Sensitive defense and national security data will never be secure until all of the companies in the supply chain -- second, third and fourth tier included -- meet the same stringent requirements of DOD itself.
More than two trillion dollars in intellectual property, trade secrets, sensor data, cryptographic information, and research and development findings is being siphoned off in cyberattacks by America’s adversaries every year. And the nation’s defense posture is being compromised.
Ironically however, the networks, systems, and data files belonging to the Department of Defense itself are widely considered to be the gold standard for safeguarding against intruders. DoD security provisions are technically demanding, involve multiple layers, are constantly maintained, and continuously upgraded.
So why is so much defense data hemorrhaging?
It’s because the department’s outside suppliers and sub-contractors – particularly smaller businesses in the second, third, and fourth tiers of the agency’s supply chains – do not have the same high levels of security as the department itself.
The reasons are understandable. Information security professionals are in high demand. Many smaller businesses are not able to compete for, or afford, such talent. Add the cost of security tools and operations, and for some, adequate security is financially out of reach. As a consequence, smaller suppliers have been called “the soft underbelly of the DoD supply chain.
You might think there’s no need to hold a small supplier of insulation used on the wires of an aircraft component to the same high level security standards as the plane’s engine maker. But foreign adversaries are good at piecing together puzzles and sensitive information about how a product’s application, if compromised, becomes one more piece of a puzzle.
And you never know what you don’t know. So when you take all those suppliers together, the puzzle picture becomes clearer. The result is that small vendors are a very real security weakness to America’s security.
However, it’s not as though government contractors are free of oversight. Prime contractors, in particular, have operated under rigorous security requirements for years. But those stringent requirements become harder to convey and enforce each step down the supply chain.
One particularly egregious case is the theft of data related to the costly 10-year development of the F-35 fighter aircraft leading to a Chinese clone of that plane in just two years. Yet it wasn’t stolen from Lockheed Martin, the plane’s prime contractor; it was taken from several lower-level subcontractors and suppliers, each a piece in the puzzle.
The Pentagon doesn’t have the option of bringing every source it requires in-house and building a security fence around them. Nor can it simply decree that no small business will be eligible to supply DoD contractors; that’s just not how things work. Virtually everyone is dependent, to some degree, on the work of other people they don’t know.
The Pentagon is keenly aware that sensitive information is being lost from its sub-tier suppliers. Starting in 2010, it began implementing a series of procedures to guard against public disclosure of what it calls “controlled UNclassified information,” or CUI. Fully classified information, on the other hand, already fell under earlier security policies – policies which frequently differ from one federal agency to another.
In 2013, an executive order was issued to harmonize requirements across executive agencies for handling and protecting sensitive but unclassified information to better manage risk.. Two years later, the National Archives and Records Administration, NARA, and The National Institute of Standards and Technology, NIST, each issued frameworks for contractors handling CUI. Then in 2016, the Defense Federal Acquisition Regulation Supplement, or DFARS, came out with a rule requiring suppliers to provide adequate security for sensitive defense information handled by their internal information systems. And in 2017, DoD mandated that suppliers comply with the NIST 800-171 framework’s 110 security controls, either by immediately satisfying a control or developing a Plan of Action and Milestones or POAM to satisfy the control in the future.
While their aims were laudatory, the results were flawed. Check-box compliance doesn’t always translate into real security. POAMs, which are pledges to do something in the future, don’t provide the same protection as implementing security controls today. Promises to implement measures are cheap; implementation itself can be expensive; businesses want to save money, not spend it. And NIST 800-171’s enforcement through self-assessment and self-reporting allowed everyone to grade themselves which didn’t turn out well either; contractors tended to be too lenient, giving themselves the benefit of the doubt, or didn’t fully understand requirements to satisfy a control.
By 2019, the need for a different approach was recognized, and a new regimen – the Cybersecurity Maturity Model Certification, or CMMC – was announced. Unlike earlier security attempts, CMMC requirements apply to all organizations, both direct and indirect, in the DoD supply chain, regardless of whether they handle CUI or not. Its provisions will be rolled out starting in 2021 through 2025, when they are expected to become fully operational. And they apply to small businesses as well as to giant contractors.
That puts many smaller companies on the spot. The time, talent, and money needed to bridge the chasm between their previous security measures and those required by CMMC is substantial. And yet, without finding a way to close that gap, access to most federal contracts would be unavailable. But there are options.
The first, would be to upgrade the current or build a new digital environment that satisfies the CMMC requirements. Doing so would typically involve bringing IT expertise onboard, investing in talent and technology, spending the time required to make all necessary modifications, and then completing the certification process before being eligible for a DoD contract award or renewal.
A second approach would be to use a managed service provider, or MSP, to outsource the IT environment and its operation. That could provide economic and timing benefits to a contractor because using an MSP – unlike in following a DIY approach – would presumably make use of existing expertise and infrastructure. The MSP would also be able to share costs among multiple clients instead of plunking them all on one user.
In some cases, a small sub-contractor may be able to “borrow” or operate within the IT infrastructure of the contractor for whom they are working, rather than using their own IT environment. Presumably the larger contractor would have already put the required protections in place, and the subcontractor’s access to the system could be limited just to their specific business with the government.
All of these options involve effort, time, and expense on behalf of the small business sub-contractor. But the net result can benefit the company and its work with other clients as well as with DoD. The fact is there are still many small companies that rank low on the cyber maturity scale.
That needs to change.
At least three-quarters of all federal contractors are small businesses. The nation’s defense depends on having access to their talents. The nation’s defense depends on their being secure.
There is still time before CMMC requirements become universal for small business owners to upgrade their security and preserve the value that these American contractors bring to our nation’s defense. DoD and Congress are sensitive to the impact of CMMC on their businesses and are exploring options to reduce the burden of achieving the minimum threshold of cybersecurity mandated to handle sensitive defense information.
NEXT STORY: Are you ready for another government shutdown?