Tag Archives: cyber security standards

Secret Service Launching Private-Sector Cyber Crime Council


The 16-member federal advisory committee (FAC) will be the first one ever for the investigative unit, which focuses on financial crimes such as counterfeiting, card-skimming and other forms of fraud.


“Previous FACs all have been established for the Secret Service’s more widely known protection mission, which provides security for U.S. presidents and other dignitaries.

Invitations for the FAC were sent earlier this month. Jonah Hill, a senior cyber policy advisor at the Secret Service, who will be executive director of the board, declined to name the other members of the FAC during an interview with CyberScoop. The move comes as the Secret Service — like most high-level law enforcement agencies — is trying to adapt as crooks move from one digital tool to the next.

“Cybercriminals are constantly changing their tactics and their targets … law enforcement must be equally persistent in our efforts to combat these ever-evolving criminal groups,” Secret Service Deputy Director Leon Newsome told CyberScoop.

The goal is to help the investigative unit “think outside of the box” in fighting cybercrime and how the Secret Service trains to combat it, Hill said.

“What we’re trying to do is get a diverse set of viewpoints and experience and expertise from industry, from academia, from state and local government, really to kind of get a holistic picture of some of the threats we face and some of the approaches the Secret Service can take to combat those threats,” he said.

Hill said the FAC’s members were selected to represent a wide array of experiences. Some of the invited are former Secret Service leaders, he said, and others are law enforcement officers, computer scientists and experts on network security, malware, ransomware, criminal trends, business email compromise, identity theft and credit card theft.

Hill declined to comment on what members of other federal agencies, if any, would participate in meetings. (The Secret Service is part of the Department of Homeland Security.) The first meeting will probably be this summer, he said, after which the board is expected to meet twice annually.

Transnational cybercrime

One area of attention is likely to be foreign governments’ practice of tapping of talented cybercriminals to do their bidding, which has presented challenges for U.S. crime-fighters as they seek to coordinate with law enforcement entities abroad to take down transnational groups.

“There’s a growing trend of a confluence between nation-state criminal actors, whether those actors are acting at the behest of government, or for the protection of government, or if governments are turning a blind eye to them,” Hill said. “To the extent that this group can help us navigate those waters we will certainly turn to them for their guidance.”

Hill declined to say explicitly which nation-state hackers the Secret Service wants the CIAB to provide guidance on.

Encryption issues and more

The Secret Service is also seeking outside expertise to help it maneuver U.S. government tech-policy changes that may be on the horizon. The Trump administration’s concerns about end-to-end encryption of email and messaging software, in particular, has stirred up the perennial debate in recent months about what to do when criminals “go dark” online. The White House, Congress, federal law enforcement agencies and Silicon Valley powerhouses like Facebook and Apple all have a stake in the debate.

“It’s really [about] understanding, helping us work through as the encryption debate advances … helping us prepare for whatever changes in either encryption law or industry approaches to encryption,” Hill told CyberScoop. “However those debates evolve, we want to be prepared to meet the challenge.”

The Secret Service doesn’t intend to advocate one way or the other on encryption, Hill said; the board will track other policy issues that affect the agency’s investigations, including privacy rules and data breach notification requirements, he said.”

Small Business Focus – Cyber Security Maturity Model Certification (CMMC)



Forthcoming cybersecurity controls are designed to help DoD and small business work together to protect sensitive data and help industry comply in a fairer way depending on the types of systems they’re asked to defend.


“Small businesses are increasingly being targeted digitally by nation states, according to Department of Defense officials, who say more must be done specifically to evaluate and reinforce the security of contractors battling cyberattacks.

“We’re losing,” said Katie Arrington, special assistant to the assistant secretary of defense for acquisition for cyber within the office of the undersecretary of defense for acquisition and sustainment, speaking Oct. 7 at an AFCEA-hosted event.

Arrington explained that adversaries cost the country $600 billion a year and that, with 5G on the horizon, that amount must be multiplied by “umpteenth” in 2025, given the near-unlimited bandwidth for cyber campaigns that the technology promises. As a result, Arrington said, the forthcoming Cybersecurity Maturity Model Certification (CMMC) was designed specifically for small businesses.

The CMMC is a framework that grades company cybersecurity on a scale of one (least secure) to five (most stringent). What small businesses will be asked to do is comply with a tiered rating system depending on the systems they’ll be working on.

What this means is that if a company is providing janitorial services, it may only need to comply with level 1 of the CMMC, as opposed to level 3, which is equivalent to the NIST SP 800-171 requirements, or level 4, which is reserved for exquisite systems.

