Katie Arrington, chief information security officer at the office of the undersecretary of defense acquisition, said CMMC is still on track despite hurdles created by the ongoing COVID-19 pandemic that has roiled the world.
Work on the Defense Department’s highly anticipated set of new cybersecurity standards — known as the Cybersecurity Maturity Model Certification version 1.0 — is still on track despite the ongoing COVID-19 pandemic, said an official in charge of the effort April 22.
The new rules, which the Defense Department rolled out earlier this year, are meant to force the defense industrial base to better protect its networks and controlled unclassified information against cyberattacks and theft by competitors such as China. The rules will eventually be baked into contracts, and the Pentagon had targeted including them in requests for information as early as this summer on pathfinder programs.
Under the plan, CMMC third-party assessment organizations, known as C3PAOs, will be trained and approved by a new accreditation body. They will have to certify that a company has met the CMMC standards before it can win contracts. CMMC features different levels, with the level 1 standards being the least demanding and level 5 the most burdensome.
“We are on track, but we’re having to retool some of the training because the actual inspections … [do] have to happen,” she said. “The actual audit has to be done on site.”
The Pentagon is working on ways around that, she said during a webinar called “Protecting Small Business in a COVID-19 Environment” hosted by Project Spectrum, which is part of the Cyber Integrity Initiative and is supported by the Pentagon’s Office of Small Business Programs.
“We’re still on track,” she said. “We’re still doing the pathfinders. We’re working through those. We’re still on target to release some initial RFIs in June with the CMMC in it so we can all kind of get a feel for it.”
Additionally, the Pentagon still plans to get the first class of C3PAOs rolling out in late May or early June, she said.
The biggest sticking point will be conducting in-person audits, as is required, Arrington said.
“Until we get the directive from the president and from Secretary [of Defense Mark] Esper with the DoD we have our stay-at-home orders,” she said. However, “the work hasn’t stopped and we’re still doing our absolute best to stay on track.”
Last week, speaking during a Bloomberg Government webinar, Arrington said potential delays of a couple of weeks would be insignificant to the overall program. “A two-week push on something is not going to … have a massive impact to our rollout of this,” she said. “I don’t think it’s going to be impactful to the schedule. I think maybe we’ll have a two, three week slip on actually doing the first audits, the pathfinders, but nothing of significance.” Auditors may have to wear masks or social distance while conducting their work, she said.
Meanwhile, Arrington noted that businesses should consider implementing the first level of the CMMC requirements now to protect themselves as more employees in the defense industrial base work from home.
“CMMC level one are 17 controls, no cost, that you can implement today that can help you be secure,” she said. “Waiting isn’t an option for any of us right now.” She also stressed the importance of good cyber hygiene, and recommended that employees frequently change their passwords and be mindful of spearphishing attempts. “Do your best to be diligent and remember that … the weakest link is where the adversary will come in,” she said. “Don’t be the weakest link.”
Nathan Magniex, a senior cybersecurity expert at Project Spectrum, also noted during the webinar that contractors should be wary of conducting meetings on the popular video platform Zoom.
“I would not use it as a business owner,” Magniex said. “There are certain red flags. There are connections with China that are concerning especially for the defense industrial base.”
“In an OTA, in the technical specs, they can actually call it [Cybersecurity Maturity Model Certification (CMMC)] out and say what they want,” said Katie Arrington, DOD’s chief information security officer for acquisition during an April 29 NextGov webinar on CMMC.
OTAs are meant to speed the government buying process and allow DOD to buy new capabilities faster by allowing officials to sidestep competitive bidding in certain cases. But there’s ample worry of potential overuse, which could invite congressional scrutiny.
Arrington’s comments come as DOD has begun pushing for the use of OTAs to find and execute on solutions that can help treat or prevent the spread of coronavirus. Ellen Lord, DOD’s acquisition chief, issued a memo in early April to ease the OTA process by delegating contracting authorities to heads of agencies and combatant commanders during the pandemic.
