The costs and consequences of malicious cyber-activity are impossible to put a price tag on, as bad actors pose threats in all aspects of our personal, public and political lives. And the stakes are only rising both here at home and globally. In my upcoming RSAC 2020 keynote with my colleague, Juliette Kayyem, former assistant secretary at the US Department of Homeland Security, we’ll address the latest in global cybersecurity threats, the geopolitical and cyberwar-fighting challenges our nation faces, and the vulnerability of the 2020 US presidential campaigns and election.
We’ll also dig deep into the security of the US Defense Industrial Base (DIB)—that is, the 300,000-plus contractors and suppliers who do work for the Department of Defense (DoD). In particular, we’ll focus on a sweeping DoD initiative to harden the DIB’s cybersecurity in the face of challenges from economic competitors and nation-state adversaries. The DoD has recently put this $1 trillion sector of the US economy on a fast track to higher cybersecurity standards with an “up or out” program known as Cybersecurity Maturity Model Certification (CMMC).
The DoD’s Vast Attack Surface
The DoD is keenly aware of the vast attack surface it presents and, indeed, is attacked 40 million times a day via the internet. DoD has identified its supply chain—comprised of approximately 300,000 companies within the DIB—as one of its primary areas of cybersecurity risk. That includes our nation’s largest defense contractors down to small-shop suppliers of sub-components and parts.
Just one example suffices to illustrate our vulnerabilities: A hacker—a rogue bad actor or a state-sponsored one, perhaps—could penetrate poorly defended servers and files, and introduce subtle changes to the specifications on advanced stealth materials, altering the defensive radar profile of new fighters and causing potentially catastrophic outcomes.
Clearly, when it comes to securing our nation’s massive defense supply chain, we cannot be satisfied with the status quo.
CMMC: New Framework on the Fast Track
The DoD knows what it needs to do and is acting fast with CMMC.
CMMC introduces new cybersecurity standards on top of existing ones and maps them to five levels of cybersecurity maturity. Each level has a defined set of required practices and processes that all defense contractors will have to live up to. Practices range from basic cyber-hygiene at Level 1 to advanced cyber-hygiene at Level 5. Process levels range from performed at Level 1 to optimized at Level 5.
Companies that hope to handle controlled unclassified information (CUI) will need to achieve at least CMMC Level 3. CUI is information that requires safeguarding or dissemination controls pursuant to federal law, regulations and government-wide policies. At CMMC Level 3, for example, CUI stored on digital media such as servers, phones and laptops must be protected by cryptographic mechanisms not only while in transit or in use but also while at rest. All backups of CUI at any storage location need to be protected, too. CMMC also calls for new email protections such as asymmetric cryptography. All of these CMMC requirements can be met by the gold standard of 100% end-to-end encryption to protect email, files and data.
Every one of the 300,000 companies in the DoD’s supply chain will need to be audited and certified at the CMMC level appropriate to the work they want to do for the DoD. And this change is happening fast: beginning in October 2020, RFPs associated with critical DoD programs and technologies will incorporate CMMC-level requirements that will be used as the basis for “go/no-go” decisions for awarding contracts.
CMMC is moving from concept to implementation at a remarkable speed. Katie Arrington, CISO for the Office of the Under Secretary of Defense for Acquisition, is the force behind the launch of CMMC and the DoD’s effort to rein in its cybersecurity vulnerability. I’m looking forward to hearing her speak at RSAC 2020, too.
As a retired Admiral and former Supreme Allied Commander of NATO, I’m thrilled with the DoD’s push to defend against cyberattacks that threaten US advantages in the military, technological and commercial realms. I believe that CMMC or something like it is essential to all types of sectors, from financial services to healthcare to university research. And I’m proud that the DoD is taking the lead in this critical work.