A secure supply chain is the best defense for federal data

Sensitive defense and national security data will never be secure until all of the companies in the supply chain -- second, third and fourth tier included -- meet the same stringent requirements of DOD itself.

More than two trillion dollars in intellectual property, trade secrets, sensor data, cryptographic information, and research and development findings is being siphoned off in cyberattacks by America’s adversaries every year. And the nation’s defense posture is being compromised.

Ironically, however, the networks, systems, and data files belonging to the Department of Defense itself are widely considered the gold standard for safeguarding against intruders. DoD security provisions are technically demanding, involve multiple layers, are constantly maintained, and are continuously upgraded.

So why is so much defense data hemorrhaging? 

It’s because the department’s outside suppliers and sub-contractors – particularly smaller businesses in the second, third, and fourth tiers of the agency’s supply chains – do not have the same high levels of security as the department itself.

The reasons are understandable. Information security professionals are in high demand. Many smaller businesses are not able to compete for, or afford, such talent. Add the cost of security tools and operations, and for some, adequate security is financially out of reach. As a consequence, smaller suppliers have been called "the soft underbelly of the DoD supply chain."

You might think there's no need to hold a small supplier of insulation used on the wires of an aircraft component to the same high security standards as the plane's engine maker. But foreign adversaries are good at piecing together puzzles, and sensitive information about how a product is applied, once compromised, becomes one more piece of that puzzle.

And you never know what you don't know. Taken together, all those suppliers make the puzzle picture clearer. The result is that small vendors are a very real weakness in America's security.

However, it’s not as though government contractors are free of oversight. Prime contractors, in particular, have operated under rigorous security requirements for years. But those stringent requirements become harder to convey and enforce each step down the supply chain. 

One particularly egregious case is the theft of data related to the costly 10-year development of the F-35 fighter aircraft leading to a Chinese clone of that plane in just two years. Yet it wasn’t stolen from Lockheed Martin, the plane’s prime contractor; it was taken from several lower-level subcontractors and suppliers, each a piece in the puzzle.

The Pentagon doesn’t have the option of bringing every source it requires in-house and building a security fence around them. Nor can it simply decree that no small business will be eligible to supply DoD contractors; that’s just not how things work. Virtually everyone is dependent, to some degree, on the work of other people they don’t know.

The Pentagon is keenly aware that sensitive information is being lost from its sub-tier suppliers. Starting in 2010, it began implementing a series of procedures to guard against public disclosure of what it calls “controlled UNclassified information,” or CUI. Fully classified information, on the other hand, already fell under earlier security policies – policies which frequently differ from one federal agency to another.

In 2013, an executive order was issued to harmonize requirements across executive agencies for handling and protecting sensitive but unclassified information, to better manage risk. Two years later, the National Archives and Records Administration (NARA) and the National Institute of Standards and Technology (NIST) each issued frameworks for contractors handling CUI. Then in 2016, the Defense Federal Acquisition Regulation Supplement, or DFARS, came out with a rule requiring suppliers to provide adequate security for sensitive defense information handled by their internal information systems. And in 2017, DoD mandated that suppliers comply with the NIST 800-171 framework's 110 security controls, either by immediately satisfying a control or by developing a Plan of Action and Milestones, or POAM, to satisfy the control in the future.

While their aims were laudable, the results were flawed. Check-box compliance doesn't always translate into real security. POAMs, which are pledges to do something in the future, don't provide the same protection as implementing security controls today. Promises to implement measures are cheap; implementation itself can be expensive; businesses want to save money, not spend it. And NIST 800-171's enforcement through self-assessment and self-reporting allowed everyone to grade themselves, which didn't turn out well either: contractors tended to be too lenient, giving themselves the benefit of the doubt, or didn't fully understand what was required to satisfy a control.

By 2019, the need for a different approach was recognized, and a new regimen – the Cybersecurity Maturity Model Certification, or CMMC – was announced. Unlike earlier security attempts, CMMC requirements apply to all organizations, both direct and indirect, in the DoD supply chain, regardless of whether they handle CUI or not. Its provisions will be rolled out starting in 2021 through 2025, when they are expected to become fully operational. And they apply to small businesses as well as to giant contractors. 

That puts many smaller companies on the spot. The time, talent, and money needed to bridge the chasm between their previous security measures and those required by CMMC is substantial. And yet, without finding a way to close that gap, access to most federal contracts would be unavailable. But there are options. 

The first would be to upgrade the current digital environment, or build a new one, so that it satisfies the CMMC requirements. Doing so would typically involve bringing IT expertise onboard, investing in talent and technology, spending the time required to make all necessary modifications, and then completing the certification process before being eligible for a DoD contract award or renewal.

A second approach would be to use a managed service provider, or MSP, to outsource the IT environment and its operation. That could provide economic and timing benefits to a contractor because using an MSP, unlike a DIY approach, would presumably make use of existing expertise and infrastructure. The MSP would also be able to share costs among multiple clients instead of placing them all on one user.

In some cases, a small sub-contractor may be able to “borrow” or operate within the IT infrastructure of the contractor for whom they are working, rather than using their own IT environment. Presumably the larger contractor would have already put the required protections in place, and the subcontractor’s access to the system could be limited just to their specific business with the government.

All of these options involve effort, time, and expense on behalf of the small business sub-contractor. But the net result can benefit the company and its work with other clients as well as with DoD. The fact is there are still many small companies that rank low on the cyber maturity scale.

That needs to change.

At least three-quarters of all federal contractors are small businesses. The nation’s defense depends on having access to their talents. The nation’s defense depends on their being secure.

There is still time before CMMC requirements become universal for small business owners to upgrade their security and preserve the value that these American contractors bring to our nation’s defense. DoD and Congress are sensitive to the impact of CMMC on their businesses and are exploring options to reduce the burden of achieving the minimum threshold of cybersecurity mandated to handle sensitive defense information.
