Kristen Soles, CPA, Partner – Government Contracting Industry Leader & Bhavesh N. Vadhani CISA, CRISC, CGEIT, PMP, Principal, CohnReznick
As the number of ingress and egress points to applications and networks expands, cybercriminals are discovering new gateways to exploit government contractors and agencies. The supply chain is especially vulnerable: Attacks on global supply chains soared 78% in 2018, according to a recent report by Symantec Corp.
That’s one reason the U.S. Department of Defense (DoD) is implementing a two-pronged initiative that aims to create unified supply chain security standards for government contractors. The initiative, informally known as Deliver Uncompromised (DU), expands the requirements such that prime contractors and subcontractors must implement security controls to comply with the Defense Federal Acquisition Regulation Supplement (DFARS) rules.
With this initiative, security becomes a primary requirement for DFARS compliance and winning a government contract. Defense contractors and subcontractors will be required to build security by design into every aspect of the software product life cycle and include operational continuity measures.
A report on DU, commissioned by the DoD and published by the MITRE Corporation’s Center for Technology & National Security, identifies courses of action that spell out cybersecurity and supply chain security requirements. Prime contractors and subcontractors will be required to:
- Institute industry-standard IT practices in all software developments.
- Ensure supplier security and use contract terms.
- Appoint a chain of command for supply chain with accountability for security and integrity.
- Require vulnerability monitoring, coordinating, and sharing across the supply chain chain of command.
- Implement a campaign for education, awareness, and ownership of risk.
Proving cybersecurity with a new maturity assessment
The DoD will require written proof of a compliant security program throughout the supply chain in RFP responses. To establish accreditation, the DoD is establishing a new standard and maturity ranking called the Cybersecurity Maturity Model Certification (CMMC). Under the CMMC, contractors will be assessed on their implementation of required cybersecurity controls and processes, and their cybersecurity hygiene will be ranked on a scale of one to five:
- Level 1: Basic
- Level 2: Intermediate
- Level 3: Good
- Level 4: Proactive
- Level 5: State of the art
Level 3 will be the minimum necessary to comply with DFARS requirements to win a defense RFP. In general, Levels 1 to 3 map to NIST 800-171 Rev. 1, while Levels 4 and 5 map to NIST 800-171B. The 800-171B version of the regulation has 32 new enhanced security requirements that are based on the 14 control families found in NIST 800-171. Some significant conditions include:
- Establish and maintain a full-time security operations center.
- Establish and maintain a cybersecurity incident-response team that can be deployed within 24 hours.
- Employ automated mechanisms to detect misconfigured or unauthorized system components.
- Implement secure information-transfer solutions, including encryption of data, to control data flows between security domains on connected systems.
- Ensure that internet of things, industrial internet of things, and operational technology systems, components, and devices are compliant with the security requirements.
The Pentagon will release details on CMMC later this summer, and aims to finalize the framework by January 2020. CMMC will start appearing in RFIs in June 2020, and potential contractors will be required to demonstrate a rating of at least Level 3 by September 2020. We expect that the DoD will outsource CMMC compliance to independent third-party firms that will audit contractors and issue certifications.
The complexities of compliance
Compliance with DU and CMMC will be challenging for many prospective contractors, particularly smaller and midsize firms that have not implemented the controls detailed in NIST SP 800-171. Here’s why:
Government contractors that have not designed and implemented a formal security program will be unprepared to identify, prevent, detect, and report supply chain cyberattacks. That’s because they lack the necessary security policies, processes, and controls. Among these, an incident-response plan is critical because the DoD requires that contractors and subcontractors establish processes to identify a cybersecurity incident and report the intrusion event within 72 hours of discovery.
Moreover, contractors often don’t have documented procedures for due diligence, audits, and risk assessments of their subcontractors. Another frequent deficiency is a lack of multifactor authentication, which is a critical requirement for DFARS compliance and is a mandatory requirement under DU. The DoD has not yet specified the type of multifactor authentication required, but two-factor authentication will be a minimum.
Finally, smaller companies may lack a thorough understanding of the compliance obligations stated in DoD contracts. In part, that’s because defense contracts are inconsistent across agencies, and each may stipulate a different set of requirements.
Advanced breach-detection solutions are key
One critical mandate of both DU and CMMC is advanced breach detection, a capability that government contractors often lack. Contractors will need to fuse advanced solutions with appropriate governance and mature processes to rapidly detect devices of interest and indicators of compromise.
To fill this gap, companies will need to implement solutions that can analyze the multitude of protocols and new attack vectors each day to identify breaches and anomalous behavior on the defense contractor network. The analysis should weigh the contractors’ application-based metadata – combined with user information and the latest threat intelligence – against past, current, and future network activity to detect previously unidentified breaches.
Demonstrating compliance with DU and CMMC
The specific safeguards and controls mandated by DU and CMMC are not yet known, so compliance obligations and strategies are preliminary, at best. MITRE recommends that contractors develop a security program based on industry frameworks such as NIST SP 800-171, NIST SP 800-53, and NIST SP 800-160.
Even though the precise requirements are not yet established, government contractors should begin working toward certification now. Start by assessing compliance with NIST SP 800-171, which lays out 110 security controls for contractors. Those that have implemented most or all of the controls will have a head start earning CMMC accreditation. Contractors that have not implemented 800-171 controls will need to launch an accelerated effort to do so.