Tag Archives: DoD

DoD CMMC Update

To say that DoD’s plans to enhance the cybersecurity practices of the defense industrial base have not gone exactly as planned would be polite.

White House Executive Order 13556, creating controlled unclassified, was issued in 2010. 12 years later, DoD is still wrestling with the issue.

DFARS 252.204-7012, which mandated NIST 800-171 compliance, became effective in 2017.

CMMC version 1 was issued in late 2020 as an interim final DFARS. It never really went into effect.

CMMC version 2 was released in November 2021. It tried to simplify CMMC 1.0 and did, to an extent. But within months, they realized that a key part of it (splitting CUI compliance into two parts – one which could be self-certified and one that required third party certification) – was unworkable.

So where is it now?

CMMC 2.0 is now in the “rulemaking process” under Title 32. This process is required for all federal regulations and is really complicated. After that, it has to go through the Title 48 process which governs the Federal Acquisition Regulations process.

Stacy Bostjanick, who has been trying to shepherd CMMC since the beginning is hoping the changes that come out of the rulemaking process are minor changes to what was released a few months ago. No guarantees.

She says that she is hoping that they will be allowed, one more time, to create another “interim final rule”. Hoping.

They are trying to reduce the number of companies that will require expensive third party certifications from maybe 300,000 to 100,000, but right now there are only a dozen companies who have been approved to certify contractors. You do the math.

On top of that, DoD’s contracting officers have not been well trained at understanding and documenting what is CUI. And communicating that to contractors. You can’t communicate what you don’t understand.

Many folks believe that what will come out of this rulemaking process, which is based on NIST SP 800-171 version 2, will likely look a lot like what went in. I think this is probably right.

This means that small businesses will need to make a costly decision about whether they stay in the defense business. Many will leave. In the last six years, the number of small businesses in the defense sector has shrunk by nearly a quarter.

Unfortunately, DoD is boxed in. The problem is real and there is no simple fix. Ignoring security is not a plan. Neither is asking contractors to pinky-swear that they are doing what they should be doing.

The rules are expected to emerge from the rulemaking process in May. May 2023 that is. 13 months from now. They anticipate submitting the proposed rules in July of this year.

The Pentagon is talking to international partners. The UK has a “similar” program called the Cyber Essentials program. The Pentagon wants to compare the two programs. The Pentagon would like everyone to roll over to their desires, but that is unlikely to happen. This means that there will be differences, country to country. Contractors that do business in multiple countries will have even more paperwork – and cost – to deal with.

DoD is trying to incentivize contractors to get certified now. In part this is because, if everyone waits, the size of the queue will be that much longer. That means that if people wait for the rule to come out and get documented, then it will be longer before any number of people get certified. That means the DoD would have to choose between dropping the contract requirement or picking a less qualified, more expensive vendor who is certified. What a mess. DoD’s hands are somewhat tied in this process. They cannot offer contractors money to get certified, but they can say that vendors who are certified will rank higher in the review process than ones that are not certified. They can also say, MAYBE, that if you get certified now your certification will last longer, say, instead of three years from now vs. three years from once the standard is actually approved.

One thing that did come out in CMMC 2.0 is the concept of “waivers”. In CMMC 1.0 if you failed any controls, you failed the test. In CMMC 2.0 they are talking about waivers. Limited time, limited function, only for certain controls, maybe. They have admitted that given they do not want to shoot themselves in the head, they are going to be forced to issue waivers. They have said that each waiver will need to be individually approved by the service needing the product, which makes sense. Since some executive is going to put his or her name on a piece of paper, that by itself will limit waivers. The CURRENT plan is that waivers can’t be for more than 180 days. If there are a lot of waiver requests (there will be), that by itself will be a paperwork nightmare – both approving and tracking them. Also, since the waivers will be technical in nature, the service executive approving them will need someone to explain to him or her what the hell they are approving. A mess, in other words.

The Pentagon has created an internal deadline to submit the proposed rule to the OMB on May 4. That is step 1 in the process. Generally, they have been good at meeting those deadlines. Just barely.

They are hoping to kind of amend the -7019 and -7020 clauses instead of starting over and that is probably reasonable. But reasonable and government don’t necessarily match. It is possible that DoD will feel they need to close on a deal for the Part 32 rule before submitting the part 48 rule. That could drag things out.

We continue to tell clients to focus on 800-171 because that is VERY LIKELY to remain the core of whatever comes out of the sausage grinder. That is also what they agreed, in writing, to comply with since 2017. That means that contractors who are not 800-171 are technically in breach of contract.

