In the wake of the cybersecurity disaster at the Naval Undersea Warfare Center, where a contractor lost control of over 600 gigabytes of extremely sensitive weapons system data for the Sea Dragon program, the DoD is reacting. Sea Dragon, based on the few details we have, is a disruptive offensive weapon targeting Chinese submarines.
Among the data compromised is cryptographic information about how the subs communicate.
Now the Chinese have those secrets and the billions of dollars probably spent on the program may be flushed down the toilet.
DODDAC, the Department of Defense Damage Assessment Center, is trying to assess the level of damage that was done. It is likely that we will never find out the true impact of this breach.
The category of information that was breached is known, generally, as controlled unclassified information, or CUI. The DoD has been talking for years about implementing an acquisition rule, DFARS 252.204-7012, that requires contractors to secure controlled unclassified information, and about NIST SP 800-171, the how-to guide for doing that. December 31, 2017 was supposed to be the date the regulation went into effect, but in mid-December the DoD blinked. Again. The instructions to industry were that they just needed to have a plan for becoming compliant.
But no one was assigned to fix the problem.
In the wake of this new and recurring scandal, Defense Secretary Jim Mattis ordered the Under Secretary of Defense for Intelligence to deal with this. The Under Secretary instructed the Defense Security Service, which is accountable for managing classified information in the defense contractor community, to come up with a plan to manage controlled unclassified information too. The challenge with that is that the volume of controlled unclassified information, and the number of people handling it, dwarf the volume of classified information many times over.
Given this, what should defense contractors and sub-contractors do now?
While we don’t know the how and the when, it is very likely that DoD will begin to clamp down on how contractors handle CUI, and that the Defense Security Service will expand its sphere of influence to contractors handling CUI, starting with the prime contractors and letting them handle their subcontractors. We have seen that this has already started, but we believe it will accelerate.
For the most part, what NIST 800-171 mandates is “best in industry” cybersecurity practice.
If you are a contractor, you should be actively working on becoming compliant. You should already have been doing this, but there should be more urgency now. Start by implementing the policies, procedures and practices, then move on from there: add the technical controls and monitoring, then incident response, and so on.
While we don’t know when, my guess is General Mattis does not want another disaster on his watch and he already has the regulations on the books to help fix the problem. All he needs to do is make it happen. Remember, Generals, especially Marine Corps Generals, are very good at “making it happen” and I would not question his desire to not be embarrassed again. He is going to have to, at some point, explain to Congress why the billions of dollars they gave him have been wasted. Not a fun conversation.
Given all this, being prepared is a really good plan. We can help.
Information for this post is based on a memo from the Pentagon.