful attacks have reported downtime (46%), loss of revenue (28%), reputational damage (26%), and loss of customers (22%). The threat of cyber crime costs private companies $400 billion every year, and Juniper Research estimates this cost reached two trillion dollars last year.
The attacks on the defense industrial base have escalated to the point of daily warfare fought on network systems across the globe. According to Ellen Lord, the undersecretary of defense for acquisition and sustainment, “It’s no secret that the U.S. is at cyber war every day.”
The Honorable Ellen Lord continued, “Cybersecurity risks threaten the industrial base, national security, as well as partners and allies.” The Department of Defense estimated that stolen data cost the DIB over 700 billion dollars in 2015. The Government Accountability Office likewise reported that the DoD “faces tens of millions of attempted malicious cyber intrusions per year as adversaries seek to take advantage of the department’s reliance upon computer networks.”
A private and public partnership must harden the networks across the DIB to ensure adversaries do not weaken our nation through cyber warfare. FBI Director Christopher Wray, in Senate testimony, noted, “An important part of fighting back against our foreign adversaries in the cyber realm is offense as well as defense.”
In recognition that prior efforts to protect the DIB from cyberwarfare have failed, the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) has developed the Cybersecurity Maturity Model Certification (CMMC) framework. This new effort represents the largest cybersecurity public/private partnership in U.S. history. Development of the CMMC involved DoD stakeholders, University Affiliated Research Centers (UARCs), Federally Funded Research and Development Centers (FFRDCs), and the DIB sector.
What is CMMC?
In 2019 the Department of Defense announced the creation of the Cybersecurity Maturity Model Certification (CMMC) to replace the self-reporting of cyber hygiene that used to govern the DIB. The CMMC puts an end to self-assessment and requires a third-party assessor to verify the cybersecurity maturation level.
All DoD contractors must comply with the Federal Acquisition Regulation (FAR) and the Defense Acquisition Regulation Supplemental (DFARS). These regulations require companies to meet specific security standards from the National Institute of Standards and Technology (NIST). If a company connects to a government network, it must meet the NIST 800-53 standards. Companies not connected to a government network were required to self-certify that they met the 110 controls (actions to improve cyber hygiene) laid out in NIST 800-171.
The CMMC builds on NIST 800-171 but also includes controls from other cybersecurity frameworks. Where CMMC differs is in both the maturation model and the role of third-party assessors. The CMMC defines 17 domains of cyber hygiene comprising 43 capabilities. These capabilities get institutionalized through 171 practices across five levels of maturation.
The Office of the Under Secretary of Defense for Acquisition and Sustainment defines maturation as a “set of characteristics, attributes, indicators, or patterns that represent capability and progression in a particular discipline.” The CMMC contains five levels of maturation.
| Level | Processes | Practices |
|---|---|---|
| 1 | Performed | Basic Cyber Hygiene |
| 2 | Documented | Intermediate Cyber Hygiene |
| 3 | Managed | Good Cyber Hygiene |
Third-party assessors, who must complete coursework and obtain a certification, will then measure what maturity level a contractor has met. An organization must demonstrate the institutionalization of the processes and the utilization of the practices. Furthermore, the maturation model is cumulative, meaning a contractor must demonstrate that it has also met the practices and processes of all lower levels.
Development of the cybersecurity maturation model has reached its final stages before going live. Groups of provisional assessors have completed coursework. Licensed companies have entered an approved marketplace, and as of November 2020 the licensed training partners awaited finalization of certification exams.
By the year 2025 all DoD solicitations will require companies to hold CMMC certification. This means that over 300,000 companies and universities who touch sensitive data must rely on third-party assessors to determine their maturation level. The more sensitive and mission-ready the data, the higher the level required.
DFARS Interim Rule
Since December 13, 2017, companies could lose DoD contracts due to lax cybersecurity. Yet until recently DFARS required organizations to self-assess. Companies had to provide documentation on meeting the 110 controls of NIST 800-171 by collecting artifacts into a Body of Evidence.
A Body of Evidence contained three major items. The first, a System Security Plan, describes a company’s infrastructure, such as the hardware and software utilized. The Plan of Action and Milestones (POAM) documented any shortcomings and described a remediation plan. A company would also submit its procedures and policies as part of the Body of Evidence.
DFARS required a contractor’s POAM to be shared with the DoD. A major change in the CMMC is the removal of the POAM and the use of third-party rather than self-assessments.
Yet with total compliance with the CMMC not required until 2025, how do we protect the trillions of dollars of data currently vulnerable across the DIB? In October of 2020 the Office of the Under Secretary of Defense for Acquisition and Sustainment published an interim rule as an update to the Defense Acquisition Regulation Supplemental.
This interim rule, currently under public review, will go into effect immediately. DIB contractors need to take immediate action to learn about the interim rule and how its assessments differ from those of the CMMC.
(This post is a pre-publication draft of chapter one of a handbook Terry Lehman and I will publish on completing the Basic level self-assessments that comply with the DFARS Interim rule 252.204-7019 and the medium and high levels of 252.204-7020 and 7021 while also preparing for a CMMC future. We welcome feedback and corrections.)
Carnegie Mellon University and The Johns Hopkins University Applied Physics Laboratory. (2020). Cybersecurity Maturity Model Certification (CMMC), Version 1.02. Department of Defense under Contract No. FA8702-15-D-0002.
Department of Defense. (2016, September). DOD Focuses on Minimizing Cyber Threats to Department, Contractors. Retrieved October 11, 2020, from www.defense.gov/Explore/N…
Federal Bureau of Investigation. (2020). Cyber Crime — FBI. Retrieved October 18, 2020, from www.fbi.gov/investiga…
Federal Bureau of Investigation. (2020, September 16). FBI Strategy Addresses Evolving Cyber Threat. Retrieved October 11, 2020, from www.fbi.gov/news/stor…
PwC Global. (2014). The Global State of Information Security Survey 2016. Retrieved July 4, 2017, from https://www.pwc.com/gx/en/issues/cyber-security/informationsecurity-survey.html
Gonzales, D., Harting, S., Adgie, M. K., Brackup, J., Polley, L., & Stanley, K. D. (2020). Unclassified and Secure: A Defense Industrial Base Cyber Protection Program for Unclassified Defense Networks. RAND Arroyo Center, Santa Monica, CA.
Lubold, G., & Volz, D. (2018, December 14). Chinese Hackers Breach U.S. Navy Contractors. Wall Street Journal.
Government Accountability Office. (2020). GAO-17-512, Defense Cybersecurity: DOD’s Monitoring of Progress in Implementing Cyber Strategies Can Be Strengthened. Retrieved October 18, 2020.
Brown, M., & Singh, P. (2018, January). China’s Technology Transfer Strategy: How Chinese Investments in Emerging Technology Enable A Strategic Competitor to Access the Crown Jewels of U.S. Innovation. U.S. Department of Defense, Defense Innovation Unit Experimental (DIUx).
Plea Agreement, United States v. Su Bin, No. SA CR 14-131 (C.D. Cal. Mar. 22, 2016). www.justice.gov/opa/file/… download.