Category Archives: Computer Security

Secure Teleworking Guidance From National Institute Of Standards And Technology (NIST)



The National Institute of Standards and Technology has issued advice for organizations that must communicate remotely, warning that the lackadaisical security policies of the past will no longer cut it as hackers and spies seek to take advantage of the increased attack surface created by the surge in nationwide remote work.


“Workers across the country are being sent home and told to telework as the coronavirus outbreak continues to spread. As virtual meetings and other online interactions become a reality for many federal agencies and businesses, so too do the related cybersecurity threats.

“Unfortunately, if virtual meetings are not set up correctly, former coworkers, disgruntled employees, or hackers might be able to eavesdrop,” wrote Jeff Greene, director of NIST’s National Cybersecurity Center of Excellence. “Using some basic precautions can help ensure that your meetings are an opportunity to collaborate and work effectively — and not the genesis of a data breach or other embarrassing and costly security or privacy incident.”

Greene laid out a number of suggestions for keeping virtual work discussions private and safe, most of which are simple and likely to already be specified (if not always heeded) in an organization’s existing policies.

Limiting reuse of access codes for phone meetings along with one-time PINs and multifactor authentication can help ensure that only authorized users are on more sensitive calls. For virtual or web meetings, waiting rooms and dashboards can help monitor attendees and keep track of unnamed or generic visitors. They can also help an organization keep track of who is (and isn’t) supposed to be connected.

Not every work meeting will require the use of every step. Greene encouraged organizations to use different protocols for low-, medium- and high-risk calls, and NIST developed an easy-to-use graphic to help workers determine when to use what option. More sensitive work may require tactics like distributing PINs at the last minute, identifying all attendees and then locking the meeting and ensuring that all attendees are connecting from approved devices.

The Cybersecurity and Infrastructure Security Agency has also warned that widespread telework could open up new opportunities for digital compromise. The agency put out its own security guidance last week for organizations relying on enterprisewide virtual private networks, including testing VPNs for mass usage; ensuring VPNs, network infrastructure devices and end-user devices are patched and up to date; ramping up log reviews, attack detection and incident response and recovery activities; and implementing multifactor authentication wherever possible.”

Spinning Up Telework Presents Procurement Challenges



There’s good news and bad news for agencies looking to ramp up telework in the wake of the coronavirus pandemic, according to federal contracting experts.

The good news is federal acquisition contracts are set up for quick acquisition of essential telework equipment, such as laptops or tablets, said acquisition experts FCW spoke with. The bad news could be that online scammers are watching the expanding tele-workforce with great interest.


“The emphasis on agency telework is growing, and although most agency employees are already assigned computers, there may be some hardware gaps to fill as workforces move to remote locations.

Federal governmentwide acquisition contracts, such as NASA’s Services for Enterprise-Wide Procurement, the General Services Administration’s ordering schedule and the National Institutes of Health Information Technology Acquisition and Assessment Center (NITAAC) are set up to help quickly fill laptops, tablets and other IT commodity orders, they said.

“In general, SEWP is an agile acquisition vehicle that allows for quick turn-around times for quotes and provides points of contacts for all contract holders to facilitate quick communications,” Joanne Woytek, SEWP manager, told FCW. The GWAC, she said, has not seen any specific increase related to teleworking support, so far.

“For laptops, tablets, printers, agencies have purchase cards,” Alan Chvotkin, executive vice president and counsel for the Professional Services Council, told FCW. “Orders placed on SEWP and federal schedules can get responses within 24 hours,” he said, adding that speedier responses could pump up costs.

SEWP posted a warning on its webpage at the beginning of March saying delays in some orders could result from stresses on the supply chain.

In an email to FCW on March 11, Woytek again noted that delivery of technology “is limited by the capacity of industry.” She said order delivery “is going to be on a case by case basis and greatly dependent on the complexity, configuration and size of an order.”

However, the demand for laptop and tablet computers from federal agencies during the next few weeks probably won’t be too steep, said Roger Waldron, president of the Coalition for Government Procurement.