In the past, there was effectively a two-tiered system for small-business compliance, Arrington described: one company could be compliant with 80 of the controls in NIST SP 800-171 and have a Plan of Action & Milestones (POA&M) to do the other 30, while another company could be doing all 110 controls, and both were technically acceptable.

“That isn’t right, because our adversaries aren’t taking a cup of coffee and saying, ‘I’m going to come back to you when your POA&M is done,’” said Arrington. “They’re walking through those POA&Ms like they’re Swiss cheese.”

As a result, Arrington made the case that the CMMC is really about leveling this playing field and protecting sensitive systems that require additional cybersecurity controls.

Some have noted that these new requirements, while meant to protect the defense industrial base against loss from external forces, could hit smaller companies harder within the market.

“This would have severe unintended consequences on small businesses that do not have the resources and sophistication to obtain a high CMMC level, producing market entry barriers and limiting competition,” the Professional Services Council said in a Sept. 25 letter to DoD following the September draft release of the CMMC.

“Until we see the whole scope of who it’s going to apply to and why it’s going to apply to them, it could impact a lot of small companies,” Alexander Major, a partner and co-lead for government contracts at McCarter & English LLP, told FCW following the same draft release.

Major’s co-lead, Franklin Turner, also told FCW that Arrington’s assertion that the CMMC would cost only a few thousand dollars is “utterly foolish,” adding it would “likely be an impediment” for small companies.

However, as Arrington and others have pointed out, top nation states are targeting these smaller companies, necessitating the initiative. Trying to sympathize with the audience, Arrington touted her background contracting with utilities, water and weather services where she herself was guilty of poor cybersecurity practices as a program manager.

“I knew where the weather was, the water was and the electric was. It was all on my laptop,” she said.

She did much of her work at coffee shops because, “I needed to network and I needed to communicate with my peers to drive new business and I needed to be seen, because as a small business you have a lot of people who telework from home.”

But even using a VPN to tunnel into work accounts has the potential to be exploited, Arrington acknowledged. “I was taking everything around me in the pipe.”

Recent events have put a spotlight on the fact data doesn’t have to be classified to be sensitive. Several Navy breaches — largely attributed to China — targeted contractors that were determined to have information that wasn’t itself classified, but in aggregate disclosed sensitive capabilities. It is the increase in campaigns to exploit a higher percentage of lower-level vulnerabilities that the CMMC framework addresses.

“Our adversaries are not trying to get at us at the … top of the nuclear triad,” said Arrington. “You don’t have the aperture to defend yourself against a nation state and we don’t want you to. I need to be able to help you protect us because when 80 percent of my data lives on your network, it’s no longer a you or a me — it’s a we thing. This is a we problem.

“I need to know exactly what I’m asking you to protect and at what level. Right now, you’re all just doing a bunch of different disparate things, but there’s not a level set. [Cybersecurity] controls do not equal requirement,” Arrington continued.

It is expected that in fall 2020 CMMC requirements will be included in requests for proposals and will be a go/no go decision.”


Cybersecurity Maturity Model Certification (CMMC) Training Underway For Auditors



The CMMC accreditation body, a not-for-profit and independent group of stakeholders, has been stood up and recently selected its chair.

[It] will take the cyber standards set to be released this month and use them to develop training and certification requirements for the third-party assessment organizations and individual assessors that will evaluate companies.


“Training of the third-party accreditors for the DOD’s upcoming unified cybersecurity standard will take place from now until June, according to the Defense Department’s acquisition head.

Ellen Lord, the defense undersecretary for acquisition and sustainment, told reporters the final version of the Cybersecurity Maturity Model Certification is set to publish by the end of January, and an independent accrediting body will begin training the auditors.

“The release is the end of this month for the CMMC model version one,” Lord told reporters during a Jan. 14 Defense Writers Group event in Washington, D.C. “The initial training is taking place of the assessors between now and June,” which is when the first requests for information including the standard are expected to roll out.

The CMMC accreditation body, a not-for-profit and independent group of stakeholders, has been stood up and recently selected its chair. The consortium, as Lord referred to it, will take the cyber standards set to be released this month and use them to develop training and certification requirements for the third-party assessment organizations and individual assessors that will evaluate companies.

FCW has reached out to the accrediting body for more information on training.

Ty Schieber, the CMMC accrediting body’s chairman, previously told FCW the organization has several working groups that will help define and strategize around the accrediting body’s functions, including governance, standards, adjudication, organizational structure, change management and budget.

Lord said the accrediting body “will incorporate semi-automated processes” and “include a tool that certified third-party assessors will employ for audits and collecting metrics to inform risk.”