One more rub in the ointment. Since 800-171 R2 came out, 800-53 revved from R4 to R5. There is an effort within NIST right now to create 800-171 R3 based on NIST SP 800-53 R5 medium. DoD has already said that they are working with NIST to incorporate some of the stuff that they “lost” when they went to CMMC 2.0. That means the goalposts are likely to move before the final rule is in place.

Credit: SCMagazine, Inside Cybersecurity, YouTube, Inside Cybersecurity, Inside Cybersecurity

CMMC 2.0 is Coming – In a Year or Two

CMMC just became more complicated or more simple.

The feds published an advance notice of proposed rulemaking (ANPR) for CMMC 2.0 and then just as quickly, unpublished. The Federal Register, the place were office notices are published only said that they asked for it to be unpublished.

So people saw the ANPR for about 18 hours and here is what they saw:

  • CMMC Levels 2 and 4 would be removed. Since DoD already said they don’t plan to use them, that is not a big deal.
  • CMMC Level 1 would be a self assessment. Whether this is important depends on the consequences of lying. After all, the current 800-171 is pretty much a self assessment.
  • The process maturity sections of CMMC would go away. This is a big loss because without process maturity you really haven’t integrated security into the culture.

There seems to be a big disconnect between what is CUI and what is not. I was involved in a long conversation today where the customer of a three letter agency was saying, in their contract, that the names and personal information of contractor employees was CUI.

For now all assessments and certifications are on hold.

It also means that all of the companies in the CMMC ecosystem, from trainers to certifiers, are wondering about their investments. Some invested a lot of money.

On the other hand, DFARS 252.204-7012 and its underlying requirements of NIST SP 800-171, which is about 80% of CMMC version 1, Level 3, is still there and does not appear to be going away.

Was the release of CMMC 2.0 a mistake? A trial balloon? Intentional sabotage? No one is saying.

Personally, I think it was a trial balloon, but who knows.

Reports are that it will take the feds at least a year from now to develop the regulations behind CMMC 2.0 and that assumes that it doesn’t change from what was leaked. Of course, that is just a rumor. For all we know it could drop next week.

What we do know is the pilot program is suspended and contract requirements are being removed.

It is our recommendation that customers who are not fully compliant with 800-171, which your contract says that are currently certifying that you are, need to continue working towards becoming fully compliant. The DoJ announced two weeks ago that they intend to prosecute folks who lie about that. How aggressive that is going to be is unknown. What is known that the feds currently make around $5 billion a year from these prosecutions. Great revenue stream. And, whistle blowers can get up to 30 percent of that.


Here is what other people are saying.

JDSupra says that the Pentagon is suspending the pilot and the DoD is evaluating how it could “provide incentives” to companies that voluntarily get certified in the interim. That is a different twist. Do it now and we pay for it, do it later and you pay for it? Interesting.

They also say the self certification is for “some circumstances”.

Finally, they say that the new level 2 would be split into prioritized programs which will require third party certification and other programs which will require annual attestations by corporate officers, similar, I am guessing, to Sarbanes Oxley. People who lie there could be prosecuted, jailed or debarred.

They are also saying that it is possible that there may be a waiver process for some particular controls.

A lot of unknowns.

The Pentagon has some very high level stuff at the Office Of Acquisition and Sustainment’s website, even though it is rumored that they will be losing management responsibilities of the program. It may be moving over the the DoD CIO, but that is currently a rumor. What is a fact is that A&S has not done a great job over the last year. They say that the Pentagon wants to simplify things for small businesses, which is good, while protecting the national security, which is hard.

In the meantime, the Chinese, Russians, North Koreans and others continue to rob us blind.

Is everything clear?


So, as I said, work on 800-171 compliance and stay tuned. Could be tomorrow, could be a year from now.


Security News for the Week Ending April 3, 2020

DoD Concerned Covid Will Cause US IP Loss

In an interesting analysis, Ellen Lord, DoD’s top acquisition official, is concerned that foreign interests (including unfriendly foreign interests) will buy or invest in small U.S. defense subs and steal our tech.  In theory CFIUS and FRRMA should make that harder as the government has the right to nix buyouts if they think they will hurt us, but first they have to know about it.  With Covid potentially impacting the stability of these small companies, the government has its work cut out for it.  Source: Defense Systems

Violating a Web Site’s Terms of Service: Hacking or Not?

