Tag Archives: DoD

Preparing for DoD’s CMMC

DoD continues to take actions that lead us to believe that they are very serious about the Cybersecurity Maturity Model Certification process.

This process will require that all DoD contractors ultimately get a third party cybersecurity certification on an annual basis if they want to continue to be part of the DoD food chain.

When I say part of the DoD food chain, I mean at every level.  An example DoD used recently was a requirement for the companies that mow the lawn and tend to the bushes at DoD installations would need to be certified.  EVERYONE is the plan.

Reports are the there are plans underway to make changes to the DFARS, the DoD acquisition regulations, this summer to reinforce the certification requirement.

It is also possible that they may extend this to the more general FARs, the acquisition regulations for the rest of the government.  They have been talking about doing that for a couple of years, so if they really do that, it won’t be a real surprise.

One step forward is the naming of Ty Schieber as the head of the 13 member body that is charged with certifying auditors.  Ty is the senior director for executive education at Virginia’s Darden School Foundation.

A DoD spokesperson said that CMMC requirements will begin showing up in presolicitation documents around June of this year.  While that date is very aggressive and may slip, it does seem to indicate that DoD is very serious about this.

Some folks say that requiring contractors to get a certification that they are protecting DoD information might discourage some contractors from bidding on DoD work.

Getting sued by the DoD for breach of contract for not protecting DoD’s information in case of a breach could be a downer as well.  That seems to be the other alternative to me and far worse.

Ignoring situations where the Chinese and others can steal our intellectual property is not a viable option any more.

It is possible that DoD COULD skew the playing field by requiring a higher level of certification than is actually required on a specific contract because their favorite contractor has that level of certification, but DoD bidders are very familiar with disputing DoD contract awards, so that, ultimately, would backfire if they did that at any large scale.

There is a concern, and it is legitimate, that certifications from different auditors could produce different results.  That puts the onus on DoD to set good guidelines so that everyone knows how the process needs to work.

The important thing is to get started now.  While the next version of the spec might change a bit, the basics are locked in stone and it will take a while to get them  done.

The plan, as it has been explained to us, is that contractors who are not certified at the appropriate level will not be allowed to bid on contracts that specify a CMMC requirement.  There will likely be long queues once the final process is announced, so getting started now will put you in a place where you can request certification earlier and get a jump on those people who wait.

Source: Washington Technology

 

 

Facebooktwitterredditlinkedinmailby feather

It’s Going to be Painful, And It’s Going to Cost Money

These are the words right out of the mouth of Katie Arrington, The Pentagon’s Chief Information Security Officer for the acquistion policy office.  Katie reports up to Kevin Fahey, the Assistant Defense Secretary for Acquisition.  He is the guy who is responsible making sure that the Pentagon spends those hundreds of billions of dollars a year responsibly.

She has been leading the charge for the Pentagon’s new Cybersecurity Maturity Model Certification (CMMC).  The plan is for the Pentagon to require that EVERYONE in the DoD supply chain, from the company providing nuts and bolts to the company writing complex software.  There are 5 CMMC certification levels, depending on the risk that a supply chain provider represents.

The current plan is that the new standard will come out early next year, start being included RFPs in mid-2020 and part of contracts starting in late 2020 (FY22).  For more information check out our CMMC web site.

Currently, companies  who have classified contracts or handle controlled unclassified information have some cybersecurity requirements, but 290,000 defense contractors and suppliers have no requirements right now.

While it is likely that this will be phased in on new contracts and higher risk contracts, Katie says that by 2025 it will be fully rolled out across the entire defense contractor space.  Given the requirements to become certified, now is the time to start planning, even if you think you, as a supplier, won’t be required to be certified until, say 2022.

From a cost standpoint, DoD understands that contract awards today are based on cost, performance and schedule, but they plan to add security as a fourth pillar and they understand that it will cost both you and them money.  That does not mean that you will have a blank check – you won’t – but it does mean that since the DoD standards are higher than general industry, they will have to pay some portion of that cost.

Regarding the pain part, it will be painful.  Companies will need to implement new rules and those rules will affect employees and there are likely at least some things that they will not be able to do any more. In addition, companies will either need to add staff to manage these security requirements or outsource that management.

Katie is saying that the DoD has the ability to FINE companies for selling products with security defects and companies should not underestimate their willingness to use that legal ability.

