Tag Archives: CMMC

As Another DoD Contractor is Breached; DoD Works to Stop Them

Visser Precision, a precision parts contract manufacturer based in Denver, Colorado, has confirmed a “cybersecurity incident”.

Visser makes parts for the likes of Tesla, Space X, Boeing and defense contractor Lockheed Martin.

The ransomware was DoppelPaymer, is one of the Ransomware 2.0 variants that steal the data before they encrypt it.  Some of that data is available for download on the hacker’s website to prove that they stole the data.

One of the documents appears to be a partial schematic for a missile antenna.

THAT MEANS THAT THIS QUALIFIES AS A DATA BREACH.

While Tesla, SpaceX and Boeing did not respond to requests for comment, Lockheed said that they were “aware of the situation”.

Source: Tech Crunch

Lockheed, as a defense contractor, is required to notify the Department of Defense within 72 hours of a breach in most cases.  We assume Lockheed did that.   That requirement flows down to all subcontractors like Visser.  DoD can then decide what next steps are appropriate.  In this case, since it appears that sensitive information was actually stolen from Visser, DoD will, most likely, investigate.

As of about a month ago, DoD released version 1.0 of it’s Cybersecurity Capability Maturity Model (CMMC), a framework for improving the security of defense contractors.  DoD has not, however, started implementing it.  The program requires everyone who sells to the DoD, from cafeteria operators to lawn care firms to companies building missiles, to adhere to a range of cybersecurity standards and be certified by a third party to ensure compliance.

DoD is actually moving very rapidly for a government entity with 1.4 million active duty personnel, 1.1 million reservists and 860,000 civilians.  It took them less than a year to define and approve the standard and they hope to have some contracts with the CMMC requirement in place this calendar year.  That means that they have to train the assessors, approve the certifiers and issue the contracts.

No one has announced whether this attack was done by the Chinese, Russians, North Koreans or a 400 pound teenager in his parent’s basement.  With no information, I vote for the first one.

DoD says that, for contracts that have CMMC requirements, vendors will not be allowed to BID on the contract if they do not have the appropriate CMMC certifications already in place.

This is definitely motivating companies like Lockheed and breaches like the one at Visser, whom Lockheed vetted and approved the security of, only make them more motivated.

If you serve the defense industry, now is the time to get prepared because it will take some time and effort.

Facebooktwitterredditlinkedinmailby feather

DoD Contractor Hit by Ransomware Infection

Electronic Warfare Associates (EWA), a well known defense contractor in DC, was hit by a ransomware attack.  The tagline on the homepage of their website says that they are enabling a more secure future.

A Google search last week for the company brought up these results:

ewa-ransomware.png

The researcher who discovered the problem said it seems to have affected, at least, EWA Government Systems Inc,  EWA Technologies Inc. , Simplickey and Homeland Protection Institute.

EWA has not made any public announcement of the issue.  As I write this, the EWATech web site does not respond.

The current information suggests this is the Ryuk ransomware.  It is used for high value targets and is known to exfiltrate data.  Exfiltrate is a big word for steal.  Source: ZDNet

One more thing we know.  When ZDNet called the company and spoke to their spokesperson asking for a comment on the story, he or she hung up on the reporter.

So what might we speculate?

You may remember that another Navy contractor lost over 600 gigabytes of very sensitive electronic warfare data (from project Seadragon) to the Chinese in 2018.  Were the Chinese looking for more EW data?  Certainly could be.  That data is very valuable in building better offensive weapons (figuring out how to defeat our weapons) and building better defensive weapons (it is cheaper to steal it than to invent it).

The Navy went crazy after the Seadragon breach.  This makes them look even more incompetent.

DoD contractors are required to notify the Pentagon within 72 hours of a breach.  Assuming they followed the law, the Pentagon’s people (NSA, for example) could be all over this.

Much of the information that the government eventually classifies starts out as commercial research and isn’t classified until later.  Which COULD mean that whoever hacked them was after high value, not-yet classified information.