The Computer Fraud and Abuse Act (CFAA) was written long before the Internet, but leave it to aggressive prosecutors and companies to use it in a way that was never intended.  But the various federal courts can’t seem to figure out how to interpret it.  The DC federal court has just ruled that using a web site with a legally obtained user account in a way that may violate the web site owner’s terms of service is not hacking and cannot be prosecuted under the CFAA.  Since about half of the federal courts have ruled in each direction on this issue, it is likely to make it up to the Supremes.  This is important both for web site operators and security researchers. Source: Ars Technica

Zoom Does Not Support End to End Encryption, Despite Claims that it Does

In some of Zoom’s documentation, as well as in the client, Zoom says that it supports end to end encryption, but in fact, it does not, at least when video is involved.  I am sure now that it has come out that they lied on their web site, they will likely get sued.  If you think about it, given that they have the ability to record your call, there is no way that it can be end to end encrypted.  The video is encrypted between their data center and you, which is probably good enough for 99% of the planet.  This also means that the fuzz can listen into your call.  Moral of the story, if you are doing something illegal. Or classified.  Don’t discuss it on a public video conference (or audio) service.  There are ways to really do end to end encryption and I have set them up before, but they are neither cheap nor simple.  Source: The Intercept

DoJ Inspector General Says FISA Court Requests Are Suspect

The Department of Justice’s Inspector General says that the FBI has not followed the rules when applying for secret FISA warrants over the last five years.  Given that the whole process is secret, it is not surprising that it is flawed.  Any time the government operates outside the light of day, the opportunity for abuse is there and now, the DoJ IG is questioning 700 warrant requests made over the last 5 years.  The court is basically a rubber stamp since there is no “other side” to any request.  This came to light when Carter Page, a Trump campaign advisor, was the subject of a FISA court wiretap.  This is also at the core of the fight between the House and Senate over the renewal of certain parts of FISA that expired last month.  Source: The Register

California AG Revises CCPA Regulations Again

As the deadline set by the legislature for the enforcement of CCPA lurches closer (July 1), the AG has revised the proposed regulations again.  Among the changes are a re-expansion of the definition of personal information, privacy notice guidance, instructions on responding to data subject requests, clarification/restriction of service provider use of information and a minor clarification of the definition of financial incentives.   See the assessment from law firm ReedSmith here and a copy of the again revised regs here.

As Another DoD Contractor is Breached; DoD Works to Stop Them

Visser Precision, a precision parts contract manufacturer based in Denver, Colorado, has confirmed a “cybersecurity incident”.

Visser makes parts for the likes of Tesla, Space X, Boeing and defense contractor Lockheed Martin.

The ransomware was DoppelPaymer, is one of the Ransomware 2.0 variants that steal the data before they encrypt it.  Some of that data is available for download on the hacker’s website to prove that they stole the data.

One of the documents appears to be a partial schematic for a missile antenna.


While Tesla, SpaceX and Boeing did not respond to requests for comment, Lockheed said that they were “aware of the situation”.

Source: Tech Crunch

Lockheed, as a defense contractor, is required to notify the Department of Defense within 72 hours of a breach in most cases.  We assume Lockheed did that.   That requirement flows down to all subcontractors like Visser.  DoD can then decide what next steps are appropriate.  In this case, since it appears that sensitive information was actually stolen from Visser, DoD will, most likely, investigate.

As of about a month ago, DoD released version 1.0 of it’s Cybersecurity Capability Maturity Model (CMMC), a framework for improving the security of defense contractors.  DoD has not, however, started implementing it.  The program requires everyone who sells to the DoD, from cafeteria operators to lawn care firms to companies building missiles, to adhere to a range of cybersecurity standards and be certified by a third party to ensure compliance.

DoD is actually moving very rapidly for a government entity with 1.4 million active duty personnel, 1.1 million reservists and 860,000 civilians.  It took them less than a year to define and approve the standard and they hope to have some contracts with the CMMC requirement in place this calendar year.  That means that they have to train the assessors, approve the certifiers and issue the contracts.

No one has announced whether this attack was done by the Chinese, Russians, North Koreans or a 400 pound teenager in his parent’s basement.  With no information, I vote for the first one.

DoD says that, for contracts that have CMMC requirements, vendors will not be allowed to BID on the contract if they do not have the appropriate CMMC certifications already in place.

This is definitely motivating companies like Lockheed and breaches like the one at Visser, whom Lockheed vetted and approved the security of, only make them more motivated.

If you serve the defense industry, now is the time to get prepared because it will take some time and effort.

Preparing for DoD’s CMMC

DoD continues to take actions that lead us to believe that they are very serious about the Cybersecurity Maturity Model Certification process.

This process will require that all DoD contractors ultimately get a third party cybersecurity certification on an annual basis if they want to continue to be part of the DoD food chain.

When I say part of the DoD food chain, I mean at every level.  An example DoD used recently was a requirement for the companies that mow the lawn and tend to the bushes at DoD installations would need to be certified.  EVERYONE is the plan.

