Thousands of Pentagon Contractors May Fail in Cyber Security: Are You Protected?

A recent report warns that thousands of Pentagon contractors may not be adequately protected against cyber security threats. This is a significant concern, as these contractors are responsible for some of the most sensitive data in the United States government. Are you worried about the potential for cyber attacks? If so, you’re not alone. Many businesses are concerned about the increasing number of cyber security threats. This blog post will discuss some of the biggest cyber threats and how you can protect your business from them.

cyber security

There is a lot of work to regulate cybersecurity in the vast and complicated defense industry. The Biden administration is moving forward with a more limited plan. That’s why the Cybersecurity Maturity Model Certification program, or C.M.M.C., hasn’t been fully implemented yet. It shows the risks and problems of changing supply chain cyber rules for the defense industrial base.

According to officials, Pentagon cybersecurity standards are designed to keep U.S. weapons systems safe from enemy hackers, but only one in four defense contractors can meet them now. This could make it difficult for the Biden administration’s new push to make the standards apply to the whole D.O.D. Supply base.

Experts from the Department of Defense have looked at 220 defense contractors over the past three years and found that three-quarters of them didn’t have basic cybersecurity controls in place. They had to develop a special agreement to fix their security problems, says John Ellis, the head of the Pentagon’s Defense Industrial Base Cybersecurity Assessment Center (D.I.B.C.A.C.).

This comes when the Biden administration is working on new rules that will make more than 200,000 companies that sell goods or services to the Department of Defense have to meet the same cybersecurity standards as the government. To stop a wave of hacking attacks against U.S.U.S. defense contractors that has been going on for more than a decade, the Pentagon started the C.M.M.C. program. This is the most ambitious one yet.

An assessment tool called D.I.B.C.A.C. looks for compliance with 110 cybersecurity rules set by the National Institute of Standards and Technology in its Special Publication 800–171. As a part of the C.M.M.C. program, Ellis says those are the same standards.

Email from Ellis: “We think the [C.M.M.C.] assessment method will look very much like what the D.I.B.C.A.C. does now.”

It looks like most defense contractors can’t currently pass a rigorous test of their compliance with N.I.S.T. standards, which will be required for all defense contractors in two years.

A former member of the Defense Science Board Task Force on Cyber Supply Chain, Robert Metzger, says many companies need to do a lot of work to meet the standards for the C.M.M.C.

cyber security
Estimated 220,000 businesses provide goods or services to the government, and many of them are small businesses. – Source: Thomas Hawk/Flickr

CMMC 1.0 Is Referred to as a “Bureaucratic Monster.”

There were some shocking numbers. They’re another hit to C.M.M.C., a project started by the Trump administration to ensure that all the companies that do business with the Department of Defense have strict cybersecurity rules. To make money, the Pentagon wanted to set up a network of thousands of third-party assessment organizations, or 3PAOs, to make sure that companies were meeting C.M.M.C. requirements.

But CMMC 1.0 ran into a barrage of criticism from people in the industry who said it was too complicated and rigid, especially for small businesses. Air Force Secretary Frank Kendall wrote an opinion piece for Forbes in April 2020 that said the program would make bureaucracy grow and risk a flood of lawsuits if companies were barred from bidding on defense contracts because they didn’t pass a third-party assessment.

In a speech, he asked the Department of Defense to “kill this bureaucratic monster before it gets bigger than it already is.”

A hailstorm of ethical questions about the process for accrediting 3PAOs also hit C.M.M.C. There were questions about possible conflicts of interest. It was given this job by the Cybersecurity Maturity Model Certification Accreditation Body, or CMMC-AB. This body will review and approve 3PAOs. But some of the same companies that were going to try to get the nonprofit group to become a 3PAO were paying for it. In addition, most defense contractors had to obtain third-party certification quickly under CMMC 1.0, which meant that early accreditation as a 3PAO would effectively give the 3PAO an advantage over a vast group of defense contractors who had to get certified quickly.

It had a lot of red flags and conflicts of interest, said John Weiler, a longtime I.T.I.T. snoop and the founder of an advisory group.

People in charge of the Department of Defense had to publicly disavow companies that said they could get C.M.M.C. accreditation before the standards were even set.