For example, the Army issued $100,000 contracts for innovative ventilator solutions that could be deployed in rural settings as part of its xTech COVID-19 Ventilator Challenge. The ongoing contest aims to produce 10,000 ventilators suitable for field operation in eight weeks and uses OTAs.
As for cyber concerns, Arrington said because OTAs operate “outside” the Federal Acquisition Regulation and largely benefit small businesses, which can be the most vulnerable when it comes to cybersecurity, CMMC is even more important.
“That’s where we need to ensure that we’re putting those levels of CMMC in,” she said. “If you’re doing some grant work, we do need to make sure the institution or the department or the network that you’re doing this work on understands the risk…Everybody’s vulnerable.”
It’s a new year — and a new cybersecurity regime for vendors working on defense contracts is coming.
The Defense Department has been steadily working on its new unified standard, the Cybersecurity Maturity Model Certification (CMMC), and is expected to release a final version and a list of accrediting bodies in January. But while companies shouldn’t wait until things are finalized to prep for certification, many are stuck.
“CMMC is going to be law of the land,” Corbin Evans, the director of regulatory policy for the National Defense Industrial Association, told FCW, yet “folks are a little hesitant to make any major moves.”
Evans said a proposed rule to amend the Defense Federal Acquisition Regulation is expected this summer to solidify language and regulatory authority to include CMMC to contracts and that it’s possible “they may try and stretch and amend the FAR itself.”
He added that many of NDIA’s 1,600 corporate members haven’t determined where they fall in CMMC or what level they will seek.
One of the most prominent concerns at this early stage is the reliability of auditors. Like with any certification, it’s important that CMMC have metrics that are consistent across the board.
DOD recently announced that Ty Schieber, the senior director for executive education at the University of Virginia’s Darden School Foundation, will head a 13-member governing body for the organization charged with certifying auditors.
A DOD spokesman told FCW that CMMC requirements will begin showing up in presolicitation documents around June 2020, and in the corresponding requests for proposals in September.
Eric Crusius, partner at Holland & Knight who focuses on government contracting, said CMMC could discourage businesses “that don’t want to get into a new certification requirement” — especially those with emerging technologies. He’s also worried that the DOD could use the requirements to “artificially limit competition,” he said during a Jan. 7 webinar on CMMC hosted by NeoSystems.
“If their favorite contractor has a level four, even if it’s level three work, maybe [DOD will] set the RFP at a level four to kind of get those other contractors out of the way,” Crusius said.
Higher certification levels could also be seen as a way for DOD officials to protect themselves, he speculated.
“DOD officials, agencies may be just as worried and want to have the best of the best as far as cybersecurity compliance goes,” Crusius said, and “artificially make [a proposal] a level four when it’s really only called for a level two, not necessarily because they want to limit competition but just want to protect themselves.”
What to expect
“What’s different here is that it’s not a self-certification anymore; it’s a third-party validation,” Alan Chvotkin, executive vice president and counsel of the Professional Services Council, told FCW.
Cyber assessments from different auditors that are unequal to one another are a worry for Chvotkin because inconsistency could affect whether the accrediting body and each certifier are respected and reliable. Much like a property appraisal, the ideal is that there would be little to no variation regardless of who performed the certification.
“It’s not from a company standpoint, it’s what metrics, training, processes assessors will use. How do you validate?” Chvotkin said.
The establishment of the accreditation body as well as the release of the final version of CMMC are expected in January. But companies shouldn’t wait, he said.
“Companies should already have some level of compliance,” Chvotkin said. Companies with government contracts should start preparing now, he suggested, using the latest CMMC draft as a guide.
“I’d be very surprised if 1.0 is substantially different than 0.7,” Chvotkin said. “If I had a single message, [it’s]: Don’t wait until the final is done and all the Is are dotted and Ts are crossed to get started.”