Agencies, however, should be working diligently to “level set” their computer and network needs for the coming weeks, as well as keep informed on their existing IT contracts and how to leverage GWACs, such as SEWP, to back fill last-minute IT and IT commodity needs.

Even though agencies will probably have the resources to get any necessary computers for new telecommuters, another acquisition expert said they face a sneaky obstacle — telework-savvy cyber adversaries.

Bad actors are on the lookout for new teleworkers, as those workers open up a vulnerability to protected networks, said Evan Wolff, a partner at Crowell & Moring, who co-chairs the firm’s Privacy & Cybersecurity Group and is a member of its Government Contracts Group.

Targeted phishing emails and other cyber crime techniques could be a challenge for federal IT managers with increasing numbers of telecommuters, Wolff told FCW in an interview.

Federal IT managers, he said, may not have appropriately secure infrastructure in place to lock down all communications. Additionally, simple things, such as shared living space with non-government employee roommates, could also present issues, if the federal teleworker has a sensitive post, he said.

“We’re already seeing a focus on customized phishing” aimed at non-government telecommuters as the coronavirus spreads, said Wolff. That wave of targeted remote worker phishing email is probably coming to new federal telecommuters too.

“Bad actors understand a target’s leadership and the types of appropriate email” that could tempt them into taking the bait, he said.”

Securing the 5G world

Image: (peshkov/Getty Images)


5G is set to revolutionize the mobile communications industry — offering high data rates, low-latency and ubiquitous connectivity with levels of reliability not previously seen.

As software-centric, virtualized networks change the communications landscape, delivering on the promise of 5G will require diligence and comprehensive security testing.


“This will enable new services and use cases that go far beyond communication between individuals. The rapid progression of 5G deployments has huge potential for connecting economies at scale, while simultaneously exposing potential vulnerabilities that must be addressed.

Shift to software-centric, virtualized networks changing the communications landscape

To deliver higher performance and lower cost, 5G networks are leveraging technologies that are software-centric and virtualized, moving from custom hardware to software components running on commercial off-the-shelf (COTS) hardware. This increase in software content across 5G deployments continues to fuel an exciting, faster development pace. But with this comes some challenges since these 5G technology innovations are also expanding the attack surface of the system. While 5G core network functions are making use of a new and different software architecture, common technologies like HTTP and REST APIs that are well known are replacing proprietary interfaces of the past. All of these things increase the potential for cybersecurity attacks and vulnerabilities.

Network Function Virtualization (NFV) will deliver far more scalability than traditional platform approaches. NFV relies on a software stack and infrastructure where network functions execute. While virtualization has significant advantages in terms of scalability and efficiency of the underlying hardware resources, moving to a software platform that is made up of many different components from many different vendors, often including open-source, increases the risk of a vulnerability being exploited that could compromise the entire system. Additionally, with 5G network slicing, which makes extensive use of virtualization techniques, guaranteeing slice isolation and preventing data leakage between slices are key for the security of the 5G networks.

Another core assumption with 5G is related to the proliferation of connected devices that will become an essential part of our daily lives. 5G will enable new use cases, where an agreed upon quality of service is required to support the reliability, throughput, or latency requirements associated with critical infrastructures and real-time systems. While there are standards available (or being developed) to mandate and evaluate security across different sectors like automotive, health, utilities, etc., there is a lack of standardization for general IoT devices. The effect of poorly secured devices, proliferated across the network, can easily disrupt essential and nonessential services enabled by 5G.

5G networks are incredibly complex, and the deployment of infrastructure elements at the edge makes them more difficult to secure. Network operators faced with the complexity of these systems may rely on a third party for the configuration and management of their networks, giving administration privileges to potential adversarial actors. Poorly configured systems may compromise the networks, independent of the definition and use of security functions defined in the standard.

Delivering on the promise of 5G will require security diligence

The global technology ecosystem is taking steps to ensure we have a hardened infrastructure and has made significant progress. Governments are carefully analyzing the security risks of 5G networks and systems. In the EU, the NIS Cooperation group completed a coordinated risk assessment of the cybersecurity of 5G networks, followed by a threat landscape for 5G by ENISA (European Agency for Cybersecurity). Similar studies and activities are taking place in other regions. At the same time, the mobile communications industry has developed a Network Equipment Security Assurance Scheme (NESAS), jointly defined by 3GPP and GSMA, to facilitate improvements in security levels across the mobile industry. NESAS uses a comprehensive approach to assess the product development life cycle, as well as security test cases defined by 3GPP SA3 for network equipment.

