End-to-End Encryption and Defense Industry Cybersecurity
The CMMC helps harden industrial base cybersecurity.
The Department of Defense (DOD) is dramatically increasing its digital security expectations for defense contractors and subcontractors. Having been on both sides of the partnership between government and the public sector, I am happy to see DOD is not only raising the bar on cybersecurity but also providing guidance on the implementation of cybersecurity best practices within the defense industrial base.
Information management is a critical component for our military forces today no matter where they are operating. The technology that provides and supports that information brings unparalleled capabilities to our warfighting efforts against potential adversaries. We rely on the work of our defense contractors to bring this technology to our forces and with it, the expectation that all steps are taken to reduce risks and vulnerabilities that could delay or reduce our capabilities.
For years, however, this expectation has fallen short due to huge gaps in data security. Data has been compromised and the integrity of data has been questioned. The challenge of overcoming these gaps was recently highlighted by former U.S. Undersecretary of the Navy Thomas Modly, who noted that “serious data breaches, in both our own networks and those of our suppliers, have rudely awakened us to the relentless nature of our adversaries. …there is not a single thing that we do to defend our nation for which data and information management will not be core to our business.”
And this issue and reliance is one equally felt across all branches of services.
The DOD recently rolled out its new Cybersecurity Maturity Model Certification (CMMC) program. The CMMC marks a major step forward in hardening the cybersecurity of our defense industrial base, and it is not playing favorites. It applies equally to the primes as well as their subcontractors. Ellen Lord, undersecretary of defense for acquisition and sustainment, highlighted the need to go deep in her January 31st press conference announcing CMMC when she noted that our adversaries look “at our most vulnerable link, which is usually six, seven, eight levels down in the supply chain. “
The CMMC provides the defense industrial base with a combination of processes and practices, distributed among five tiers, enabling both the government customers and industry to know exactly what is expected from a cybersecurity perspective. Based on the program, and the risks associated, defense contractors and their subcontractors will be expected to meet essential criteria in order to do business with the Defense Department.
The pillars of DOD contract awards have traditionally been cost, performance and schedule. The CMMC has made cybersecurity the foundation on which these pillars rest. Cybersecurity has now become the price of admission to the bidding process itself. Without a sufficiently secure system, a contractor’s bid won’t be considered. As I mentioned, the CMMC is a tiered framework, but it also links best practices and standards so that defense contractors will know what exactly is required.
Today, around 300,000 contractors work with the department and a lot of their legacy processes and systems will need an upgrade to meet the new CMMC standards. Given my years in leading cybersecurity efforts both within the DOD and the Department of Homeland Security, as well as my experience in the private sector, I know the proper use of strong encryption standards can play an outsized role in the success of CMMC. End-to-end encryption should be singled out for extra attention here given its power in securing data and in protecting email, data and files.
End-to-end encryption is indeed the gold standard for data security and goes a long way toward achieving the level of protection the CMMC envisions. While securing data communications between senders and recipients, it is also a critical element in a defense-in-depth capability, ensuring minimal risks should a breach occur.
This fundamental capability has even been recognized in the last few months by new State Department rules as a means to provide an acceptable process for communicating International Traffic in Arms data overseas, because end-to-end encrypted data does “not constitute an export, re-export, retransfer, or temporary import” of information. This ruling highlights the significant level of confidence State Department officials afford to data secured with end-to-end encryption.
Navy Chief Information Officer Aaron Weiss likes to say that cybersecurity cannot be “security by compliance” but rather must be “security as a state of being.” Something I have preached for years. Today, digital security has to be part of everything the Navy and the DOD do. Cybersecurity must be woven into every step in the supply chain. CMMC acknowledges that and insists that defense suppliers do too. With end-to-end encryption for email and file sharing, contractors can take a basic, yet critical, first step towards protecting their data and achieving real CMMC-level security.
The new CMMC will take our defense supply chain onto an important and structured path for digital security. Contractors who catch the rising tide will be ready to bid and ready to operate with real security.
Rear Adm. Michael Brown, USN (Ret.), has led cyber operations in the Defense Department and Homeland Security Department and held executive positions in the private sector. He is an advisor to PreVeil.