All of this is speculation, but reasonable speculation.

Which brings us up to the Pentagon’s efforts to require defense contractors to get an independent, third party cybersecurity certification called CMMC.  Would a certifier have discovered a problem which allowed this to happen?   Assuming the Pentagon is in the middle of this investigation, we may never hear.  But I bet folks are looking at the forensics right now.

But this certainly bolsters the logic behind the CMMC certification requirement.  And it is on track for starting later this year.

For those of you who sell to the government – both civilian and military, this is just one more warning to protect your ass.ets.

And more ammunition for Katie Arrington (who runs the CMMC project).

Oh.  One last thing.

The spokesperson who hung up on the media.  That is a GREAT way to get even more media attention on the worst day of your career.

There is something called an Incident Response Plan.  Part of an IRP is a Crisis Communications Plan.

Perhaps they should think about writing one.  And training people.

PS – It is probably required by CMMC.

 Facebooktwitterredditlinkedinmailby feather

Preparing for DoD’s CMMC

DoD continues to take actions that lead us to believe that they are very serious about the Cybersecurity Maturity Model Certification process.

This process will require that all DoD contractors ultimately get a third party cybersecurity certification on an annual basis if they want to continue to be part of the DoD food chain.

When I say part of the DoD food chain, I mean at every level.  An example DoD used recently was a requirement for the companies that mow the lawn and tend to the bushes at DoD installations would need to be certified.  EVERYONE is the plan.

Reports are the there are plans underway to make changes to the DFARS, the DoD acquisition regulations, this summer to reinforce the certification requirement.

It is also possible that they may extend this to the more general FARs, the acquisition regulations for the rest of the government.  They have been talking about doing that for a couple of years, so if they really do that, it won’t be a real surprise.

One step forward is the naming of Ty Schieber as the head of the 13 member body that is charged with certifying auditors.  Ty is the senior director for executive education at Virginia’s Darden School Foundation.

A DoD spokesperson said that CMMC requirements will begin showing up in presolicitation documents around June of this year.  While that date is very aggressive and may slip, it does seem to indicate that DoD is very serious about this.

Some folks say that requiring contractors to get a certification that they are protecting DoD information might discourage some contractors from bidding on DoD work.

Getting sued by the DoD for breach of contract for not protecting DoD’s information in case of a breach could be a downer as well.  That seems to be the other alternative to me and far worse.

Ignoring situations where the Chinese and others can steal our intellectual property is not a viable option any more.

It is possible that DoD COULD skew the playing field by requiring a higher level of certification than is actually required on a specific contract because their favorite contractor has that level of certification, but DoD bidders are very familiar with disputing DoD contract awards, so that, ultimately, would backfire if they did that at any large scale.

There is a concern, and it is legitimate, that certifications from different auditors could produce different results.  That puts the onus on DoD to set good guidelines so that everyone knows how the process needs to work.

The important thing is to get started now.  While the next version of the spec might change a bit, the basics are locked in stone and it will take a while to get them  done.

The plan, as it has been explained to us, is that contractors who are not certified at the appropriate level will not be allowed to bid on contracts that specify a CMMC requirement.  There will likely be long queues once the final process is announced, so getting started now will put you in a place where you can request certification earlier and get a jump on those people who wait.

Source: Washington Technology

 

 Facebooktwitterredditlinkedinmailby feather

It’s Going to be Painful, And It’s Going to Cost Money

These are the words right out of the mouth of Katie Arrington, The Pentagon’s Chief Information Security Officer for the acquistion policy office.  Katie reports up to Kevin Fahey, the Assistant Defense Secretary for Acquisition.  He is the guy who is responsible making sure that the Pentagon spends those hundreds of billions of dollars a year responsibly.

She has been leading the charge for the Pentagon’s new Cybersecurity Maturity Model Certification (CMMC).  The plan is for the Pentagon to require that EVERYONE in the DoD supply chain, from the company providing nuts and bolts to the company writing complex software.  There are 5 CMMC certification levels, depending on the risk that a supply chain provider represents.