Another reason to prepare early is that CMMC will likely be adopted by federal civilian agencies in the future.
“While the civilian agencies have not glommed on to CMMC, if it’s successful, they’re not going to be far behind,” Chvotkin said. “They’re looking at ways of doing something similar,” as many have already adopted the NIST standard.
Johann Dettweiler, director of operations at Talatek, a certified auditor for the Federal Risk and Authorization Management Program, said on the NeoSystems webinar that writing things down is the first step.
“Even if you’re trying to achieve level one, there’s nothing wrong with getting stuff down on paper, starting to develop practices, policies, procedures, and, and getting those out to all your personnel so they’re aware of them,” he said.
But while preparing for CMMC might seem daunting, Dettweiler said it’s okay to be imperfect.
“You don’t have to be perfect, but just basically give it the best shot and then help and rely on the auditors to help you out further,” Dettweiler said. “If you have failings, you’re not meeting some of the requirements, that doesn’t necessarily mean that you’re not going to achieve the certification level you’re after. There’s always a process.”
Right now, there are no requirements for certified auditors, which could delay implementation, Dettweiler said.
“The accreditation body hasn’t been selected yet, which means there’s no requirements for certified auditors,” he said. “If they’re already looking as early as June to start issuing certification levels for the RFI, that’s maybe a little bit — probably not true in their actual timeline.”
“However, that doesn’t mean that you shouldn’t get started on this. All the information you have out there is there to get started on working on this.”
Microsoft and the Hewlett Foundation are preparing to launch a nonprofit organization dedicated to exposing the details of harmful cyberattacks and providing assistance to victims in an effort to highlight their costs, CyberScoop has learned.
Known to its organizers as the “Cyber Peace Institute,” the nonprofit is expected to debut in the coming weeks, according to multiple sources who have discussed it with the organizers.
The institute aims to investigate and provide analytical information on large-scale attacks against civilian targets, assess the costs of these attacks and give security tools to both individuals and organizations that will help them become more resilient, according to a description of the nonprofit provided during a session at the 2019 B-Sides Las Vegas cybersecurity conference.
“We have a shared global responsibility to prevent the Internet from becoming ‘weaponized’ by increasing attacks by criminal groups and state actors alike,” the description reads. “We already have global organizations to tackle physical emergencies and now we need new ones to help with their counterparts in cyberspace.”
Besides Microsoft and the Hewlett Foundation, supporters include Facebook, Mastercard and the Ford Foundation.
The idea for the Cyber Peace Institute appears to be similar to previous ideas publicly presented by Microsoft President Brad Smith. Smith has previously called for a “Digital Geneva Convention,” where governments would form an independent organization that would “investigate and share publicly the evidence that attributes nation-state attacks to specific countries,” according to a blog post he wrote in 2017.
But the institute has been keen to appear independent from any one company involved in funding the venture, a source familiar with Smith’s thinking told CyberScoop.
“From the very beginning they had this idea of an international organization along the lines of the [International Atomic Energy Agency], a model of an independent, third party that would be beholden to no government,” the source familiar with Smith’s thinking said. “They wanted to be depoliticized and somehow factual … If it ended up looking and feeling and being perceived as a Microsoft objective, it won’t achieve its objectives.”
The Hewlett Foundation has pledged $5 million over the course of five years to the institute, a source familiar with the decision told CyberScoop. Facebook has pledged $250,000 to the cause, according to a source familiar with funding conversations. Microsoft, Mastercard, and the Ford Foundation have also pledged an unknown amount of money.
Although the broad goals of the nonprofit are clear, the institute is still working out details of its operations, according to multiple sources who have been in conversations with the organizers. It’s still unclear where the institute will obtain the data it will use for analysis, how it will assist victims and how many people it can actually help.
The funders and organizers of the nonprofit, through a spokesperson, declined to provide comment for this story.
