From a quick assessment of what has been published thus far on the CMMC regulation and its overall goal, it appears that contractors’ lack of information security will no longer be tolerated by the DoD. Following the introduction of the new regulation to the public in January of 2020, it is expected that new contractual requirements will include CMMC starting in June of 2020, with enforcement for current contractors starting in September of 2020. The currently proposed structure for achieving a CMMC level of security is somewhat advanced, but not unprecedented. One of the more significant moves in this effort is the requirement that entities be audited by an independent third party before any certification is awarded. The audit will likely require evidence showing that the correct level of security controls is present and functioning as required. Although this regulation is new, it will likely consist of existing NIST controls, as chosen by the DoD.
Given the nature of the Federal Information Security Modernization Act (FISMA), whose purpose is to protect all federal data by means of the NIST controls, it is hard to conceive of any other security framework being used to meet the goals of CMMC. Even here, at the assurance level for the security controls, we find an interesting item for auditors: they will be required to attest to the accuracy of their findings. This step is likely in place to link auditors directly to an organization in the event of a control failure or data breach. As such, it appears that the audit process will be evidence intensive, with audit artifacts and audit trails required to demonstrate compliance with the selected controls.
So, how did we get here? After a review by the DoD, it was determined that only 1% of contractors actually have some form of proper data protection in place, which naturally gives rise to concerns over the military’s highly sensitive data being secured against other nation-states that wish to obtain it. These nation-states and their activities are collectively known as the ‘advanced persistent threat’ (APT), as they seek to obtain the targeted data at almost any cost, including working to infiltrate systems for years. Additionally, there is the threat from criminal actors who pursue this data so that it can be sold on the black market to the highest bidder. Either of these attackers represents a significant threat to military contractors, mainly because appropriate information security controls have not been put in place.
Recently, the Department of Defense (DoD) announced a new initiative for the information security component of defense contractors, subcontractors, and the supply chain for DoD projects. This regulation is coming forward with the goal of securing the complete DoD supply chain, which has had historical issues with keeping sensitive data secure. Currently, DoD contractors and subcontractors are obligated to protect the data entrusted to them by having an information security program in place that deploys the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 security controls. Despite those obligations, contractors have consistently had issues with protecting the military data entrusted to them, resulting in data exposure and breaches.
The concerns over data security materialized in stark reality when a civilian contractor was breached early in 2018, resulting in the exposure of more than 600 gigabytes of highly sensitive information to China as a result of its cyberattack efforts. This breach significantly impacted the US Navy’s Sea Dragon project for the submarine fleet and the overall capability for conducting subsurface warfare operations. The exposure also included the breach of the electronic warfare library for that project, which, as the name implies, contains a notable amount of highly classified data. What cannot be overstated is the value of that data loss, as it represents untold years of accumulated, hard-won United States knowledge and expertise in several matters of science, research, and advancement from associated discoveries. It appears that, due to this breach and others like it, and the assessment of the poor computer security posture of DoD contractors, the DoD has been forced to take a stance of “no tolerance” for gaps within information security programs.
This breach and other incidents like it demonstrate that civilian contractors have not taken appropriate actions to properly deploy information security controls to protect DoD data. This is not a defense-sector or DoD-only issue, as the loss of intellectual property (IP) across the nation has been ongoing for a number of years, with the public only recently gaining a small insight into this major issue. What needs to be understood is the impact of the loss of the country’s IP to the rest of the globe, due to the apparent complete lack of concern regarding securing company-owned systems and data. For some, the idea of IP loss is difficult to grasp or to put in easy-to-understand terms; however, we can put some measurement to it over the past several years. From reports, the loss of IP has a measurable financial impact, with estimates placing the financial cost of stolen IP at $600 billion in lost revenue for the United States. That includes several billions of dollars lost to counterfeit goods that compete not only in the domestic market, but in the international market as well.
As we move forward in the digital age, the critical nature of having secured IT systems is becoming more and more glaring. It seems clear that the information security factor will continue to have a large impact on all business sectors, with the military industry being the first to be called on to fully secure its systems. It is very likely this trend will expand outward, as people continue to express overwhelming concern over their personal data and how systems and applications are collecting and monitoring their actions and activities. Companies that decide to get ahead of this significant problem are showing a commitment to long-term investment that should have a positive impact not only on profit, but also on revenue in the years to come.
Once full details on CMMC are made available, we will look to publish a blog post that gives a clearer definition of what the CMMC requirements entail.