The current plan is that the new standard will come out early next year, start being included RFPs in mid-2020 and part of contracts starting in late 2020 (FY22).  For more information check out our CMMC web site.

Currently, companies  who have classified contracts or handle controlled unclassified information have some cybersecurity requirements, but 290,000 defense contractors and suppliers have no requirements right now.

While it is likely that this will be phased in on new contracts and higher risk contracts, Katie says that by 2025 it will be fully rolled out across the entire defense contractor space.  Given the requirements to become certified, now is the time to start planning, even if you think you, as a supplier, won’t be required to be certified until, say 2022.

From a cost standpoint, DoD understands that contract awards today are based on cost, performance and schedule, but they plan to add security as a fourth pillar and they understand that it will cost both you and them money.  That does not mean that you will have a blank check – you won’t – but it does mean that since the DoD standards are higher than general industry, they will have to pay some portion of that cost.

Regarding the pain part, it will be painful.  Companies will need to implement new rules and those rules will affect employees and there are likely at least some things that they will not be able to do any more. In addition, companies will either need to add staff to manage these security requirements or outsource that management.

Katie is saying that the DoD has the ability to FINE companies for selling products with security defects and companies should not underestimate their willingness to use that legal ability.

DoD has struggled since 2013 with improving their Defense Industrial Base’s security practices first by changing the DFARS, the regulations that defense contractors have to follow, then by creating a NIST guide (which is self certified) and now with a standard that requires annual third party certification.  All the while China has been stealing $500 billion a year or more in intellectual property.  Third party certification is the kicker with this rule.  People tend to stretch the truth when they self certify, but a third party that runs the risk of getting their certification rights revoked if they stretch the truth is much less likely to stretch things.

CMMC does not have any exclusions for small contractors.  They have to meet the same standards as Lockheed does.  Since small business systems are less complex, it will be easier for small to meet those standards, but it will not be free and it will not be painless.  Small companies have less internal sophistication and less internal resources, hence the pain part.

So, if you are in the defense supply chain at any level, become educated and start getting compliant.  Or run the risk of getting kicked out of the DoD supply chain.

Source:  Cyberscoop.Facebooktwitterredditlinkedinmailby feather

Navy Trying to Fix Their Cybersecurity Mess and Congress is Not Helping

After a horrifying independent review of the Navy’s current cybersecurity posture,  the Navy asked Congress to approve a new position of Assistant Secretary of the Navy to handle  cyber.  This comes after the Navy eliminated the role of CIO last year.

Congress turned them down, so now they are going around Congress to create a Special Assistant to the Secretary for Information Management/Chief Information Officer, which does not require Congressional approval.  They are also going to assign about 15-20 people to a team to work on the task.  Since there is no new money for this, many of these people will be getting additional jobs.  That, of course, will make them less effective, but at least the Navy is trying.

The Navy will also be hiring four senior leaders to run directorates inside this new office: a chief technology officer, a chief data officer, a chief digital strategy officer and a chief information security officer.  Congress has authorized special pay in certain areas like this at the rate of 1.5 times that of the Vice President of the US or about $300,000 a year per person.  They hope to attract folks from industry with numbers like this.

Their objective is to improve security across the Defense Industrial Base in light of the Chinese (and others) threat.  A key priority is to get second, third and fourth tier suppliers to implement strict cybersecurity regulations, specifically NIST SP 800-171.

Many contractors have ignored the requirements of 800-171, in part because of the cost and in part because the DoD has not been enforcing it.  In combination with the new proposed third party cybersecurity certification requirement (CMMC) that the DoD is talking about implementing next year, contractors who ignore these requirements may effectively eliminate themselves from getting any DoD contracts.  A good strategy would be to up your cybersecurity program effort in advance of these new rules going into effect, because it will take a while to get your program up to speed.

Source: Federal Computer Weekly.

 Facebooktwitterredditlinkedinmailby feather