However, given the increase in the attack surface, the level of emphasis on security must be intensified, especially compared with previously deployed generations of mobile communications systems.

The security industry offers many categories of security assessment tools including endpoint, penetration test, vulnerability scanning, fuzzing, and identity and access management solutions. All of these should be collectively used to validate all aspects of the communications infrastructure.

Comprehensive security testing will become paramount

Even though 5G standards will improve the security mechanisms over previous generations, there will still be areas that require further work to achieve and maintain secured 5G systems. The complexity of 5G networks requires proper configuration and management of the security aspects, as well as tighter security for third parties managing the networks, ultimately making for stricter control of the supply chain.

The increase in software content of 5G networks and the massive increase of IoT devices will drive a need for enhanced security controls. This must be a key area of focus for the industry as 5G scales. Security standards and best practices guides are becoming available for different sectors, covering all software development stages, from architecture and design to coding, testing, and release. With the evolving landscape of vulnerabilities and threats, companies will need to carefully consider and adopt continuous security testing using automated tools that are regularly updated to the latest threats.”

Navy Establishes 6th “Tech Bridge” Office For Partnering With Industry And Academia

Image: Secretary of the Navy


The Navy is setting up a new office dubbed the Palmetto Tech Bridge in Charleston, South Carolina, to focus on developing innovative technologies.

The effort is part of a set of “tech bridges” the service is creating under the Naval Information Warfare Center to develop partnerships among industry, academia and the services.


“The upcoming Palmetto Tech Bridge will be the sixth office. Other locations include: Newport, Rhode Island; Keyport, Washington; San Diego; Orlando, Florida; and Crane, Indiana.

Michael Merriken, director of the Palmetto Tech Bridge, said the office will be concentrating on autonomous systems, cybersecurity and communications. Specific problem sets will be determined by the Navy, he noted.

Cmdr. Sam “Chubs” Gray, director of Tech Bridges, said the centers are a platform that each of the regional offices can utilize to better connect to different resources. The service wants to tap into Charleston’s advantages, such as the city’s academic community and technology sector, Gray noted.

Charleston’s community will be particularly useful for exploring 5G technologies, Merriken said. The service hopes that will allow it to leverage industry input early in the technology development process.

“5G is a great example of a technology that’s really being led by industry,” he said. “This is where Tech Bridge really comes into play. We want to have that ability to connect with industry and collaborate with them.”

Because some of the Tech Bridge participants will be members of industry, many of the technologies may be dual-use systems that will be profitable for commercial companies as well, Merriken noted.

“We work with these solution sets to then build this product that eventually goes to the warfighter, and then the commercial folks can take that technology and then build it into some product that they can use,” he said.

Initially, researchers will be examining artificial intelligence solutions for network diagnostics, he said.

Merriken said developers are still examining specific locations for the Tech Bridge in Charleston. However, the Navy hopes to find a building that fosters teamwork with features such as meeting rooms and quiet rooms, he said.

“We’re looking for a space that we can have these people collaborate and work together,” he said.”

Amazon’s “Ring” On The Congressional Privacy Hot Seat



The House Oversight and Reform Subcommittee on Economic and Consumer Policy asked for a range of information, including copies of all agreements the company has reached with local governments going back to 2013, details on integration of any facial recognition tools and instances where law enforcement has requested video footage from Ring.


“The Subcommittee on Economic and Consumer Policy is writing to request documents and information about Ring’s partnerships with city governments and local police departments, along with the company’s policies governing the data it collects,” Krishnamoorthi wrote. “The Subcommittee is examining traditional constitutional protections against surveilling Americans and the balancing of civil liberties and security interests.”