DoD has struggled since 2013 with improving their Defense Industrial Base’s security practices first by changing the DFARS, the regulations that defense contractors have to follow, then by creating a NIST guide (which is self certified) and now with a standard that requires annual third party certification.  All the while China has been stealing $500 billion a year or more in intellectual property.  Third party certification is the kicker with this rule.  People tend to stretch the truth when they self certify, but a third party that runs the risk of getting their certification rights revoked if they stretch the truth is much less likely to stretch things.

CMMC does not have any exclusions for small contractors.  They have to meet the same standards as Lockheed does.  Since small business systems are less complex, it will be easier for small to meet those standards, but it will not be free and it will not be painless.  Small companies have less internal sophistication and less internal resources, hence the pain part.

So, if you are in the defense supply chain at any level, become educated and start getting compliant.  Or run the risk of getting kicked out of the DoD supply chain.

Source:  Cyberscoop.

Facebooktwitterredditlinkedinmailby feather

DoD Releases Draft CMMC Guidelines

The Department of Defense is probably the largest software development (and hardware development) organization in world but unlike say Microsoft or Cisco, almost all of the development is performed by third parties – the so called defense industrial base or DIB.

It is also likely the number one target of nation state hackers since a major weapons system like the F-35 might cost a trillion dollars over its lifetime and it is way cheaper for countries like China to steal the tech than to develop it.  For example, China stole the plans for the F-35 and built the J-31 (see news item here).  Unfortunately, that is far from an exception.

The DoD has been trying to tighten up security among the base of hundreds of thousands of contractors (there are 300,000 + contractors that handle sensitive unclassified information called CUI and that is just one category of information).

The government wrote a security spec called NIST SP 800-171 but enforcement has been weak.

This year, working with Carnegie Mellon, Johns Hopkins and Mitre, the DoD is developing a “Cybersecurity Maturity Model Capability” (CMMC) very similar in concept to the model Carnegie Mellon developed for software developers (CMM) back in the 1990s.

The plan is that all DoD suppliers will be required to be certified by a third party. Every year,

While the model is only at version 0.4 and will not be finalized until next January, here is what it looks like right now.

  • There are 18 domains
  • The domains are comprised of capabilities
  • The capabilities have processes and practices
  • Certification runs from level 1 to level 5
  • Level 1 requires basic cybersecurity in an ad hoc manner and is designed for small companies who are not working on very sensitive projects
  • Level 5 is advanced security practiced in an optimized fashion
  • There are 35 practices for level 1
  • For level 5, which includes levels 1-4, there are 370 practices – all subject to change at this point
  • Very few companies will need to be certified at level 5

Click here to review the overview document for version 0.4.

For those people who are familiar with the NIST Cyber Security Framework (CSF) or NIST SP 800-53, this will all look very familiar.

The problem is that a large number of defense suppliers are small businesses that have no security program at all.  For these companies, they will be required to get to at least CMMC Level 1 and be certified annually by a third party.  This could come as  a shock to some.

While DoD messed around with enforcing NISP SP 800-171, there have been a number of serious DoD breaches over the last few years which have embarrassed the Pentagon brass, so it APPEARS that they are serious about this.  WE. SHALL. SEE.

The plan is for the standard to be done by January – warp speed for DoD, be included in RFIs by June and be included in RFPs by September.  Assuming they don’t blink (and it would be easy to put it into selective RFPs as opposed to making it a mandatory requirement), that would mark a huge change for the Department.

A complete copy of the draft can be found here.

My suggestion – if you are anywhere in the DoD supply chain – is to start learning about the CMMC and begin implementing basic cybersecurity practices now.  If you are at the more sensitive end of the DoD food chain – Secret, Top Secret and SCI – start looking at CMMC Levels 3 thru 5.

DoD has also said that they are going to start including security along with cost, schedule and function in contract awards and Katie Arrington has publicly said that DoD understands that they are going to have to pay for some of this.  Katie is the special assistant for cybersecurity, reporting up to Ellen Lord, who is the Undersecretary for Acquisition and Sustainment – the person who is responsible for buying tens of billions of dollars of weapons every year.

Read these documents and get started now because if DoD actually does what it says, it will be a scramble to comply and if they actually make security an award criteria, doing it later won’t matter – you won’t get the award.