In private meetings over the past year, organizers have faced skepticism about the institute’s mission, particularly on how the group will fit into the current cybersecurity landscape, one expert who attended the meetings told CyberScoop. Aside from the basic constructs, debates have ranged from how and whether the organization should attribute attacks, to where the group will pull data for its analysis, one attendee said.
Over the course of the meetings, the nonprofit reframed its goal from “attribution” to “accountability,” in part to possibly avoid naming a specific threat group when it provides analysis on cyberattacks, a source familiar with the conversations told CyberScoop. It was not clear if this has been decided, but one of the nonprofit’s goals, as described online, is to assess how attacks “transgress international norms of responsible behavior in cyberspace.”
It was also not clear if it had been decided whether the institute will aggregate threat intelligence reports that have already been published or if staff will be hired to conduct research, meeting attendees told CyberScoop.
The debate around the nonprofit’s goals highlights how many competing pressures are at play when it comes to developing cyber norms and calling out harmful behavior. Over the last 15 years, cybersecurity firms have made a name for themselves by calling out nation-state linked behavior in cyberspace.
Mandiant, since acquired by FireEye, issued its landmark report linking APT1 with China’s People’s Liberation Army for stealing American businesses’ secrets in 2013. CrowdStrike attributed the 2016 breach into the Democratic National Committee to Russian hackers. Kaspersky, a Moscow-based software company, released a report in 2018 that exposed an active, U.S.-led counterterrorism cyber-espionage operation.
Additionally, the U.S. government has upped its efforts to publicly attribute attacks to specific countries. In 2017, it attributed the WannaCry ransomware attack to North Korea. In 2018, the U.S. Department of Justice indicted Chinese hackers linked with APT10 for targeting 45 U.S. companies and government agencies. The DOJ also indicted nine Iranian hackers for a state-sponsored attack against 144 universities last year.
All of these efforts left some involved with the institute’s planning wondering where the organization would fit in among the existing public and private attribution work.
“I’m not sure [the institute has] the capability … or funding numbers … to duplicate what FireEye and Symantec and others have, or for that matter what the [National Security Agency] has,” one source who attended institute brainstorming sessions told CyberScoop.
Chris Painter, the former top cyber diplomat at the U.S. State Department, told CyberScoop that while public attribution can deter some adversaries, other groups don’t respond well to being called out.
“Attribution itself is valuable. Sometimes attribution can act as a deterrent. But some countries you really can’t name and shame,” said Painter, who has been involved in some of the discussions regarding the institute.
Carbon Black’s Chief Cybersecurity Officer Tom Kellermann, who has been invited to planning meetings related to the institute, told CyberScoop that although he supports the idea, he doesn’t know if it will be effective in establishing norms.
“There are nation states out there, Russia being one of them, who have created a mafiosa between their best cyber criminals and the regime … they target the West to pay homage to the regime,” said Kellermann, who is also a Global Fellow for Cyber at the Wilson Center. “They inhibit any sort of proactive action with regard to creating cyber peace, an international treatise, or any international norms.”
Paul Rosenzweig, a former deputy assistant secretary for policy at the U.S. Department of Homeland Security, told CyberScoop that regardless of the group’s direction, there is an appetite for a nongovernmental organization taking on these tasks because of the constraints that come with government-level attribution.
“Governments are rightly reluctant for a whole host of reasons,” said Rosenzweig, now a senior fellow at the R Street Institute. “In large part because the act of calling someone out is embedded in a broader dynamic about trade, taxes, war, diplomacy, finance, you name it — the whole thing is tied up in a relationship with China, Russia, Iran or Israel. That wouldn’t burden a private sector organization.”
How to fit in
In addition to uncertainties about the institute’s data feeds, it is not immediately clear how many victims will interact with the institute, according to several cybersecurity experts who have been involved in the brainstorming conversations.
“A lot of the conversations I had at RSA [related to the institute] was about the assistance function,” one attendee said. “And when we got to the higher level of the conversation it was like, ‘Wow, you really need an institute to do all of these three things? Not just one?’ A lot of people outside still have a lot of that skepticism and trying to figure out, ‘Are you guys serious?’”