Ring reportedly works closely with local governments and police departments to promote its surveillance tools and has entered into agreements with cities to provide discounts on Ring products to their residents in exchange for city subsidies. Reports also indicate that Ring has entered into agreements with police departments to provide free Ring products for giveaways to the public.

Ring reportedly tightly controls what cities and law enforcement agencies can say about Ring, requiring any public statement to be approved in advance. In one instance, Ring is reported to have edited a police department’s press release to remove the word “surveillance.”

“The Subcommittee is seeking more information regarding why cities and law enforcement agencies enter into these agreements,” wrote Krishnamoorthi. “The answer appears to be that Ring gives them access to a much wider system of surveillance than they could build themselves, and Ring allows law enforcement access to a network of surveillance cameras on private property without the expense to taxpayers of having to purchase, install, and monitor those cameras.”

The Subcommittee demands Amazon provide information about these partnerships dating back to January 1, 2013.”

Pentagon Intellectual Property And Enterprise Tool Challenges

Image: DAU


The Pentagon is in the midst of releasing a flurry of guidance related to its new adaptive acquisition framework. The public got its first look at the software pathway early in January when a Navy official informally released the interim guidance.

Besides the usual bureaucratic challenges of documentation and approval, two highlights could make or break the Pentagon’s ability to move fast on software.


“Like the middle-tier acquisition pathway, the budding software pathway is exempted from the regular requirements and milestone review processes. But software programs must still submit abridged requirements documents through a parallel, but “expedited,” approval process. Similarly, an acquisition strategy and set of metrics must be submitted in lieu of formal milestone reviews.

Intellectual property

A crucial component of the acquisition strategy is a plan for intellectual property (IP). As the recently released intellectual property policy specified, IP plans emphasize “the criticality of long-term analysis and planning during the earliest phases of the program.” Long-term planning is required for IP so that specified terms and pricing can be set up front, for such things as who owns the data, whether third-parties can modify the code, and which interfaces will be used. But if used improperly, it could lock in technical plans at the expense of course correction.

The IP process may run against the stated intentions of the software pathway policy — that programs use agile development methods. Some of the values from the Agile Manifesto include: responding to change over following a plan; collaboration over contract negotiation; and working software over comprehensive documentation. The requirement of defining all IP needs upfront runs counter to the values of agile.

If software is supposed to be incrementally released, then the definition of IP needs and pricing should also be an iterative exercise. Otherwise, the Pentagon’s IP policy would in practice necessitate a waterfall planning process. Developers would have to execute within the constraints of the IP plan.

Enterprise tools

The challenges of defining — and the unresolved problem of pricing — IP rights may be alleviated by a second highlight of the interim software policy: enterprise tools. Using government-owned infrastructure and platforms, many parts of the software program do not need to be recreated and separately priced. Firms can compete primarily on the application layer.

Building on enterprise tools like a government cloud, for example, would have saved the Pentagon from its IP struggle with Lockheed Martin over F-35 sustainment data. The company claimed ownership of data collected by the Automated Information Logistics System and stored on its premises. Data reports delivered to the government had Lockheed’s proprietary markings.

The U.S. Air Force has taken the lead in standing up enterprise tools for the services. Chief Software Officer Nicholas Chaillan is in the process of releasing the Unified Platform layer upon which applications can be built and deployed. The Air Force has increased funding for its Unified Platform and related elements from just over $55 million in fiscal 2019 to a request of nearly $100 million in 2020.

The Unified Platform will in turn run on government cloud solutions, which will incorporate the forthcoming Joint Enterprise Defense Infrastructure, or JEDI, contract expected to run $10 billion over the next 10 years.

Chaillan explained: “You go to big companies, they have infrastructure cloud team, they have a platform team, you don’t have each software team building the entire stack from scratch. They can reuse all these existing enterprise capabilities in terms of testing and security.”

Enterprise tools help minimize the amount of effort, and thus IP planning, required of individual software efforts. By reducing the cost of building and operating new applications, more modularized software can be written by competing suppliers. It increases participation from companies of all sizes.

With viable alternatives not only in development, but in operations, tugs and pulls of the market may reveal efficient pricing for IP without lock-in effects from sole-source providers. In other words, the government will be less reliant on lifecycle planning and cost data.

