Could NIST 800-171 or CMMC have Influenced the Response to SolarWinds?
SolarWinds, with more than 300,000 global clients, including many federal agencies in the United States and mostly Fortune 500 companies, unknowingly released a software update that included malware providing hackers unobstructed remote access to victim networks. The magnitude of this breach requires impacted customers to conduct forensics if they have the means, immediately remove the compromised SolarWinds Orion products from their network, execute an incident response action plan and rebuild the network previously monitored by SolarWinds products.
This level of breach is catastrophic, and impacted businesses should assume total compromise. The work to recover from this event on a meaningful size network is inconceivable for those who have not been through this before.
As a Microsoft Partner and leading provider of Managed CMMC Compliance to Defense Industrial Base (DIB) contractors, CyberSheath has fielded many inquiries related to the extensive investigation into the SolarWinds breach. As nearly every business of any size has some level of Microsoft deployed in their environment, we wanted to share several items we felt would be of interest to those with Microsoft, SolarWinds, or both currently deployed.
- Microsoft Source Code Repository Access: Microsoft detected malicious SolarWinds applications in their environment, isolated and removed. During the investigation, Microsoft detected unusual activity with a small number of accounts, which was used to view source code repositories. The accounts could not modify code, and the affected accounts were investigated and remediated. There has been no identified risk to services or customer data due to this activity. Access the full Microsoft post SolarWinds Impact and Investigation. Microsoft provided security tools to investigate and mitigate any known SolarWinds related malicious activity. Microsoft has published several resources that can be used in response to this attack.
- Microsoft 365 Defender: Businesses with Microsoft Defender 365 should leverage the Indicators of Compromise (IOC’s) provided by Microsoft 365 Defender to look for vulnerabilities and potentially malicious activities related to the SolarWinds attack.
- Microsoft Azure Sentinel: Microsoft has published recommended content to Azure Sentinel that should be used to monitor for indicators of compromise.
Finally, the Solorigate Resource Center, which Microsoft keeps updated with their latest information, can be found here.
Regulatory Compliance Impact on SolarWinds Incident
Aside from what businesses can and should be doing to respond to and recover from this widescale attack, one of the questions heard frequently is, “Could CMMC have prevented any of this?”. We think this is the wrong question to ask and represents “silver bullet thinking”. For example, we do not use this type of thinking in regards to vehicle seatbelts. Seatbelts are required in vehicles here in the United States despite their inability to prevent 100% of injuries, because we still recognize their overall value in injury prevention.
The fact is had DFARS clause 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting been enforced and compliance verified since 2017, rather than then selectively implemented through self-certification, the SolarWinds attack might have looked very different. The clause mandates rapid reporting of cyber incidents to DoD. Specifically, the clause requires:
Cyber Requirements under NIST 800-171 Since 2017
(c) Cyber incident reporting requirement.
(1) When the Contractor discovers a cyber incident that affects a covered contractor information system or the covered defense information residing therein, or that affects the contractor’s ability to perform the requirements of the contract that are designated as operationally critical support and identified in the contract, the Contractor shall—
(i) Conduct a review for evidence of compromise of covered defense information, including, but not limited to, identifying compromised computers, servers, specific data, and user accounts. This review shall also include analyzing covered contractor information system(s) that were part of the cyber incident, as well as other information systems on the Contractor’s network(s), that may have been accessed as a result of the incident in order to identify compromised covered defense information, or that affect the Contractor’s ability to provide operationally critical support; and
(ii) Rapidly report cyber incidents to DoD at https://dibnet.dod.mil.
(2) Cyber incident report. The cyber incident report shall be treated as information created by or for DoD and shall include, at a minimum, the required elements at https://dibnet.dod.mil.
(3) Medium assurance certificate requirement. In order to report cyber incidents in accordance with this clause, the Contractor or subcontractor shall have or acquire a DoD-approved medium assurance certificate to report cyber incidents. For information on obtaining a DoD-approved medium assurance certificate, see https://public.cyber.mil/eca/.
(d) Malicious software. When the Contractor or subcontractors discover and isolate malicious software in connection with a reported cyber incident, submit the malicious software to DoD Cyber Crime Center (DC3) in accordance with instructions provided by DC3 or the Contracting Officer. Do not send the malicious software to the Contracting Officer.
(e) Media preservation and protection. When a Contractor discovers a cyber incident has occurred, the Contractor shall preserve and protect images of all known affected information systems identified in paragraph (c)(1)(i) of this clause and all relevant monitoring/packet capture data for at least 90 days from the submission of the cyber incident report to allow DoD to request the media or decline interest.
(f) Access to additional information or equipment necessary for forensic analysis. Upon request by DoD, the Contractor shall provide DoD with access to additional information or equipment that is necessary to conduct a forensic analysis.
(g) Cyber incident damage assessment activities. If DoD elects to conduct a damage assessment, the Contracting Officer will request that the Contractor provide all of the damage assessment information gathered in accordance with paragraph (e) of this clause.
Benefit of NIST 800-171 Information-Sharing Mechanism
While looking at this list of reporting requirements, it is impossible to believe that the defense industrial base would not have been better served having implemented NIST 800-171 and being part of the robust information-sharing mechanisms between DoD and industry. IOC’s Would have reached a wider audience, faster and likely with greater precision.
It is not a leap of faith to believe that our national security and the Department of Defense supply chain will be materially strengthened because of regulatory requirements like CMMC.
How Secure is the Defense Industrial Base Supply Chain?
We invite you to an interactive review of our analysis detailing hundreds of DoD contractors’ cybersecurity posture to discover the concerning findings and best practices that lead to compliance. During this webinar, you will learn:
- Top 3-5 failing controls; what are they, and why are they so challenging to implement?
- Outcomes by business profile, from professional services to the manufacturing floor.
- Top 3 characteristics of organizations who successfully achieve compliance.