Michael Daniel, president and CEO of the Cyber Threat Alliance, told CyberScoop it is too early to say whether it would be willing to do work on behalf of the institute one day. The alliance — started years ago by Fortinet, McAfee, Palo Alto Networks and Symantec — shares cyberthreat intelligence so member companies can better protect their client bases. The alliance has since expanded to include 23 companies.
A former cybersecurity coordinator during the Obama administration, Daniel has been in discussions with the institute’s organizers, and although he sees the institute and the alliance as complementary, he told CyberScoop he doesn’t know exactly how his group and the institute might work together.
“Our membership is very keen on working with organizations like [the Cyber Peace Institute] to figure out how we best put collective data to use, how is it that we take the data, the threat intelligence that we have … to amplify what others do across the ecosystem,” Daniel told CyberScoop. “We don’t quite know exactly what this organization is going to look like, what its capacities are going to be, how it’s going to be structured, what exactly it’s going to do … It’s a little early for that … and that’s fine.”
Another issue that arose during the meetings is whether calling out cyberattacks will impact ongoing cyber-espionage operations by the U.S. and its allies, a source present told CyberScoop.
An important goal of the nonprofit’s founders has been to make the institute appear as neutral as possible and immune to government influence, multiple sources told CyberScoop. Organizers have debated placing the institute’s headquarters in two cities known for neutrality and diplomacy on an international scale: Geneva, Switzerland or The Hague, Netherlands.
Rosenzweig, who has not been involved with the institute, said if it really wants to establish its neutral bona fides, it must be willing to call out activity that appears linked with the U.S. government in addition to activity emanating from Iran, Russia, North Korea, and China.
“I think the only way to make it like that [neutral] is … to make a point of calling out the NSA when they can … making a public stink about it in a way that asserts their independence from the NSA,” he said, adding he thinks the makeup of the organization could benefit from hiring from around the globe.
Even though partnerships and logistics may not necessarily be set in stone, the institute’s organizers are eager to move forward on these issues, a source who has spoken with Microsoft organizers told CyberScoop.
“I think [organizers] want themselves to be seen as identifying the need … and light the spark to make it happen and let it do its thing,” the source said. “They want to launch it and let it figure itself out.”
The Defense Department sees its new certification model, which it unveiled to the public this week, as a way to more quickly bring its entire industrial base up to date with best cybersecurity practices.
Every Defense contract will use this scale to determine whether companies are allowed to bid.
But the Pentagon also sees this new model as a means to set the stage for a broader, more complex journey to better understand the defense supply chain.
On Wednesday, DoD released a new draft of the Cybersecurity Maturity Model Certification (CMMC), the Pentagon’s most recent attempt to create a simpler, more consistent framework for the cyber demands it imposes on its contractors and subcontractors.
The department will accept public comment on the certification model through Sept. 25.
“Every company within the DoD supply chain — not just the defense industrial base, but the 300,000 contractors — are going to have to get certified to do work with the Department of Defense,” Katie Arrington, chief information security officer for DoD’s Office of the Assistant Secretary of Defense for Acquisition, said Wednesday at the Intelligence and National Security Summit co-hosted by AFCEA and the Intelligence and National Security Alliance.
Certification model details five levels
The new certification model has been designed with several familiar cybersecurity requirements in mind, but it’s also an attempt to get a better handle on the defense supply chain, Arrington said.
The model covers 18 domains across five certification levels.
Companies who achieve certification at the third level, for example, meet all National Institute of Standards and Technology (NIST) SP 800-171 requirements and have an information security continuity plan. Firms assessed at level five have “highly advanced cybersecurity practices” and can respond at “machine speed,” according to the draft CMMC.
DoD, which has been developing the certification model since March, has partnered with Johns Hopkins University, Carnegie Mellon University, defense industrial associations and members of the Defense Industrial Base Sector Coordinating Council to design the program.
