“Never let a good crisis go to waste.” – Winston Churchill
On Dec. 7, the National Security Agency issued an advisory to the Department of Defense and its defense industrial base (DIB) stating that Russian state-sponsored groups have been actively exploiting several VMware remote-work platforms in an attempt to gain privileged access to target data. The Cybersecurity and Infrastructure Security Agency has issued similar warnings about the need for government agencies and their supporting organizations to patch vulnerabilities in various VPN products so that unauthorized users are kept off their networks.
This year’s pandemic has already had a devastating impact on the federal government and its business community from a cybersecurity perspective. The trigger was the near-overnight shift to telework on a massive scale, whether or not we were prepared to deploy it. As a result, cybercriminals have been able to exploit this vastly expanded attack surface to disrupt the normal business operations of the federal government ecosystem. By preying on the general fear and anxiety of users, attackers are stealing data, holding critical information hostage, and inducing risky internet behavior to gain access to company and government networks.
But don’t just take my word for it.
If all these advisories and cyberattacks were not enough to call this a crisis, we are now learning that the recent compromise of a widely distributed SolarWinds Corp. software update by nation-state threat actors is part of a much larger attack on major U.S. government organizations (e.g., the Treasury, Commerce and State departments, and reportedly the DoD) and on companies within their ecosystems, the impacts of which we have yet to fully comprehend. This incident highlights how most organizations in the supply chain are not prepared to prevent such threats, as a CSO analysis outlined.
Members of the DIB are grappling with how best to comply with the DoD’s interim rule, which accelerates contractors’ implementation of cybersecurity requirements and strengthens the protection of unclassified information within the DoD supply chain. This most recent incident reminds us once again that the Cybersecurity Maturity Model Certification (CMMC), which took effect through the interim rule on Nov. 30, is much more than a check-the-box compliance requirement for doing business with the federal government.
Just as cybercriminals are increasing their deployment of malicious and destabilizing activities in cyberspace, so too must the DoD (and FedCiv, for that matter) and its supply chain reinvigorate their efforts and implement a more robust cybersecurity capability. At its very core, the objective behind CMMC is to help DoD’s supply chain better defend itself against these ever-increasing risks and impacts of cyberattacks.
For the DoD to achieve this mission objective, its contractors must commit fully to implementing the security controls and processes necessary to defend their IT infrastructure. More importantly, they must operationalize that capability and provide continuous monitoring, awareness and response to potential cyber threats within their operating environments.
The DIB should understand that implementing the policies and procedures needed to meet a target CMMC maturity level is only the first step. To remain effective, and to stay in compliance, organizations will need to continually monitor and maintain their own cyber risk posture and be positioned to respond effectively to any cyber incident, including reporting it to the proper DoD authorities.
As this latest incident has demonstrated, even a robust cybersecurity capability does not mean we are fully protected against every cyber threat. FireEye, Microsoft, Cisco and Deloitte are among the companies that installed the compromised SolarWinds update. It is easy to ask: if they were susceptible, how can the rest of us expect to succeed? The point is that employing the sound practices and techniques outlined in CMMC will not make us 100% protected against cyberattacks, and it was never meant to. CMMC was designed to provide the DIB with a set of characteristics, attributes, processes and best practices that, if applied and adhered to, provide increased assurance that it can protect controlled unclassified information (CUI) at a level commensurate with the risk.
CMMC is not a silver bullet, but it is an effective approach to improving the cyber protections and resiliency of the DoD’s entire ecosystem, which is a huge improvement over where we are today. If you have not started your efforts to understand, assess and secure the CUI domain within your organization, you run the risk of losing opportunities to work with the DoD. More crucial is the potential security risk to the DoD, its mission and the warfighter.
“Never let a good crisis go to waste” is sage advice. Assemble the in-house team charged with managing cybersecurity for your organization and start the dialogue. Review, discuss and gain a full understanding of the interim rule, NIST SP 800-171, and the emerging CMMC framework as they apply to how you conduct business with the DoD. Develop a tactical plan to undergo an internal assessment and address any gaps. Finally, discuss how your organization will commit to operationalizing cybersecurity as a normal part of conducting business with the government, and institutionalize those activities so that they are constant, repeatable and effective.
And remember that as a member of the DIB, you are not alone. Seek guidance, confirmation and assistance from government (e.g., the Office of the Under Secretary of Defense for Acquisition and Sustainment, your DoD customers), industry (e.g., the CMMC Accreditation Body), and private-sector firms that specialize in helping companies build a cybersecurity and data protection capability. The time to act is now.
Les Buday is director of cybersecurity at HumanTouch LLC. He is also a member of the CMMC Accreditation Body.