Defense Cybersecurity Measures Race to Stop Adversaries
The CMMC forms up as threats increase in severity.
Adversaries are stepping up their efforts to exfiltrate information and weaken the U.S. supply chain through cyberspace. These efforts aim to both wreck the country from within and strengthen the hand of the adversary wielding the digital sword, according to a U.S. government official.
New government security measures are designed with these challenges in mind, and they can help secure targeted small businesses. The Cybersecurity Maturity Model Certification (CMMC), which is rolling out, is designed to help mitigate the effects of adversarial activities in cyberspace.
The threat and the CMMC solution were described by Katie Arrington, chief information security officer for the Office of the Undersecretary of Defense for Acquisition and Sustainment. Speaking to the AFCEA Small Business Committee, Arrington divided her comments largely into two areas: the cyber threat and the CMMC solution.
“We watched our adversaries take our IP, our data rights, ransomware attacks, you name it,” Arrington said. “The estimate is that the entire United States of America—in [its] health care sector, banking sector, defense sector—loses on average $600 billion each year in cyber exfiltration espionage.” She noted that this amount is almost the same as the annual U.S. Defense Department budget.
“Security is not ‘one-size-fits-all,’” she stated. “We need to tailor in our cybersecurity programs… that the government is spending the right money on the right programs at the right time. We’re not going to get any more money in the defense budget.”
She emphasized that while this investment is not cheap, its return on investment makes it a bargain compared to what adversaries are doing to the United States. “When they go in and they exfiltrate a small, a medium or a large-size business, they’re not backing down,” she described. “They’re in it to win it. They want to take your PII [personally identifiable information], your PHI [protected health information], your company data, your proprietary information, your supply chain. They want to know everything about you.”
Arrington continued that these activities are not limited to China. Cyber adversaries include Russia, North Korea, Iran and terrorist states, and they have been at work in the U.S. industrial base for years.
One approach is to sabotage the specifications in a procurement. Arrington described how an adversary could tamper with the specifications sent to a small business, which would then build a component perfectly to the wrong specifications. When that component was later found to be flawed during quality control, the procurement would be delayed and the prime contractor would drop the small business, and the resulting loss of faith in it probably would lead to its collapse. This kind of attack is happening today, she said, and it has ramped up during the COVID-19 pandemic, with everyone teleworking from laptops at home.
The aim is to buy out the supply chain or cut it off completely, she stated. China “had its way” with the United States during the pandemic by asserting itself strongly when supplies were badly needed. Urging small businesses to take this into consideration, she cited the importance of the CMMC in helping to prevent what she described as “life-threatening” cyber onslaughts that place the entire defense industrial base in peril. “It’s as important in our national security as nuclear warheads,” she analogized.
CMMC implementation proceeds in three steps. The first, the interim rule, goes into effect November 30. Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7019 will be a company’s most immediate and urgent clause. Two others, 252.204-7020 and 252.204-7021, also kick in then. Arrington explained that the 252.204-7019 clause requires every contractor that has 252.204-7012 in its contract to register on the Defense Supplier Performance Risk System (SPRS) website. This will require a self-assessment, she noted.
Assessments will continue over the next five years as the CMMC is implemented, although firms that have measured up over the past three years might be exempted, depending on contracts and conditions. These three clauses lead into full CMMC implementation on all contracts above the micropurchase threshold of $10,000. Prime contractors have to flow it down through their subcontractors. “The -7019 is the crawl, the -7020 is the walk, and the -7021 is the run,” she stated.
Arrington explained that the multiyear CMMC effort is bipartisan. “Nothing is going to change … whichever administration takes over on January 20, this is not going anywhere,” she said in the wake of the presidential and senatorial election returns.
Katie Arrington's address is available for viewing online here.