The program’s public face, Katie Arrington, the C.I.S.O. for the Department of Defense’s acquisition and sustainment office, was put on administrative leave in May of last year, Bloomberg reports. This is a strange twist on CMMC 1.0. After the N.S.A. accused her of making an unapproved disclosure of classified information, she moved to a new job. An ex-GOP state lawmaker who ran for Congress in South Carolina in 2018 lost. Arrington’s clearance was temporarily revoked, and she now faces having it completely revoked, which would effectively bar her from working in a national security job again.

During a lawsuit filed last year, Arrington said that because her clearance had been revoked, she couldn’t answer the charges against her because she couldn’t find out what they were or see the evidence that backed them up. The lawsuit was settled late last month, and her lawyer told S.C.S.C. Media that Arrington now has the information she needs to fight the effort to revoke her clearance. “We hope that this matter will be completely favorably resolved within a few months,” the lawyer said.

cyber security
These are members of the US Navy Aerial Demonstration Team, better known as the Blue Angels. They piloted the FA-18 “Hornet” aircraft during a May 2017 show. – Source: DOD photo/Marvin Lynchard/Flickr

CMMC 2.0: A Simplified Standard

President Biden took office last year, and in November, top defense officials said they would start over with a new program called CMMC 2.0. C.M.M.C. was already being looked at when Biden took office.

CMM 2.0 cuts cybersecurity requirements for most defense contractors, simplifies the compliance scheme from five levels to three and removes all but a small number of vendors’ need for third-party assessments. This reduces the demand for certification and drastically shrinks the proposed for-profit 3PAO ecosystem.

In a big way, the new version of the program allows contractors who don’t pass their third-party security assessment to enter into a special agreement called a Plan of Action and Milestones, or POA&M, to fix their security flaws. They can keep bidding and working on D.O.D. Contracts while they do.

C4ISRnet’s David McKeown talked about the CMMC 2.0 numbers at an event last year.

  • It’s made up of about 220,000 businesses that make things for the government.
  • More than 140,000 of them have data about federal contracts that “wouldn’t be very important if it was lost to the enemy.” These companies will be referred to as C.M.M.C. level one, which means they only need to show that they meet NIST 800–171 standards in an annual self-assessment and that a senior company executive has signed off on it.
  • The other 80,000 contractors also have controlled, unclassified information. They fall into the “advanced” C.M.M.C. level two category, which means they have much information. But McKeown said that only half of those contractors have “critical to national security” information and will need to be checked by a 3PAO, a third-party group. The other half of the data isn’t as important, but they’ll still have to write a self-assessment.
  • About 500 companies that work on the most critical contracts will be categorized as level three, which means they will have to meet even stricter N.I.S.T. standards from Special Publication 800–172. These companies will need to get a group two certification from an independent 3PAO and get a separate certificate from D.I.B.C.A.C. professionals.

It’s said that CMMC 2.0 solves many of the problems that industry groups and defense trade groups had with the original plan.

They’re still nervous, but not in public. That’s in part because the Justice Department has started a new project to fight “Civil Cyber-Fraud.” Prosecutors at the Department of Justice have said that they will go after government contractors who “knowingly misrepresent” their cybersecurity practices or protocols to get government business. Deputy Attorney General Lisa Monaco noted this last year. The False Claims Act, or F.C.A., will be used by the Civil Cyber-Fraud Initiative to reward whistleblowers and prosecute contractors who don’t meet cybersecurity standards.

Whistleblowers can get a share of the government’s money back when it sues a contractor. This is called the False Claims Act. “Civil Cyber-Fraud,” on the other hand, uses it in a way that makes the C.M.M.C. compliance process look like a game. This could make self-attestations look like a trap.

“Overall, the F.C.A. is a good thing, but there are bad consequences to using it this way,” said Metzger, the lawyer. … You’re giving money to people who think they’re doing the right thing for the public, but who also have money in their pockets… F.C.A. is not an excellent way to make sure that [D.O.D. Vendor] meets cybersecurity standards.

However, there are promising signs for vendors as the administration starts a two-year process of making general rules. This could be good news for them.

For example, contractors can limit the scope of third-party inspections for level two compliance. “This is important, and it can be beneficial, to reduce the risk of too broad scoping,” Metzger said.

Weiler said there is no way to get back the time wasted when CMMC 1.0 didn’t work.

“We kind of wasted three years,” he said. There is a good chance that the Chinese were pleased about this news.

Leave a Comment