By building on government-owned infrastructure and platform layers, applications can be modularized and priced incrementally. That will help bring the business team into a culture that supports agile developers. Enterprise tools may then help move the software acquisition pathway away from “water-agile-fall” and toward a real agile development process.

Investments in enabling tools and technologies can accelerate program developments. They should be given higher funding priority as programs in themselves. If enterprise tools are built, the question remains whether the services and contractors will adopt them.”

Secret Service Launching Private-Sector Cyber Crime Council

Image: U.S. Secret Service (Twitter)

The 16-member federal advisory committee (FAC) will be the first one ever for the investigative unit, which focuses on financial crimes such as counterfeiting, card-skimming and other forms of fraud.


“Previous FACs all have been established for the Secret Service’s more widely known protection mission, which provides security for U.S. presidents and other dignitaries.

Invitations for the FAC were sent earlier this month. Jonah Hill, a senior cyber policy advisor at the Secret Service, who will be executive director of the board, declined to name the other members of the FAC during an interview with CyberScoop. The move comes as the Secret Service — like most high-level law enforcement agencies — is trying to adapt as crooks move from one digital tool to the next.

“Cybercriminals are constantly changing their tactics and their targets … law enforcement must be equally persistent in our efforts to combat these ever-evolving criminal groups,” Secret Service Deputy Director Leon Newsome told CyberScoop.

The goal is to help the investigative unit “think outside of the box” in fighting cybercrime and how the Secret Service trains to combat it, Hill said.

“What we’re trying to do is get a diverse set of viewpoints and experience and expertise from industry, from academia, from state and local government, really to kind of get a holistic picture of some of the threats we face and some of the approaches the Secret Service can take to combat those threats,” he said.

Hill said the FAC’s members were selected to represent a wide array of experiences. Some of the invited are former Secret Service leaders, he said, and others are law enforcement officers, computer scientists and experts on network security, malware, ransomware, criminal trends, business email compromise, identity theft and credit card theft.

Hill declined to comment on what members of other federal agencies, if any, would participate in meetings. (The Secret Service is part of the Department of Homeland Security.) The first meeting will probably be this summer, he said, after which the board is expected to meet twice annually.

Transnational cybercrime

One area of attention is likely to be foreign governments’ practice of tapping talented cybercriminals to do their bidding, which has presented challenges for U.S. crime-fighters as they seek to coordinate with law enforcement entities abroad to take down transnational groups.

“There’s a growing trend of a confluence between nation-state criminal actors, whether those actors are acting at the behest of government, or for the protection of government, or if governments are turning a blind eye to them,” Hill said. “To the extent that this group can help us navigate those waters we will certainly turn to them for their guidance.”

Hill declined to say which nation-state hackers the Secret Service wants the CIAB to provide guidance on explicitly.

Encryption issues and more

The Secret Service is also seeking outside expertise to help it maneuver U.S. government tech-policy changes that may be on the horizon. The Trump administration’s concerns about end-to-end encryption of email and messaging software, in particular, have stirred up the perennial debate in recent months about what to do when criminals “go dark” online. The White House, Congress, federal law enforcement agencies and Silicon Valley powerhouses like Facebook and Apple all have a stake in the debate.

“It’s really [about] understanding, helping us work through as the encryption debate advances … helping us prepare for whatever changes in either encryption law or industry approaches to encryption,” Hill told CyberScoop. “However those debates evolve, we want to be prepared to meet the challenge.”

The Secret Service doesn’t intend to advocate one way or the other on encryption, Hill said; the board will track other policy issues that affect the agency’s investigations, including privacy rules and data breach notification requirements, he said.”

Small Business Focus – Cyber Security Maturity Model Certification (CMMC)



Forthcoming cybersecurity controls are designed to help DoD and small business work together to protect sensitive data and help industry comply in a fairer way depending on the types of systems they’re asked to defend.


“Small businesses are increasingly being targeted digitally by nation states, according to Department of Defense officials, who say more must be done specifically to evaluate and reinforce the security of contractors battling cyberattacks.