The impending cybersecurity certification has drawn concern among small business advocates, particularly around cost and the required expertise for implementing the standards.

When asked whether DOD has done an impact study on how CMMC will affect small businesses, Lord didn’t have a clear answer, simply saying that trade organizations such as the Professional Services Council were looking into it.

“One of my biggest concerns was really about small and medium businesses because that’s where a large part of innovation comes from and we need that. We want to retain them,” Lord told reporters.

DOD has said it is working with the accrediting body, prime contractors, and industry associations to brainstorm ideas on how to make implementing the cybersecurity standard more cost effective. However, Lord said, there won’t be a way around CMMC, and waivers were not being considered at this time.

“I do not anticipate waivers at this point in time,” Lord said. “We have not discussed that because cybersecurity is so critical, it becomes a differentiator.”

Instead of waivers, Lord reiterated that CMMC has multiple levels, the lowest of which adheres to basic cyber hygiene practices and can be tailored to any system.

Ultimately, Lord said it’s an “ecosystem” when it comes to supply chain security.

“We do understand this is an ecosystem, and frankly we often forget that,” she said. “When you look at integrated supply chain, you have six, seven, eight, nine levels down and it’s that six, seven, eight, nine levels that we are really, really concerned about.”

DOD anticipates completing the federal rulemaking process for CMMC by the end of 2020.”


DOD: “Primes Should Help Small Business With CMMC”



“The Defense Department is hoping large defense contractors will be cyber mentors for small businesses and startups as it rolls out its new cybersecurity standard next month”


“Ellen Lord, DOD’s acquisition chief, told reporters during a Dec. 10 briefing that the department was attuned to small businesses’ cost-related concerns about its new Cybersecurity Maturity Model Certification. While there’s no mandate at work, Lord said big companies and industry associations should pitch in with help as the standard is implemented in 2020.

“We know that this can be a burden to small companies in particular,” Lord said. “At this point, I don’t rule anything out, but I’m not envisioning waivers. I am envisioning the primes and the industry associations and the government with industrial policy really working as kind of the help desk, the help agent, enabling these companies to be compliant with a lot of support.”

The CMMC model has been praised by senior defense officials, such as Navy CIO Andrew Weis, for having the “right perspective” and criticized by small business advocates over cost concerns.

Lord stressed that supply chain vulnerabilities are most prevalent six to seven levels down from prime contractors, and the Defense Department is working to minimize costs so small businesses can be more compliant with CMMC over the next two to three months. Katie Arrington, DOD’s chief information security officer, previously said part of that transition will be considering reciprocity for other cyber certifications, such as the Federal Risk and Authorization Management Program, or FedRAMP.

“This is a U.S. economic security issue as well as a U.S. security issue,” Lord said. “When we look at cybersecurity standards, I believe it is absolutely critical to be crystal clear as to what expectations, measurements are, what the metrics are, and how we will basically audit against those.”

Contractors will have to get certified by a designated accrediting body. Lord said DOD is working with multiple companies and has not yet designated an accrediting body, though she indicated there will be more than one.

Alan Chvotkin, executive vice president and counsel of the Professional Services Council, says it’s a good time to start focusing attention on CMMC.

“I think she’s right to focus on raising the visibility of CMMC,” Chvotkin said. “It will be market affecting. Those companies that have the certification will be able to compete for work at DOD; those who don’t have the certification will not be able to work on DOD contracts. That’s pretty important.”

The final CMMC framework, as well as the list of accrediting bodies, will be released and fully available in January. Lord said DOD is considering a “rolling roll out” for requests for proposals and contracts that incorporate the new standard starting in July.

Mike Hettinger, a lobbyist who advises tech vendors on government relations and strategy, has been following CMMC and is concerned that the July timetable means that the big companies Lord expects to offer guidance on the new standards will have their own compliance issues to contend with.

“To think that between now and next summer a big company is going to get through the certification process and set up a mentor-protégé process with their partners seems like a bit much,” Hettinger said.”


CISA Requests Public Input On Civilian Agency Mandatory Cyber Security Order



“The Department of Homeland Security’s cybersecurity division is trying something new. Instead of simply ordering civilian agencies to take a specific action to shore up their cybersecurity, it is asking the public to weigh in on the order first.


“DHS’ Cybersecurity and Infrastructure Security Agency issued a draft Binding Operational Directive (BOD) that compels civilian agencies to establish programs to work with outside security researchers to find and fix software flaws in agency websites and applications.

