Tag Archives: DoD

Security News for the Week Ending April 3, 2020

DoD Concerned Covid Will Cause US IP Loss

In an interesting analysis, Ellen Lord, DoD’s top acquisition official, is concerned that foreign interests (including unfriendly foreign interests) will buy or invest in small U.S. defense subs and steal our tech.  In theory CFIUS and FIRRMA should make that harder, as the government has the right to nix buyouts if it thinks they will hurt us, but first it has to know about them.  With Covid potentially impacting the stability of these small companies, the government has its work cut out for it.  Source: Defense Systems

Violating a Web Site’s Terms of Service: Hacking or Not?

The Computer Fraud and Abuse Act (CFAA) was written long before the Internet, but leave it to aggressive prosecutors and companies to use it in a way that was never intended.  But the various federal courts can’t seem to figure out how to interpret it.  The DC federal court has just ruled that using a web site with a legally obtained user account in a way that may violate the web site owner’s terms of service is not hacking and cannot be prosecuted under the CFAA.  Since about half of the federal courts have ruled in each direction on this issue, it is likely to make it up to the Supremes.  This is important both for web site operators and security researchers. Source: Ars Technica

Zoom Does Not Support End to End Encryption, Despite Claims that it Does

In some of Zoom’s documentation, as well as in the client, Zoom says that it supports end to end encryption, but in fact it does not, at least when video is involved.  I am sure that now that it has come out that they lied on their web site, they will likely get sued.  If you think about it, given that they have the ability to record your call, there is no way that it can be end to end encrypted.  The video is encrypted between their data center and you, which is probably good enough for 99% of the planet.  This also means that the fuzz can listen in on your call.  Moral of the story: if you are doing something illegal, or classified, don’t discuss it on a public video conference (or audio) service.  There are ways to really do end to end encryption and I have set them up before, but they are neither cheap nor simple.  Source: The Intercept

DoJ Inspector General Says FISA Court Requests Are Suspect

The Department of Justice’s Inspector General says that the FBI has not followed the rules when applying for secret FISA warrants over the last five years.  Given that the whole process is secret, it is not surprising that it is flawed.  Any time the government operates outside the light of day, the opportunity for abuse is there and now, the DoJ IG is questioning 700 warrant requests made over the last 5 years.  The court is basically a rubber stamp since there is no “other side” to any request.  This came to light when Carter Page, a Trump campaign advisor, was the subject of a FISA court wiretap.  This is also at the core of the fight between the House and Senate over the renewal of certain parts of FISA that expired last month.  Source: The Register

California AG Revises CCPA Regulations Again

As the deadline set by the legislature for the enforcement of CCPA lurches closer (July 1), the AG has revised the proposed regulations again.  Among the changes are a re-expansion of the definition of personal information, privacy notice guidance, instructions on responding to data subject requests, clarification/restriction of service provider use of information and a minor clarification of the definition of financial incentives.  See the assessment from law firm ReedSmith here and a copy of the again revised regs here.

As Another DoD Contractor is Breached; DoD Works to Stop Them

Visser Precision, a precision parts contract manufacturer based in Denver, Colorado, has confirmed a “cybersecurity incident”.

Visser makes parts for the likes of Tesla, Space X, Boeing and defense contractor Lockheed Martin.

The ransomware was DoppelPaymer, one of the Ransomware 2.0 variants that steal the data before they encrypt it.  Some of that data is available for download on the hackers’ website to prove that they stole it.

One of the documents appears to be a partial schematic for a missile antenna.

THAT MEANS THAT THIS QUALIFIES AS A DATA BREACH.

While Tesla, SpaceX and Boeing did not respond to requests for comment, Lockheed said that they were “aware of the situation”.

Source: Tech Crunch

Lockheed, as a defense contractor, is required to notify the Department of Defense within 72 hours of a breach in most cases.  We assume Lockheed did that.  That requirement flows down to all subcontractors like Visser.  DoD can then decide what next steps are appropriate.  In this case, since it appears that sensitive information was actually stolen from Visser, DoD will, most likely, investigate.

About a month ago, DoD released version 1.0 of its Cybersecurity Maturity Model Certification (CMMC), a framework for improving the security of defense contractors.  DoD has not, however, started implementing it.  The program requires everyone who sells to the DoD, from cafeteria operators to lawn care firms to companies building missiles, to adhere to a range of cybersecurity standards and be certified by a third party to ensure compliance.

DoD is actually moving very rapidly for a government entity with 1.4 million active duty personnel, 1.1 million reservists and 860,000 civilians.  It took them less than a year to define and approve the standard and they hope to have some contracts with the CMMC requirement in place this calendar year.  That means that they have to train the assessors, approve the certifiers and issue the contracts.

No one has announced whether this attack was done by the Chinese, Russians, North Koreans or a 400 pound teenager in his parent’s basement.  With no information, I vote for the first one.

DoD says that, for contracts that have CMMC requirements, vendors will not be allowed to BID on the contract if they do not have the appropriate CMMC certifications already in place.

This is definitely motivating companies like Lockheed, and breaches like the one at Visser, whose security Lockheed vetted and approved, only make them more motivated.

