Contractors question DOD's cyber requirements

The Pentagon is making big moves to improve cybersecurity in its industrial base, but the contracting community and experts continue to wonder if it will all play out as intended.

The Pentagon is making big moves in an effort to improve cybersecurity for its industrial base, but so far the department's biggest roadblocks early on may be the same confusion, doubt and uneven compliance from contractors that led to the vulnerabilities in the first place.

Officials from the Department of Defense and the National Institute of Standards and Technology gave updates on two nascent programs at an Aug. 8 Information Security and Privacy Advisory Board meeting: NIST's new draft cybersecurity guidance for contractor systems deemed high value assets and the Pentagon's Cybersecurity Maturity Model Certification (CMMC) program.

Both are designed to shore up different aspects of DOD's cybersecurity regime for contractors, and both are causing heartburn among companies who are still unclear about how best to comply.

The NIST draft guidance on high value assets went out for public comment earlier this year. The more than 600 responses reflect confusion about the scope and application of the requirements.

Every individual requirement listed in the draft received more than a dozen comments or critiques, according to NIST's Victoria Pillitteri.

Cost, practicality and straightforward questions like "does this apply to me or my systems?" were among the most common sentiments expressed, while certain requirements, like one for a 24-hour security operations center, were painted as unrealistic and cost prohibitive expectations for small and mid-sized contractors.

Roger Wakimoto, a vice chancellor at the University of California, Los Angeles, wrote that his research team successfully competed for hundreds of millions of dollars in federal research funding in 2017 and expressed concerns that the enhanced requirements "may inflict unintended consequences on fundamental research" and are "unclear" about whether they apply to basic research or academic institutions that take federal research funding.

"Unless agencies are mandated to state applicability in funding announcements, this proposed change could be incredibly burdensome, as it is possible that applicants would not know that the award would fall under the new requirements until they are far along in the process of applying," wrote Wakimoto.

Others, like CTIA, a trade association representing the wireless industry, questioned whether NIST's cost assessments for compliance were too low, saying the cost "will likely be substantial."

Stronghold Cybersecurity worried that a requirement to restrict access to systems and components to information resources owned, provisioned or issued by the organization would wreak havoc on an increasingly mobile IT workforce.

"Any [Bring Your Own Device] goes out the window with this one for sure," wrote Jason McNew, the firm's Certified Information Systems Security Professional.

A definitional problem

Despite the complaints, the contracting community is unlikely to find sympathy among DOD officials or members of Congress, who have pushed for cybersecurity standards for the defense industrial base following a sustained campaign of digital espionage by China over the past 18 months that has hemorrhaged sensitive U.S. military secrets.

"Our adversaries aren't looking at penetrating the nuclear triad at the highest point…they're going to the lowest tier to gain access and they're patient," said Katie Arrington, a special assistant to the Assistant Secretary of Defense for Acquisition, while discussing CMMC at the same meeting.

The enhanced NIST security requirements would only apply to components of nonfederal systems that store, process or transmit controlled unclassified information (CUI), or that are designated as part of a critical program or high value asset. Crucially, while NIST's baseline cybersecurity requirements are mandatory for all defense contractors, the enhanced requirements for high value assets apply only when agencies specifically include them in contracting or procurement documents.

Just what constitutes a critical program or high value asset (and who gets to decide) is another complicating factor. The clearest definition comes from the Department of Homeland Security, which adopted the phrase in a Binding Operational Directive and has cycled through two iterations of a definition thus far, while leaving it largely up to agencies to identify the specific assets that fit the bill.

"We're still refining [the definition], I don't know that that will ever be perfect," said Alan McClelland, an information security specialist at the Cybersecurity and Infrastructure Security Agency. "Really it's open to interpretation, the agencies determine themselves based on these definitions what their high value assets are."

While DHS has offered technical expertise to the endeavor, military assets are not covered under the agency's Binding Operational Directive or its definition, though McClelland said after his briefing that officials in both agencies are in discussions to cooperate and further align their efforts down the road.

A question of maturity

If the new NIST guidance is designed to scope out the technical requirements necessary to protect contractor systems, DOD's new Cybersecurity Maturity Model Certification program is a way to ensure that contractors are in fact complying. Rather than allow contractors to self-certify, the program will bring in third-party auditors to review contractor systems and verify that the protections contractors claim to the government are actually implemented.

The Pentagon's desire for a stricter compliance regime received a boost earlier this year when the federal government successfully convinced a judge to allow a lawsuit against contractor Aerojet Rocketdyne Holdings to proceed for claims it violated the Civil False Claims Act by misrepresenting compliance with NIST's baseline cybersecurity requirements listed in the Defense Federal Acquisition Regulation Supplement.

As with NIST's new guidance, defense contractors and experts have also expressed anxiety about how the CMMC will work, how it will apply to their systems and whether the military can work out the kinks and confusion before a contractor's certification level begins affecting the kind of procurements it can pursue. The differing levels of maturity a contractor can achieve (measured on a scale from 1 to 5) further cloud the picture as to what a particular contractor may need to do or implement to continue doing business with the military.

In addition, a number of contractors may genuinely believe they are compliant when they are not, a problem that again goes back to the general uncertainty and doubt that arises when broad security principles are applied to specific systems and programs in the defense contracting space.

Arrington was tapped by the Pentagon earlier this year to lead the CMMC and institute a broader cultural change among the defense contracting community. A former contractor, Arrington said she saw companies that falsely self-certified or embellished their compliance with contractor cybersecurity regulations in pursuit of business.

Those days must come to an end, she said, calling for the community to move away from its widespread fixation on cost, schedule and performance while ignoring security.

"It doesn't matter how much I pay for something if it's already been exfiltrated," Arrington said. "If I'm worried about getting it on time, but by the time I get it delivered to me it's worthless, why am I worrying about the schedule? Yeah, I wanted it to perform at this capacity, but if my adversaries already have it, they're outperforming me before I get there. We have to change the culture."

A version of this article first appeared on FCW, a partner site to Defense Systems.
