In this day and age, it is not uncommon for a story of a cyberattack to be front-page news. What is unsettling, however, is that these breaches are far more prevalent than reported. And what is at stake is more than compromised consumer credit reports: national security hangs in the balance when the breached target is a member of the defense industrial base (DIB).
How can this threat be neutralized–and what is being done to protect vital intelligence from falling into the wrong hands? Mandated cybersecurity minimums for companies looking to do business with the DOD and its affiliates would go a long way in limiting these events.
Current state of cyber-compliance
The government created a scoring scale for cyber-security controls, which covers a range of -203 (doing nothing) to +110 (fully compliant). Our experience over the last decade has revealed an average score of -125, with the lowest score we have ever seen being -175. Why is that?
The crux of the problem is that while these controls have been mandated in contract law for defense contractors since at least 2015 and subject to both contract law and False Claims Act penalties, they have been unaudited and largely ignored. There has been no enforcement of these mandatory cybersecurity minimums.
Cybersecurity for the DOD operates under a modern-day policy of “Don’t Ask, Don’t Tell,” with many organizations not taking appropriate cybersecurity measures and then not reporting their non-compliance. One notable development that could change all of this is the current administration’s use of the False Claims Act to crack down on non-compliant defense contractors.
How the False Claims Act impacts cybersecurity compliance
A former Aerojet Rocketdyne employee claims the company entered into contracts with NASA and the DOD despite knowing it was not in full compliance with the contracts’ cybersecurity requirements. The judge refused to dismiss the case and they are headed to jury trial.
CyberSheath was not surprised at this development. In fact, we saw this coming, knowing that the government would be cracking down on defense contractors.
The problem of non-compliance
All of this non-compliance with very basic cybersecurity controls is the cause and the effect behind SolarWinds, the Office of Personnel Management (OPM) breach, and likely many other data breaches. Tying non-compliance to a specific cyberattack is hard if not impossible, but it doesn’t take much of a leap of faith to make the connection when you see the scale of sensitive information being stolen.
In parallel to the non-stop barrage of attacks on the defense industrial supply chain, influential organizations like the National Defense Industrial Association (NDIA) and its 70,000 members push back against mandatory cybersecurity minimums and the kinds of controls that would slow, if not stop, some of these attacks altogether. Here is what has transpired.
- The organization penned a letter in June 2021 citing the cost of cybersecurity controls, despite the fact that the law mandating almost 85% of those requirements was close to six years old at the time and was already binding on, but ignored by, much of the DIB.
- By September 2021, NDIA had joined forces with two other large industry associations, Information Technology Industry Council (ITI) and the Professional Services Council (PSC), to collectively express concern on behalf of their members, again despite the fact that approximately 85% of the required controls had been mandatory for six years.
- Meanwhile, the estimated number of defense contractors required to report cybersecurity incidents within 72 hours to the DOD Cyber Crime Center (DC3) is often cited by the DOD as anywhere from 200K to 350K. Likely no one knows the real number, as DC3 acknowledges a relationship with only 885 of the several hundred thousand contractors holding sensitive information.
Despite the regulations, the government knows from its own audits that contractors are ignoring the requirements. A recent audit across seven separate defense contractors identified deficiencies including:
- Multi-factor authentication was not consistently used
- Network vulnerabilities were not consistently mitigated
- Server racks were not consistently secured
- Data on removable media was not consistently protected and monitored
- Intrusion detection was not implemented
- Administrators did not require or maintain justification for access
- Physical security controls were not implemented
It’s clear that something needs to be done to help secure information and other intelligence that is vital to the safety of our country. Implementing a mandate requiring minimal but impactful cybersecurity measures makes sense, both for the sake of the company doing business with the DOD, either directly or as a subcontractor, and for the security of our nation.