If you serve the defense industry, now is the time to get prepared because it will take some time and effort.

Preparing for DoD’s CMMC

DoD continues to take actions that lead us to believe that they are very serious about the Cybersecurity Maturity Model Certification process.

This process will require that all DoD contractors ultimately get a third party cybersecurity certification on an annual basis if they want to continue to be part of the DoD food chain.

When I say part of the DoD food chain, I mean at every level.  An example DoD used recently was that the companies that mow the lawn and tend to the bushes at DoD installations would need to be certified.  EVERYONE is the plan.

Reports are that there are plans underway to make changes to the DFARS, the DoD acquisition regulations, this summer to reinforce the certification requirement.

It is also possible that they may extend this to the more general FARs, the acquisition regulations for the rest of the government.  They have been talking about doing that for a couple of years, so if they really do that, it won’t be a real surprise.

One step forward is the naming of Ty Schieber as the head of the 13 member body that is charged with certifying auditors.  Ty is the senior director for executive education at Virginia’s Darden School Foundation.

A DoD spokesperson said that CMMC requirements will begin showing up in presolicitation documents around June of this year.  While that date is very aggressive and may slip, it does seem to indicate that DoD is very serious about this.

Some folks say that requiring contractors to get a certification that they are protecting DoD information might discourage some contractors from bidding on DoD work.

Getting sued by the DoD for breach of contract for not protecting DoD’s information in case of a breach could be a downer as well.  That seems to be the other alternative to me and far worse.

Ignoring situations where the Chinese and others can steal our intellectual property is not a viable option any more.

It is possible that DoD COULD skew the playing field by requiring a higher level of certification than is actually required on a specific contract because their favorite contractor has that level of certification, but DoD bidders are very familiar with disputing DoD contract awards, so that, ultimately, would backfire if they did that at any large scale.

There is a concern, and it is legitimate, that certifications from different auditors could produce different results.  That puts the onus on DoD to set good guidelines so that everyone knows how the process needs to work.

The important thing is to get started now.  While the next version of the spec might change a bit, the basics are locked in stone and it will take a while to get them done.

The plan, as it has been explained to us, is that contractors who are not certified at the appropriate level will not be allowed to bid on contracts that specify a CMMC requirement.  There will likely be long queues once the final process is announced, so getting started now will put you in a place where you can request certification earlier and get a jump on those people who wait.

Source: Washington Technology


It’s Going to be Painful, And It’s Going to Cost Money

These are the words right out of the mouth of Katie Arrington, the Pentagon’s Chief Information Security Officer for the acquisition policy office.  Katie reports up to Kevin Fahey, the Assistant Defense Secretary for Acquisition.  He is the guy who is responsible for making sure that the Pentagon spends those hundreds of billions of dollars a year responsibly.

She has been leading the charge for the Pentagon’s new Cybersecurity Maturity Model Certification (CMMC).  The plan is for the Pentagon to require that EVERYONE in the DoD supply chain, from the company providing nuts and bolts to the company writing complex software, be certified.  There are 5 CMMC certification levels, depending on the risk that a supply chain provider represents.

The current plan is that the new standard will come out early next year, start being included in RFPs in mid-2020 and become part of contracts starting in late 2020 (FY22).  For more information check out our CMMC web site.

Currently, companies who have classified contracts or handle controlled unclassified information have some cybersecurity requirements, but 290,000 defense contractors and suppliers have no requirements right now.

While it is likely that this will be phased in on new contracts and higher risk contracts, Katie says that by 2025 it will be fully rolled out across the entire defense contractor space.  Given the requirements to become certified, now is the time to start planning, even if you think you, as a supplier, won’t be required to be certified until, say 2022.

From a cost standpoint, DoD understands that contract awards today are based on cost, performance and schedule, but they plan to add security as a fourth pillar and they understand that it will cost both you and them money.  That does not mean that you will have a blank check – you won’t – but it does mean that since the DoD standards are higher than general industry, they will have to pay some portion of that cost.

Regarding the pain part, it will be painful.  Companies will need to implement new rules and those rules will affect employees and there are likely at least some things that they will not be able to do any more. In addition, companies will either need to add staff to manage these security requirements or outsource that management.

Katie is saying that the DoD has the ability to FINE companies for selling products with security defects and companies should not underestimate their willingness to use that legal ability.

DoD has struggled since 2013 with improving their Defense Industrial Base’s security practices first by changing the DFARS, the regulations that defense contractors have to follow, then by creating a NIST guide (which is self certified) and now with a standard that requires annual third party certification.  All the while China has been stealing $500 billion a year or more in intellectual property.  Third party certification is the kicker with this rule.  People tend to stretch the truth when they self certify, but a third party that runs the risk of getting their certification rights revoked if they stretch the truth is much less likely to stretch things.

CMMC does not have any exclusions for small contractors.  They have to meet the same standards as Lockheed does.  Since small business systems are less complex, it will be easier for small companies to meet those standards, but it will not be free and it will not be painless.  Small companies have less internal sophistication and fewer internal resources, hence the pain part.