DoD will release the model to a consortium in January 2020, which will help contractors learn the CMMC and the steps necessary to achieve each level of the certification program. The model will go live and will begin to appear in requests for information next June and requests for proposal later that fall, Arrington said.
“We understand security will be an allowable cost,” Arrington said. “We know what we’re asking for, but if we value security as delivered uncompromised, stated very clearly, the cost, schedule and performance don’t function without security. They’re invaluable.”
Arrington, along with the Department of Homeland Security and members of the Federal Acquisition Supply Chain Council, are reviewing cybersecurity standards and using DoD’s new model as a starting point for broader conversations about the defense supply chain.
“We get everyone on a level-set playing field for cybersecurity, and then we can really start looking at our supply chain, where our most and greatest vulnerabilities lie and how we can work together in a collaborative event with industry,” she said. “With 70%-plus of our data living on your networks, it is no longer a moment. It’s [not] a me-thing or a you-thing; it’s a we-thing.”
But for large defense contractors like Lockheed Martin, the new cybersecurity certification program could, at least initially, look like DoD is piling on yet another series of standards on top of an already growing list of NIST requirements.
Too many scoring methodologies and cybersecurity assessments from individual services and Defense agencies pose too much complexity, said Scott Rush, Lockheed’s deputy chief information security officer.
“We’re seeing a lot of different requirements come across,” he said. “For a large enterprise that, from an unclassified perspective, manages a large IT environment [and] common systems to support multiple programs and contracts, having a different set of requirements becomes very problematic.”
Though Rush said building the maturity model into the acquisition process makes sense, he’s hoping to see more uniform, common cybersecurity standards across the Defense enterprise.
“To bid on a contract or perform you have to be maturity level 3 or you can’t perform, we understand that and we think that’s a good thing,” he said. “What we would rather not see happen, because we think it would dampen collaboration, is if it becomes part of the evaluation criteria.”
Arrington acknowledged those concerns. She sees DoD’s new cybersecurity model as a way to move past the array of disparate and scattered requirements and toward an environment that’s focused on protecting the defense supply chain.
“I’ve met with all the services, and they have bought into the CMMC being the one cybersecurity model that they’ll be using for the DoD,” she said. “Hopefully we can convince our partners in the federal acquisition side to adopt it as well.”
Supply chain illumination ‘pathfinders’ picking up steam
Meanwhile, DoD is continuing to explore ways it can realize the full scope of its supply chain.
Lockheed Martin, for example, has been working with the Missile Defense Agency (MDA) to build a tool that will identify where controlled defense information resides within each “tier” of a multi-layered defense contract.
The Missile Defense Agency is reviewing the results of Lockheed’s pilot, which has been ongoing for eight to nine months, Rush said.
“We’ve learned a lot in terms of how to roll something like this out in a multi-tier supply chain,” Rush said. “We’ve learned a lot about the requirements they need and they don’t need, and I think it’s really going to inform a path forward from an MDA perspective. [The agency] has been talking… to [Arrington] and others in DoD about how this might apply to broader illumination efforts.”
For Arrington, the supply chain dashboards that Lockheed Martin and others have been piloting show some promise. But they leave a big question unanswered.
“The challenge is: where do [you] maintain that data inside the DoD? That’s a big one,” Arrington said. “That’s our adversaries’ golden egg. It’s a classified system, ultimately, but we also have the visibility within the MDA models.”
Using these dashboards to identify and then share information about potential risks and vulnerabilities on the supply chain with other services and members of the defense industrial base is the next challenge.
“If we can figure out a way to mitigate that risk within the supply chain, and we can buy down the risk and buy up the uncertainty, that’s what we want in these illumination tools,” Arrington said. “We are moving to them. Congress has put money appropriated for them. This is happening. What we’re deciding now are what are the requirements, what are we looking at and what is the value-add and the visibility?”