The appeal for public input is in the collaborative spirit of vulnerability disclosure policies (VDP), which crowdsource an organization’s security by asking ethical hackers to improve it. VDPs are common in the private sector, but much too rare in government for DHS’s taste. When CyberScoop first reported last month that CISA had prepared the directive, officials estimated that, out of scores of civilian agencies, just 10 had VDPs in place.

“[I]t’s the public that will provide those reports and will be the true beneficiaries of vulnerability remediation,” Jeanette Manfra, CISA’s assistant director for cybersecurity, wrote in a blog post explaining the unusual decision to seek feedback on a DHS cybersecurity order.

Outside experts on VDPs have a month to offer their feedback.

The draft order tasks agencies with setting up VDPs within six months of the order being released. It adds a sense of urgency to the issue by requiring agencies to add one new system or service to the scope of their VDPs every 90 days. The draft BOD also “draws a line in the sand” for agencies to embrace VDPs, as Manfra put it, in that agency systems that come online after the directive must be included in the disclosure program.

“In seeking public comment, we’re also nodding to the fact that, to our knowledge, a requirement for individual enterprises to maintain a vulnerability disclosure policy has never been done before, and certainly not on this scale,” Manfra, who is leaving CISA by the end of the year, wrote in her blog post.

The big changes in how agencies deal with software vulnerabilities will be coordinated through the Office of Management and Budget, which has issued its own guidance to agencies as they prepare to establish VDPs.

“As the federal government’s digital footprint has expanded, the risks to its networks and information have also grown,” the OMB guidance states.”

DOD Unveils Plan For Contractor Cyber Security Standards



The standards, known as Cybersecurity Maturity Model Certification, will be researched and developed in partnership with the Johns Hopkins Applied Physics Lab and Carnegie Mellon University Software Engineering Institute.

Once in place, third-party private sector companies will audit contractors to ensure compliance. The program also will include an education and training center for cybersecurity.

“A Department of Defense official unveiled plans Thursday for contractor cybersecurity standards that are scheduled to be implemented by January 2020.

Katie Arrington, special assistant to the assistant secretary of Defense acquisition for cyber, made the announcement along with a plea for the private sector to work with the government to secure its supply chain at a Professional Services Council conference Thursday. The new standards will have a five-level system, and they will combine guidance currently in place from the National Institute of Standards and Technology with new input from the private sector and academia.

The level of cybersecurity required by the standards will be indicated on all contract solicitations once implemented.

Defense officials have spoken of the need to develop new contractor cybersecurity standards for more than a year now. Earlier this year, DOD CIO Dana Deasy described how tier-one prime contractors aren’t the big concern. “It’s down when you get to the tier-three and the tier-four” subcontractors.

“Where the issue breaks down is that as you go down to those various subcontractors, do they understand, [are they] equipped, have the knowledge and the capabilities to defend themselves, and what is it we should be doing more to help them learn how to defend themselves at those tiers?” Deasy said.

Arrington’s announcement was the first look into what to expect when the new standards are implemented. Similarly, in 2017, DOD introduced a regulation that requires all vendors who do business with the department to more safely guard “covered defense information” that is transmitted to or stored in their systems or networks for contracted work.

In addition to speaking about the new rules, Arrington stressed the need for collaboration between public and private sectors to ensure information security.

“It is not a ‘me’ thing, it is a ‘we’ thing,” Arrington said.

The “vast majority” of DOD contractors have ad hoc and inconsistent cybersecurity practices, Arrington said. Cybersecurity breaches and intellectual property theft of DOD data have led to the theft of high-grade weapon systems, such as the F-35.

“We should be infuriated about what has happened to our data,” she said.

Arrington will be embarking on a listening tour across the country to seek input from contractors for the cybersecurity rules. Arrington is a former South Carolina lawmaker and small business owner who contracted with the government — experiences she said will inform her work to help secure military data.

The greatest counterintelligence risk to the U.S. is not theft of government data, but private sector IP, said Joyce Corell, assistant director for supply chain and cyber at the Office of the Director of National Intelligence’s National Counterintelligence and Security Center. Governments, like China’s, and their efforts to steal U.S. IP have taken up the majority of the U.S. counterintelligence apparatus’s work, Corell said in a talk following Arrington’s.

New steps to secure the supply chain are critical to plugging the leaks of data. To do so, Corell pushed for cybersecurity to be baked in across all parts of the supply chain for government contractors. In the past, Corell has pushed small businesses to increase their cybersecurity in order to work with the government.

Corell and Arrington both drove the message that cybersecurity is needed at all levels of the supply chain, at all levels of contracting and from the military to civilian agencies.

Supply chain security is “a team sport,” Corell said.”