So, if you are in the defense supply chain at any level, become educated and start getting compliant.  Or run the risk of getting kicked out of the DoD supply chain.

Source: Cyberscoop.

DoD Releases Draft CMMC Guidelines

The Department of Defense is probably the largest software development (and hardware development) organization in the world, but unlike, say, Microsoft or Cisco, almost all of the development is performed by third parties – the so called defense industrial base or DIB.

It is also likely the number one target of nation state hackers since a major weapons system like the F-35 might cost a trillion dollars over its lifetime and it is way cheaper for countries like China to steal the tech than to develop it.  For example, China stole the plans for the F-35 and built the J-31 (see news item here).  Unfortunately, that is far from an exception.

The DoD has been trying to tighten up security among the base of hundreds of thousands of contractors (there are 300,000 + contractors that handle sensitive unclassified information called CUI and that is just one category of information).

The government wrote a security spec called NIST SP 800-171 but enforcement has been weak.

This year, working with Carnegie Mellon, Johns Hopkins and Mitre, the DoD is developing a “Cybersecurity Maturity Model Certification” (CMMC) very similar in concept to the model Carnegie Mellon developed for software developers (CMM) back in the 1990s.

The plan is that all DoD suppliers will be required to be certified by a third party, every year.

While the model is only at version 0.4 and will not be finalized until next January, here is what it looks like right now.

  • There are 18 domains
  • The domains are comprised of capabilities
  • The capabilities have processes and practices
  • Certification runs from level 1 to level 5
  • Level 1 requires basic cybersecurity in an ad hoc manner and is designed for small companies who are not working on very sensitive projects
  • Level 5 is advanced security practiced in an optimized fashion
  • There are 35 practices for level 1
  • For level 5, which includes levels 1-4, there are 370 practices – all subject to change at this point
  • Very few companies will need to be certified at level 5

Click here to review the overview document for version 0.4.

For those people who are familiar with the NIST Cyber Security Framework (CSF) or NIST SP 800-53, this will all look very familiar.

The problem is that a large number of defense suppliers are small businesses that have no security program at all.  These companies will be required to get to at least CMMC Level 1 and be certified annually by a third party.  This could come as a shock to some.

While DoD messed around with enforcing NIST SP 800-171, there have been a number of serious DoD breaches over the last few years which have embarrassed the Pentagon brass, so it APPEARS that they are serious about this.  WE. SHALL. SEE.

The plan is for the standard to be done by January – warp speed for DoD, be included in RFIs by June and be included in RFPs by September.  Assuming they don’t blink (and it would be easy to put it into selective RFPs as opposed to making it a mandatory requirement), that would mark a huge change for the Department.

A complete copy of the draft can be found here.

My suggestion – if you are anywhere in the DoD supply chain – is to start learning about the CMMC and begin implementing basic cybersecurity practices now.  If you are at the more sensitive end of the DoD food chain – Secret, Top Secret and SCI – start looking at CMMC Levels 3 thru 5.

DoD has also said that they are going to start including security along with cost, schedule and function in contract awards and Katie Arrington has publicly said that DoD understands that they are going to have to pay for some of this.  Katie is the special assistant for cybersecurity, reporting up to Ellen Lord, who is the Undersecretary for Acquisition and Sustainment – the person who is responsible for buying tens of billions of dollars of weapons every year.

Read these documents and get started now because if DoD actually does what it says, it will be a scramble to comply and if they actually make security an award criteria, doing it later won’t matter – you won’t get the award.

Navy Trying to Fix Their Cybersecurity Mess and Congress is Not Helping

After a horrifying independent review of the Navy’s current cybersecurity posture, the Navy asked Congress to approve a new position of Assistant Secretary of the Navy to handle cyber.  This comes after the Navy eliminated the role of CIO last year.

Congress turned them down, so now they are going around Congress to create a Special Assistant to the Secretary for Information Management/Chief Information Officer, which does not require Congressional approval.  They are also going to assign about 15-20 people to a team to work on the task.  Since there is no new money for this, many of these people will be getting additional jobs.  That, of course, will make them less effective, but at least the Navy is trying.

The Navy will also be hiring four senior leaders to run directorates inside this new office: a chief technology officer, a chief data officer, a chief digital strategy officer and a chief information security officer.  Congress has authorized special pay in certain areas like this at the rate of 1.5 times that of the Vice President of the US or about $300,000 a year per person.  They hope to attract folks from industry with numbers like this.

Their objective is to improve security across the Defense Industrial Base in light of the threat from China (and others).  A key priority is to get second, third and fourth tier suppliers to implement strict cybersecurity regulations, specifically NIST SP 800-171.

Many contractors have ignored the requirements of 800-171, in part because of the cost and in part because the DoD has not been enforcing it.  In combination with the new proposed third party cybersecurity certification requirement (CMMC) that the DoD is talking about implementing next year, contractors who ignore these requirements may effectively eliminate themselves from getting any DoD contracts.  A good strategy would be to up your cybersecurity program effort in advance of these new rules going into effect, because it will take a while to get your program up to speed.

Source: Federal Computer Weekly.