Reports are the there are plans underway to make changes to the DFARS, the DoD acquisition regulations, this summer to reinforce the certification requirement.

It is also possible that they may extend this to the more general FARs, the acquisition regulations for the rest of the government.  They have been talking about doing that for a couple of years, so if they really do that, it won’t be a real surprise.

One step forward is the naming of Ty Schieber as the head of the 13 member body that is charged with certifying auditors.  Ty is the senior director for executive education at Virginia’s Darden School Foundation.

A DoD spokesperson said that CMMC requirements will begin showing up in presolicitation documents around June of this year.  While that date is very aggressive and may slip, it does seem to indicate that DoD is very serious about this.

Some folks say that requiring contractors to get a certification that they are protecting DoD information might discourage some contractors from bidding on DoD work.

Getting sued by the DoD for breach of contract for not protecting DoD’s information in case of a breach could be a downer as well.  That seems to be the other alternative to me and far worse.

Ignoring situations where the Chinese and others can steal our intellectual property is not a viable option any more.

It is possible that DoD COULD skew the playing field by requiring a higher level of certification than is actually required on a specific contract because their favorite contractor has that level of certification, but DoD bidders are very familiar with disputing DoD contract awards, so that, ultimately, would backfire if they did that at any large scale.

There is a concern, and it is legitimate, that certifications from different auditors could produce different results.  That puts the onus on DoD to set good guidelines so that everyone knows how the process needs to work.

The important thing is to get started now.  While the next version of the spec might change a bit, the basics are locked in stone and it will take a while to get them  done.

The plan, as it has been explained to us, is that contractors who are not certified at the appropriate level will not be allowed to bid on contracts that specify a CMMC requirement.  There will likely be long queues once the final process is announced, so getting started now will put you in a place where you can request certification earlier and get a jump on those people who wait.

Source: Washington Technology



It’s Going to be Painful, And It’s Going to Cost Money

These are the words right out of the mouth of Katie Arrington, The Pentagon’s Chief Information Security Officer for the acquistion policy office.  Katie reports up to Kevin Fahey, the Assistant Defense Secretary for Acquisition.  He is the guy who is responsible making sure that the Pentagon spends those hundreds of billions of dollars a year responsibly.

She has been leading the charge for the Pentagon’s new Cybersecurity Maturity Model Certification (CMMC).  The plan is for the Pentagon to require that EVERYONE in the DoD supply chain, from the company providing nuts and bolts to the company writing complex software.  There are 5 CMMC certification levels, depending on the risk that a supply chain provider represents.

The current plan is that the new standard will come out early next year, start being included RFPs in mid-2020 and part of contracts starting in late 2020 (FY22).  For more information check out our CMMC web site.

Currently, companies  who have classified contracts or handle controlled unclassified information have some cybersecurity requirements, but 290,000 defense contractors and suppliers have no requirements right now.

While it is likely that this will be phased in on new contracts and higher risk contracts, Katie says that by 2025 it will be fully rolled out across the entire defense contractor space.  Given the requirements to become certified, now is the time to start planning, even if you think you, as a supplier, won’t be required to be certified until, say 2022.

From a cost standpoint, DoD understands that contract awards today are based on cost, performance and schedule, but they plan to add security as a fourth pillar and they understand that it will cost both you and them money.  That does not mean that you will have a blank check – you won’t – but it does mean that since the DoD standards are higher than general industry, they will have to pay some portion of that cost.

Regarding the pain part, it will be painful.  Companies will need to implement new rules and those rules will affect employees and there are likely at least some things that they will not be able to do any more. In addition, companies will either need to add staff to manage these security requirements or outsource that management.

Katie is saying that the DoD has the ability to FINE companies for selling products with security defects and companies should not underestimate their willingness to use that legal ability.

DoD has struggled since 2013 with improving their Defense Industrial Base’s security practices first by changing the DFARS, the regulations that defense contractors have to follow, then by creating a NIST guide (which is self certified) and now with a standard that requires annual third party certification.  All the while China has been stealing $500 billion a year or more in intellectual property.  Third party certification is the kicker with this rule.  People tend to stretch the truth when they self certify, but a third party that runs the risk of getting their certification rights revoked if they stretch the truth is much less likely to stretch things.

CMMC does not have any exclusions for small contractors.  They have to meet the same standards as Lockheed does.  Since small business systems are less complex, it will be easier for small to meet those standards, but it will not be free and it will not be painless.  Small companies have less internal sophistication and less internal resources, hence the pain part.

So, if you are in the defense supply chain at any level, become educated and start getting compliant.  Or run the risk of getting kicked out of the DoD supply chain.

Source:  Cyberscoop.