“We’re losing,” said Katie Arrington, special assistant to the assistant secretary of defense for acquisition for cyber within the office of the undersecretary of defense for acquisition and sustainment, speaking Oct. 7 at an AFCEA-hosted event.

Arrington explained that adversaries cost the country $600 billion a year and that, with 5G on the horizon, that amount must be multiplied by “umpteenth” in 2025 given the near-unlimited bandwidth for cyber campaigns technology promises. As a result, Arrington said, the forthcoming cybersecurity maturity model certification (CMMC) was designed specifically for small businesses.

The CMMC is a framework that grades company cybersecurity on a scale of one (least secure) to five (most stringent). What small businesses will be asked to do is comply with a tiered rating system depending on the systems they’ll be working on.

What this means is if a company is working on janitorial services, they may only need to comply with level 1 of CMMC as opposed to level 3, which is equivalent to NIST 800-171 regulations, or level 4 that is reserved for exquisite systems.

In the past, there was a two-tiered system for small businesses to be compliant, Arrington described. A company could be compliant with 80 controls under NIST 171 and have a Plan of Actions & Milestones (POA&Ms) to do the other 30, while another company could be doing all the 110 controls and both are technically acceptable.

“That isn’t right, because our adversaries aren’t taking a cup of coffee and saying, ‘I’m going to come back to you when your POA&M is done,’” said Arrington. “They’re walking through those POA&Ms like they’re Swiss cheese.”

As a result, Arrington made the case that the CMMC is really about leveling this playing field and protecting sensitive systems that require additional cybersecurity controls.

Some have noted that these new requirements, while meant to protect the defense industrial base against loss from external forces, could hit smaller companies harder within the market.

“This would have severe unintended consequences on small businesses that do not have the resources and sophistication to obtain a high CMMC level, producing market entry barriers and limiting competition,” the Professional Services Council said in a Sept. 25 letter to DoD following the September draft release of the CMMC.

“Until we see the whole scope of who it’s going to apply to and why it’s going to apply to them, it could impact a lot of small companies,” Alexander Major, partner and co-lead for government contracts at McCarter & English LLP, told FCW following the same draft release.

Major’s co-lead, Franklin Turner, also told FCW that Arrington’s assertion that the CMMC would cost only a few thousand dollars is “utterly foolish,” adding it would “likely be an impediment” for small companies.

However, as Arrington and others have pointed out, top nation states are targeting these smaller companies, necessitating the initiative. Trying to sympathize with the audience, Arrington touted her background contracting with utilities, water and weather services where she herself was guilty of poor cybersecurity practices as a program manager.

“I knew where the weather was, the water was and the electric was. It was all on my laptop,” she said.

She did much of her work at coffee shops because, “I needed to network and I needed to communicate with my peers to drive new business and I needed to be seen, because as a small business you have a lot of people who telework from home.”

But even using a VPN to tunnel into work accounts has the potential to be exploited, Arrington acknowledged. “I was taking everything around me in the pipe.”

Recent events have put a spotlight on the fact data doesn’t have to be classified to be sensitive. Several Navy breaches — largely attributed to China — targeted contractors that were determined to have information that wasn’t itself classified, but in aggregate disclosed sensitive capabilities. It is the increase in campaigns to exploit a higher percentage of lower-level vulnerabilities that the CMMC framework addresses.

“Our adversaries are not trying to get at us at the … top of the nuclear triad,” said Arrington. “You don’t have the aperture to defend yourself against a nation state and we don’t want you to. I need to be able to help you protect us because when 80 percent of my data lives on your network, it’s no longer a you or a me — it’s a we thing. This is a we problem.

“I need to know exactly what I’m asking you to protect and at what level. Right now, you’re all just doing a bunch of different disparate things, but there’s not a level set. [Cybersecurity] controls do not equal requirement,” Arrington continued.

It is expected that in fall 2020 CMMC requirements will be included in requests for proposals and will be a go/no go decision.”

VA Developing Cyber Careers Program Filling Gaps In Workforce

Image: Purdue University Global


The Cyber Workforce Management (CWM) plans to identify work roles across every single position within VA and its IT office and establish qualification requirements for each role that all of government can use.


