Crackdown on Supply Chain Cybersecurity
New enforcement efforts may be a compliance dream or nightmare.
Supply chain security has concerned government leaders for decades, but with attacks on industrial control systems (ICS) now arriving through supply chain vulnerabilities, and with increasing reliance on the Internet of Things (IoT), Congress is stepping up its involvement. Legislators have promised that more stringent standards will soon be enforced.
These standards extend beyond the ICS supply chain to the protection of controlled unclassified information (CUI). For most businesses that manage data and systems for the government, the complexity of compliance will be a nightmare and an overwhelming strain on resources. On the other hand, for the first time, initiatives coming from the highest levels of government suggest a "we're here to help" attitude, offering varying levels of assistance to contractors. But will financial provision, whether reimbursement or treatment of compliance spending as an "allowable cost," provide enough relief from the supply chain compliance burden?
Enforcement building momentum
The DOD's recently announced cybersecurity enforcement model, the Cybersecurity Maturity Model Certification (CMMC), is not the only sign that the government's tolerance of non-compliance is becoming a thing of the past. Mapping recent events gives a timeline that shows the government's intent to enforce compliance.
In 2017, the administration issued its first cybersecurity executive order, which mandated that all federal agencies use the Cybersecurity Framework developed by the National Institute of Standards and Technology (NIST). Shortly thereafter, supply chain risk management subcategories were added to the framework. December 31, 2017, was the deadline for all DOD contractors to comply with Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, which is designed to protect CUI in non-federal information systems.
Then, in 2018, the National Defense Authorization Act gave the DOD chief information officer authority to set and enforce information technology standards across the entire military, and Kaspersky Lab, Huawei and ZTE were barred from government and contractor networks. A series of DOD memos also provided guidance for assessing contractor compliance with clause 252.204-7012, including contract language that addresses access to supplier system security plans.
In 2019, DOD issued a memo assigning the Defense Contract Management Agency the role of validating contractor compliance with the requirements of clause 252.204-7012. Ellen M. Lord, Under Secretary of Defense for Acquisition and Sustainment, communicated her intent to audit the DOD supply chain for compliance with the clause. During a hearing of the Senate Armed Services Committee, Dana Deasy, DOD chief information officer, suggested that compliance enforcement would be modeled after industry practice. At the same hearing, Sen. Joe Manchin, D-W.Va., responded to industry feedback that it is nearly impossible to ensure all subcontractors abide by cybersecurity protocols by stating, "Somebody has to be held accountable."
In May, Lord's office announced its new enforcement model, the Cybersecurity Maturity Model Certification, and began a "listening tour" to solicit feedback. NIST released a draft document, SP 800-171B, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets, which offers additional recommendations for protecting CUI that runs a higher-than-usual risk of exposure. Finally, the federal government filed a milestone lawsuit against a contractor alleged to have made false claims misrepresenting its compliance with those CUI protection requirements.
While much of what has taken place applies immediately to defense contractors, it is highly likely that the compliance requirements in the defense regulations will expand into the Federal Acquisition Regulation, and sooner rather than later.
How to prepare
Most security leaders understand the need to prioritize supply chain protection measures. Some have taken sufficient action to put those measures in place, but most have not, because implementing them, and then ensuring compliance throughout their supply chains, is complex.
The best advice is to focus on your own organization's cybersecurity requirements first. Three steps will move your organization toward compliance regardless of whether your efforts are ultimately treated as an "allowable cost" under the next government request for proposal: define CUI as it applies to your organization; scope your network so that CUI is confined to the smallest boundary you can defend, which minimizes the systems that must comply; and generate evidence of compliance, such as a system security plan and a plan of action for any unmet requirements, so that an assessor can verify it.
What about the extremely difficult task of ensuring compliance throughout your supply chain? Hopefully legislators and government leaders will continue the "we're here to help" approach and establish more initiatives like the Secure and Trusted Communications Reimbursement Program (to assist with the cost of replacing prohibited equipment) and the Defense Industrial Base Sector Coordinating Council (to provide industry collaboration). Contractors doing business with the government, and their suppliers, may not yet know how the latest push for enforcement will affect them; only time will tell. The good news is that relief could also be in sight.
Rod Musser is senior product manager at Tripwire.