Facebooktwitterredditlinkedinmailby feather

Navy Trying to Fix Their Cybersecurity Mess and Congress is Not Helping

After a horrifying independent review of the Navy’s current cybersecurity posture,  the Navy asked Congress to approve a new position of Assistant Secretary of the Navy to handle  cyber.  This comes after the Navy eliminated the role of CIO last year.

Congress turned them down, so now they are going around Congress to create a Special Assistant to the Secretary for Information Management/Chief Information Officer, which does not require Congressional approval.  They are also going to assign about 15-20 people to a team to work on the task.  Since there is no new money for this, many of these people will be getting additional jobs.  That, of course, will make them less effective, but at least the Navy is trying.

The Navy will also be hiring four senior leaders to run directorates inside this new office: a chief technology officer, a chief data officer, a chief digital strategy officer and a chief information security officer.  Congress has authorized special pay in certain areas like this at the rate of 1.5 times that of the Vice President of the US or about $300,000 a year per person.  They hope to attract folks from industry with numbers like this.

Their objective is to improve security across the Defense Industrial Base in light of the Chinese (and others) threat.  A key priority is to get second, third and fourth tier suppliers to implement strict cybersecurity regulations, specifically NIST SP 800-171.

Many contractors have ignored the requirements of 800-171, in part because of the cost and in part because the DoD has not been enforcing it.  In combination with the new proposed third party cybersecurity certification requirement (CMMC) that the DoD is talking about implementing next year, contractors who ignore these requirements may effectively eliminate themselves from getting any DoD contracts.  A good strategy would be to up your cybersecurity program effort in advance of these new rules going into effect, because it will take a while to get your program up to speed.

Source: Federal Computer Weekly.

 

Facebooktwitterredditlinkedinmailby feather

Security News Bites For The Week Ending January 18, 2019

City of Del Rio, Texas Reverts to the 1950s – Paper and Pen – After Ransomware Attack

Update:  The city says that it cannot issue utility bills which means that it won’t get utility revenue from residents.

Del Rio, Texas, on the Texas-Mexico border was hit by a ransomware attack this week and as a result, went back to pencil and paper.  All computers and servers were turned off and the city disconnected from the Internet.  While writing a receipt by hand for your library fines is quaint and works, I am not what happens if you want to, for example, buy or sell a house and need to pull up official city documents which likely only exist online.

Del Rio is working with the Secret Service to figure out what to do next.  It is unknown if they have insurance or even effective backups.

Del Rio’s population is about 40,000,   We have seen a number of small cities fall victim to ransomware, likely because they do not have the budget or staff to combat today’s sophisticated attacks.  Source: City of del Rio.

iPhones Being Discounted in China

Following on Tim Cook’s announcement that the iPhone company’s revenue will be down in the quarter ending December 29th (from November’s estimate of $89 to $93 billion down to $84 billion.  Retailers in China are discounting the newest iPhones (the XRs and XSs) from 10 to 20 percent.  China is a very important growth market for China since most of the western world is i-saturated.  If sales slow down in China and the rest of Asia, that won’t bode well for Apple’s future sales.   Given that an iPhone XS max sells, even when discounted, for over $1,400 and China’s strong nationalist tendencies, citizens may be buying phones from Huawei and other Chinese companies instead.  Apple’s stock has taken a tumble from $230 on October 3 to to $153 on January 10.  While revenue from iPads, wearables and other Apple products and services grew 19%, together they represent a blip on what should be known as iPhoneCo’s revenue (it represents less than 1 percent of the company’s total revenue).  Not to worry though, Apple still has over $100 billion in cash in the bank.  (source: Bleeping Computer).

Apple was forced to remove the more affordable iPhone 7 and 8s from German stores due to a patent dispute with Qualcomm.  In addition Chinese courts made Apple stop importing iPhones from the 6 to the X due to the same dispute (which seems sort of funny since Foxconn and a couple of competitors build most iPhones in China).  This leaves Apple with only the insanely expensive XR and XS lines to sell in China, which could explain the discounts above.  (Source: Bleeping Computer).

 

Some of the Biggest Web Hosters Are Vulnerable

A well known security researcher has found significant security holes in five of the largest web hoster’s systems – holes that would allow for an account takeover.  The hosters are Bluehost, Dreamhost, Hostgator, OVH and iPage.   It is reasonable to assume if we found these holes, there are more to be discovered.  In total, this represents about 7 million web sites at risk – enough to keep hackers busy for years.

This points out the importance of vendor cyber risk management.  Just because a vendor is big does not mean that it is secure.  Source: Tech Crunch.