“The Department of Veterans Affairs is developing a cybersecurity career program to fill gaps in the NICE Cybersecurity Workforce Framework.

VA’s Office of Information Security stood up a Cyber Workforce Management (CWM) program across the broader Office of Information and Technology (OIT), which determined existing NICE Framework roles didn’t meet all of VA’s mission needs. The NICE framework, developed by the National Initiative for Cybersecurity Education, prescribes knowledge, skills, abilities and tasks (KSATs) to work roles like a cyber defense analyst.

“There are gaps in the framework. Medical is not in there, med cyber — jack of all trades, master of medical devices,” Stephanie Keith, CWM program manager, said during a panel discussion at the 2020 Health IT Summit. “But where are the cybersecurity aspects of that? At VA we’re looking at how we develop what that work role looks like.”

“I’m not about unique requirements for an agency,” Keith said. “I’m about federal national standards.”

CWM is also standing up a cyber training academy pilot to teach employees baseline skills associated with the work roles. Baseline skills for, say, a cyber defense analyst should be the same at every agency so they’re portable, Keith said.

Training for new work roles covering positions like healthcare technology managers and informaticists should happen at the device level, not the network level, she added.

VA employees further removed from technical positions still require cyber training as well in areas like early detection and zero trust, said Paul Cunningham, chief information security officer at VA.

“We’re never going to get medical teams to be primarily cybersecurity. It’s not their mission; we shouldn’t expect it,” Cunningham said. “But we should make it very easy for them to help us as first-line defenders recognize when things are not operating correctly.”

Contractors Showing Low Recognition Of Upcoming DOD Cyber Standards

Image: Vimeo CUICK TRAC – CMMC

The Defense Department has been planning for nearly a year to update its cybersecurity certification framework [Cybersecurity Maturity Model Certification (CMMC)] for vendors who handle its sensitive information.

A new survey published by Tier 1 Cyber found only 24 percent of the responding defense contractors could accurately identify the CMMC acronym in the survey.”
“Overall, the survey found contractors have “gotten the message” on the importance of cybersecurity, but few have implemented mitigation efforts to the imposing threats, Tier1 Cyber CEO Bret Cohen told FedScoop.

The survey was conducted in November and solicited responses from a random sample of 150 government contractors with revenues of more than $15 million annually. Two-thirds of the respondents were DOD contractors with the vast majority employing more than 1,000 people.

The defense industry is targeted by state and rogue actors seeking to obtain sensitive national security data. To strengthen the military supply chain, the DOD launched CMMC as a top-down cybersecurity review and new framework to ensure compliance with cyber standards for all contractors.

The Cybersecurity Maturity Model Certification will replace the National Institute of Standards and Technology standards for cybersecurity as it is phased into the contracts later this year. Currently, contractors only need to self-certify NIST compliance. That will change under CMMC, with all companies in the DOD supply chain needing a third-party accredited authenticator to certify their level of cybersecurity compliance on a five-level scale. The security level will comport with the type of data contractors are given, with highly classified material only being awarded to high-level certified contractors.

The process could take up to a year, most of which will be while companies assure the “maturity” of their network security, Cohen said. Beyond initial certification, contractors will also need to continuously ensure security compliance; they risk losing certification in the event of a breach, according to the DOD’s frequently asked questions page on CMMC.

The upcoming rules are not the only thing respondents displayed a lack of knowledge on. Cohen was also surprised by the low levels of trust DOD contractors say they have for third-party vendors. Only 12 percent of the defense contractors surveyed said they trust their vendors, an apparent weak link in the chain. Cohen interpreted that as evidence that contractors aren’t concentrating on their vendors’ security or, worse, just don’t know the state of their third-party vendors’ security.

Other contractors surveyed showed little implementation of cyber mitigation efforts beyond “water cooler conversation” about the topic. Many employees’ personal devices lacked security software, and training was not a regular practice for many of the contractors surveyed.

Cohen said he anticipates other government agencies to adopt models similar to CMMC and the DOD’s implementation will likely continue on track, despite his company’s survey finding limited understanding among contractors.”