Small businesses are increasingly being targeted digitally by nation states, according to Department of Defense officials, who say more must be done specifically to evaluate and reinforce the security of contractors battling cyberattacks.
“We’re losing,” said Katie Arrington, special assistant to the assistant secretary of defense for acquisition for cyber within the office of the undersecretary of defense for acquisition and sustainment, speaking Oct. 7 at an AFCEA-hosted event.
Arrington explained that adversaries cost the country $600 billion a year and that, with 5G on the horizon, that amount must be multiplied by “umpteenth” in 2025 given the near-unlimited bandwidth for cyber campaigns technology promises. As a result, Arrington said, the forthcoming cybersecurity maturity model certification (CMMC) was designed specifically for small businesses.
The CMMC is a framework that grades company cybersecurity on a scale of one (least secure) to five (most stringent). What small businesses will be asked to do is comply with a tiered rating system depending on the systems they’ll be working on.
What this means is if a company is working on janitorial services, they may only need to comply with level 1 of CMMC as opposed to level 3, which is equivalent to NSIT 800-171 regulations, or level 4 that is reserved for exquisite systems.
In the past, there was a two-tiered system for small businesses to be compliant, Arrington described. A company could be compliant with 80 controls under NIST 171 and have a Plan of Actions & Milestones (POA&Ms) to do the other 30, while another company could be doing all the 110 controls and both are technically acceptable.
“That isn’t right, because our adversaries aren’t taking a cup of coffee and saying, ‘I’m going to come back to you when your POA&M is done,’” said Arrington. “They’re walking through those POA&Ms like they’re Swiss cheese.”
As a result, Arrington made the case that the CMMC is really about leveling this playing field and protecting sensitive systems that require additional cybersecurity controls.
Some have noted that these new requirements, while meant to protect the defense industrial base against loss from external forces, could hit smaller companies harder within the market.
“This would have severe unintended consequences on small businesses that do not have the resources and sophistication to obtain a high CMMC level, producing market entry barriers and limiting competition," the Professional Services Council said in a Sept. 25 letter to DoD following the September draft release of the CMMC.
“Until we see the whole scope of who it’s going to apply to and why it’s going to apply to them, it could impact a lot of small companies,” Alexander Major, partners and co-leads for government contracts at McCarter & English LLP, told FCW following the same draft release.
Major’s co-lead, Franklin Turner, also told FCW that Arrington’s assertion that the CMMC would cost only a few thousand dollars is “utterly foolish,” adding it would "likely be an impediment" for small companies.
However, as Arrington and others have pointed out, top nation states are targeting these smaller companies, necessitating the initiative. Trying to sympathize with the audience, Arrington touted her background contracting with utilities, water and weather services where she herself was guilty of poor cybersecurity practices as a program manager.
“I knew where the weather was, the water was and the electric was. It was all on my laptop,” she said.
She did much of her work at coffee shops because, “I needed to network and I needed to communicate with my peers to drive new business and I needed to be seen, because as a small business you have a lot of people who telework from home.”
But even using a VPN to tunnel into work accounts has the potential to be exploited, Arrington acknowledged. “I was taking everything around me in the pipe."
Recent events have put a spotlight on the fact data doesn’t have to be classified to be sensitive. Several Navy breaches — largely attributed to China — targeted contractors that were determined to have information that wasn’t itself classified, but in aggregate disclosed sensitive capabilities. It is the increase in campaigns to exploit a higher percentage of lower-level vulnerabilities that the CMMC framework addresses.
“Our adversaries are not trying to get at us at the … top of the nuclear triad,” said Arrington. “You don’t have the aperture to defend yourself against a nation state and we don’t want you to. I need to be able to help you protect us because when 80 percent of my data lives on your network, it’s no longer a you or a me — it’s a we thing. This is a we problem.
“I need to know exactly what I’m asking you to protect and at what level. Right now, you’re all just doing a bunch of different disparate things, but there’s not a level set. [Cybersecurity] controls do not equal requirement,” Arrington continued.
It is expected that in fall 2020 CMMC requirements will be included in requests for proposals and will be a go/no go decision.
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.