3 keys to meeting DOD's security requirements
- By Ellen Sundra
- Mar 15, 2019
The Defense Department is now mandating the protection of its data and systems as part of its procurement processes. If your response plan does not cover the implementation of these cyber defense essentials, you’ll risk missing out on opportunities that could make or break your business.
Years from now, we could look back to current times as the period when military leaders took their most significant steps forward in the age of cyber vigilance. Within the last year, three developments in particular illustrate a state of heightened awareness and reaction on the part of the U.S. government and Department of Defense, along with a rather stunning depiction of what may happen if no substantial action is taken:
- With a deadline of Dec. 31, 2017, the Defense Federal Acquisition Regulation Supplement (DFARS) enforces requirements for protecting Controlled Unclassified Information (CUI), with 14 categories that must be met, including those related to access control, risk assessment, system/information integrity, identification and authentication. Established by NIST Special Publication SP 800-171, the CUI requirements are intended for use by military agencies in contracts – or in other agreements – between the agencies and non-federal organizations, and apply to all companies that provide products and services, either directly or indirectly.
- In September 2018, the Pentagon announced that it was going to work with its industry partners to “help them be as accountable for security as they are for quality,” according to statements made at the time by Deputy Secretary of Defense Patrick Shanahan. This accountability would not only apply to prime contractors, but their “lower-tier” supply chain associates. As part of enforcement efforts, the DoD is considering the launch of what’s called “red team cyber attacks” on its industrial partners, which would involve deploying a cell unit to identify weaknesses by attempting to penetrate contractors’ systems.
- A U.S. Government Accountability Office (GAO) report released the next month, October 2018, underscored the urgency for such measures. The report, titled “Weapon Systems Cybersecurity: DoD Just Beginning to Grapple with Scale of Vulnerabilities,” indicated that the DoD “faces mounting challenges in protecting its weapon systems from increasingly sophisticated cyber threats” due to “the computerized nature of weapon systems; DoD's late start in prioritizing weapon systems cybersecurity; and DoD's nascent understanding of how to develop more secure weapon systems.” The report expressed concerns about the threatened state of military contractors’ systems as well as federal ones. It states that DoD operational test teams were able to take control of systems and operations largely undetected using relatively simple tools and techniques.
“In one case,” the GAO report states, “it took a two-person test team just one hour to gain initial access to a weapon system and one day to gain full control of the system they were testing… Once they gained initial access, test teams were often able to move throughout a system, escalating their privileges until they had taken full or partial control of a system. In one case, the test team took control of the operators’ terminals. They could see, in real-time, what the operators were seeing on their screens and could manipulate the system.”
To its credit, the Pentagon is taking all of this very seriously. Contractors – whether the large primes or smaller subcontractors – must do so as well, because proof of systems and data controls is now being incorporated into the procurement evaluation process. In fact, while announcing the accountability policy in September, Shanahan described cybersecurity as the “fourth critical measure” in assessing industry partners. “We’ve got quality, cost, schedule, but security is one of those measures that we need to hold people accountable for,” he said.
In other words, if you and those within your supply chain ecosystem cannot capably demonstrate the cyber integrity of anything you introduce to the DoD – especially for projects involving weapons and/or additional mission-critical, sensitive operations – you’ll miss out on key contract opportunities and that may cripple your bottom line.
While response plans to the DoD directives must cover a wide range of relevant topics, they will prove ineffective and, as a result, self-defeating without addressing the following three essentials of a modern cyber defense strategy:
We buy traditional products and, too often, automatically assume that they’ll work for all devices and systems in “see it/control it/secure it” fashion. But this isn’t the case for weapons. Frankly, these systems are “hard” and, consequently, IT teams frequently have turned a blind eye to them, opting instead to focus on the “lower hanging fruit” elsewhere that’s easier to protect. This creates an open window for the bad guys to enter as they attempt to take over the relatively unguarded weapons areas, and move freely throughout an agency’s network. Thus, industry partners need tools that establish a higher level of absolute visibility, extending to weapons systems and those of comparable complexity.
With optimal visibility in place, you can set up 24/7/365 monitoring that sends immediate alerts whenever it detects unusual activity, for example: why is this weapon system-connected endpoint device “talking” to a printer that’s located in a different area of the network? Why is a new and unknown piece of software accessing data kept by a desktop user in the finance department? Via continuous monitoring, you not only maintain total awareness of such developments, but you are able to instantly determine the severity of the risks they represent, so you know how to react.
Once you see “something bad” in your products-and-services cyber ecosystem, you have to isolate and contain it. That’s what network segmentation is about – it creates an entirely separate network environment that’s designated exclusively for, in this case, weapons. This means that, within the segmented environment, only weapons-related activity is allowed. We seal off all the rest, strictly enforcing rules about what we authorize to interact within it.
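The monitoring questions above (a weapon-system endpoint talking to a printer elsewhere on the network, unknown software reaching a finance desktop) and the segmentation rule of allowing only weapons-related traffic inside the weapons segment can be expressed as one policy check over network flow records. The following is an added illustration, not code from the article or from Forescout; the zone map, hosts, ports and flows are all constructed.

```python
from __future__ import annotations
from dataclasses import dataclass

# Hypothetical zone map (constructed): every known asset is tagged with the
# segment it lives in. Assets not listed here fall into an "unknown" zone.
ZONES = {
    "10.10.1.5": "weapons",    # weapon-system-connected endpoint
    "10.10.1.9": "weapons",    # weapon-system controller
    "10.20.3.40": "office",    # printer on a different part of the network
    "10.30.7.12": "finance",   # desktop in the finance department
}

# Segmentation allowlist: (source zone, destination zone) pairs permitted to talk.
# Anything not listed is denied, which implements "seal off all the rest".
ALLOWED = {("weapons", "weapons"), ("office", "office"), ("finance", "finance")}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    process: str   # initiating process, as reported by endpoint telemetry

def zone_of(ip: str) -> str:
    # Unknown assets never match an allow rule, so they always surface.
    return ZONES.get(ip, "unknown")

def evaluate(flow: Flow) -> tuple[str, str, str]:
    """Return (verdict, severity, reason); verdict is 'allow' or 'alert'."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if (src_zone, dst_zone) in ALLOWED:
        return "allow", "none", f"{src_zone}->{dst_zone} permitted"
    # Anything touching the weapons segment or an unknown host is rated high.
    high = {"weapons", "unknown"} & {src_zone, dst_zone}
    severity = "high" if high else "medium"
    reason = (f"cross-segment flow {src_zone}->{dst_zone} "
              f"({flow.proto}/{flow.dport}) initiated by {flow.process}")
    return "alert", severity, reason

def scan(flows: list[Flow]) -> list[tuple[Flow, str, str, str]]:
    return [(f, *evaluate(f)) for f in flows]

# Constructed sample flows covering the two scenarios in the text.
SAMPLE_FLOWS = [
    Flow("10.10.1.5", "10.10.1.9", "tcp", 502, "controller.exe"),    # weapons-internal
    Flow("10.10.1.5", "10.20.3.40", "tcp", 9100, "spooler.exe"),     # weapon endpoint -> office printer
    Flow("192.168.99.7", "10.30.7.12", "tcp", 445, "updater.exe"),   # unknown host -> finance desktop
]

if __name__ == "__main__":
    for flow, verdict, severity, reason in scan(SAMPLE_FLOWS):
        print(f"{verdict.upper():5} {severity:6} {flow.src} -> {flow.dst}: {reason}")
```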
Throughout all sectors, leaders universally acknowledge that yesterday’s responses to cyber threats no longer suffice – not when increasingly sophisticated attacks come at them faster than ever, in growing numbers. Because its “vault” oversees an immense number of appealing targets, the military must enforce standards that rise above the rest.
Fortunately, organizations seeking to pursue procurement opportunities with the Pentagon – regardless of their size – can ensure they hold up to an elevated state of due diligence by building a cybersecurity strategy with an unquestioned dedication to visibility, continuous monitoring and network segmentation.
Certainly, we will never see “business as usual” in play again. But we will see good companies keep their competitive value intact, thanks to this new commitment.
Ellen Sundra is a vice president at Forescout Technologies and leads the Americas Systems Engineering team.