Judge Says Feds Can’t Force You to Unlock Biometrically Protected Phone, Even with a Warrant

In what is likely going to be appealed, a Northern California Magistrate Judge says that the Feds can’t force you to unlock biometrically secured phones, even with a warrant.

There has been a lot of give and take in this area, with judges saying you can’t be forced to incriminate yourself by unlocking your password protected phone until now.  Somehow, in the law’s view, a password is testimony and a fingerprint is not.

The Feds wanted the judge to issue a warrant forcing anyone on the premises at the time of a raid to unlock their phones for them.

In this case, the judge said the warrant request was over broad.

But he also said that forcing people to unlock their phones runs afoul of the Fourth and Fifth amendments to the Constitution.

The Feds were in a hurry because if the phones “age” in their evidence lockers, biometrics will no longer work, even if they convinced people to do that.

It seems to me that this is the right answer, but stay tuned.  Source: The Hacker News.

The DoD is Horrible at Cybersecurity

According to the Department of Defense’s Inspector General, there were 266 cybersecurity recommendations open, some dating back to 2008.

This includes unlocked server racks and unencrypted disks at Ballistic Missile Defense Sites.

If this was bad, wait till you hear about contractors.

The IG examined 7 ballistic missile contractors.  Of them, 5 did not always use multi-factor authentication when accessing missile information.  They also failed to conduct risk assessments and encrypt data.

The list goes on and on.

No one has been arrested and/or charged with any crimes.  That fundamentally is the problem.  If there are no consequences to ignoring the rules, then many people just won’t bother.  Source: Motherboard.

 

Facebooktwitterredditlinkedinmailby feather

DoD Moving Forward on Cybersecurity After Breach

In the wake of the cybersecurity disaster at the Naval Undersea Warfare Center, where a contractor lost control of over 600 gigabytes of extremely sensitive weapons system data for the Sea Dragon program, the DoD is reacting.  Sea Dragon, based on the few details we have, is a disruptive offensive weapon targeting Chinese submarines.

Among the data compromised is cryptographic information about how the subs communicate.

Now the Chinese have those secrets and the billions of dollars probably spent on the program may be flushed down the toilet.

DODDAC, the Department of Defense Damage Assessment Center, is trying to assess the level of damage that was done.  It is likely that we will never find out the true impact of this breach.

The category of information that was breached is known, generally, as controlled unclassified information or CUI.  The DoD has been talking for years about implementing an acquisition rule called DFARS 204.252-7012, securing controlled unclassified information and NIST SP 800-171, the how to guide for doing that.  December 31, 2017 was supposed to be the date the regulation went into effect, but in mid December the DoD blinked.  Again.  The instructions to industry were that they just needed to have a plan for becoming compliant.

But the problem is that no one was assigned to fix the problem.

In the wake of this new and recurring scandal, Defense Secretary  Jim Mattis ordered the Under Secretary of Defense for Intelligence to deal with this.  The Under Secretary instructed the Defense Security Service, who is accountable for managing classified information in the defense contractor community, to come up with a plan to manage controlled unclassified information too.  The challenge with that is the amount of controlled unclassified information and the number of people handling it dwarfs the amount of classified information by many times.

Given this, what should defense contractors and sub-contractors do now?

While we don’t know the how and the when, it is very likely that DoD will begin to clamp down on how contractors handle CUI and the Defense Security Service will expand their sphere of influence to contractors handling CUI.  Starting with the primes – and letting them handle the subs.  We have seen that this has already started, but we believe it will accelerate.

For the most part, what NIST 800-171 mandates is “best in industry” cyber security practices.

If you are a contractor, you should be actively working on becoming compliant.  You should have been already doing this, but there should be more urgency now.  Starting with implementing the policies, procedures and practices and moving on from there.  Adding the controls and monitoring; incident response and so on.

While we don’t know when, my guess is General Mattis does not want another disaster on his watch and he already has the regulations on the books to help fix the problem.  All he needs to do is make it happen.  Remember, Generals, especially Marine Corps Generals,  are very good at “making it happen” and I would not question his desire to not be embarrassed again.  He is going to have to, at some point, explain to Congress why the billions of dollars they gave him have been wasted.  Not a fun conversation.

Given all this, being prepared is a really good plan.  We can help.

Information for this post is based on a memo from the Pentagon.

Facebooktwitterredditlinkedinmailby feather