The government is making progress toward the enforcement of minimum cybersecurity requirements — and with good reason. Chinese hackers stole 60,000 State Department emails in a recent nation-state breach.
The Cybersecurity Maturity Model Certification (CMMC) program was instituted to ensure the security of the defense industrial base (DIB) and traces back to voluntary efforts about 15 years ago. It’s crucial for contractors working with the Department of Defense (DOD) to no longer treat those security controls as optional.
At CMMC CON 2023 we learned about the urgency of securing our military’s supply chain, how far we’ve come in doing so, and what can be done to address the complexities of IT, cybersecurity, and regulatory compliance.
“The most important thing we need people to understand is that they are a target,” said Bailey Bickley, Chief of DIB Defense. “I know small businesses don’t really believe that because they’re just producing one small component or one small widget of an overall weapons system, but our adversaries are really looking for those weak links. They do broad scanning. The People’s Republic of China especially takes a really broad approach, and they’re going after the weakest link in DOD supply chains. One of our biggest messages to folks is: Don’t be that weak link.”
A new study conducted by Merrill Research and commissioned by CyberSheath shows just how weak the DIB’s supply chain is. According to the study, the average Supplier Performance Risk System (SPRS) score is a woeful -15, far short of the 110 score required by the Defense Federal Acquisition Regulation Supplement (DFARS).
Despite the poor SPRS performance, we’ve seen progress in the public-private partnership between DOD and the DIB, including more information sharing. Steve Shirley, Executive Director of the National Defense Information Sharing & Analysis Center (ND-ISAC), said the relationship is “lightyears better than it was in 2007 or 2008.”
“One of my old teammates used to say, ‘You can be wrong if you’re right too soon,’” Shirley said. “There were a couple of things that were tabled in 2009 or so that were maybe the right thing to do from a technical standpoint, but from the standpoint of the industry/government culture, or relationship that created that culture, we just couldn’t put that ball in the end zone. Now I think there’s a much higher probability that those things can be operationalized.”
NIST Fellow Dr. Ron Ross joined the program to share his perspective on that evolution, and on how standards like NIST SP 800-171 have changed over the years, becoming more specific in order to clear up ambiguity about how certain controls should be implemented.
Achieving and maintaining CMMC compliance is no easy task, though. Eric Liebowitz, CISO at Thales North America, and Sashi Chandrasekharan, CIO at Stellant Systems, joined a panel to discuss how IT and security teams need to partner to achieve and maintain compliance.
Further motivation came from keynote speaker Robert J. O’Neill, one of the most highly decorated combat veterans of our time. At a high level, the CMMC blueprint has real-world parallels in the experience of military veterans, too.
“Long-term goals are accomplished by short-term goals,” O’Neill said. “And you need to master the basics. Keep it simple. One foot in front of the other. There’s a part of SEAL training called ‘Hell Week.’ SEAL training is hard enough as it is when you get four or five hours of sleep a night. Hell Week you wake up on Sunday, and you don’t sleep until Friday. … Once you see someone start to think about quitting, they’re pretty much done. They’re talking their mind into it.”