The objective of the Pentagon’s CMMC program to improve the security of the defense industrial base will continue to be a priority for the Defense Department regardless of who wins the White House in the upcoming election, according to stakeholders in the supply chain process.
The Defense Department has gotten pushback from industry over the Cybersecurity Maturity Model Certification program and the many unknowns over its rollout and expected costs, but former government officials and attorneys told Inside Cybersecurity the move from a regime of self-attestation to third party certification is necessary to protect the intellectual property of the DIB and DOD.
“There are certainly going to be disagreements on the approach that we need to take to [shore up the supply chain], but there is pretty widespread agreement that we have to improve,” former Pentagon cyber leader Jack Wilmer said. “I expect there may be some tweaks to CMMC and how it gets implemented.”
Wilmer was DOD’s chief information security officer and deputy CIO for cybersecurity before leaving the Pentagon in August to join the private sector.
“Both Democrats and Republicans think government should run more efficiently and it should serve its citizens better,” Wilmer said. “When you look at the amount of intellectual property that is stolen through our industrial base, our universities and other areas, there is a recognition on both sides of the aisle that we have to be better.”
Malicious cyber activity has cost the U.S. economy between $570 billion to $1.09 trillion dollars in costs between 2006 and 2016, according to estimates from the White House Council of Economic Advisors included in the interim rule to establish the CMMC program.
“A Democratic administration will share the concerns about protection of controlled unclassified information but they are likely to pause but not stop CMMC efforts,” attorney Robert Metzger said. “They will look to consider whether the mechanisms used to implement CMMC need adjustment or a larger change.”
Metzger, co-author of MITRE’s “Deliver Uncompromised” report, said a Biden administration probably would be “especially interested” in the role of the CMMC Accreditation Body and the “responsibilities and functions assigned to this nonprofit entity” that is independent of government. The CMMC AB is currently operating under a memorandum of understanding with DOD.
The Defense Department is only just starting down the “road of how to appropriately address cybersecurity issues,” according to Harvey Rishikof, another co-author of the MITRE report and current director of policy and cybersecurity research at University of Maryland’s Applied Research Laboratory for Intelligence and Security.
“We’re in the middle of a war in which the adversaries are attacking our networks,” Rishikof said. “One of the vectors for attack is cybersecurity. No one likes change but we are in a cyber conflict and the major assets are controlled by large parts of the private sector. It is actually in the interests of the private sector to implement security as soon as they can.”
Metzger agreed saying China and other countries have been stealing technical and sensitive information from government contractors “for nearly a decade” and “the threat isn’t going to go away.”
“We are trying to remedy the vulnerabilities of large portions of the industrial base, which have exposed themselves to successful information theft and those vulnerabilities will also remain the same the day after the election or the day after the inauguration,” Metzger said.
There is likely to be turnover in the highest ranks at the Defense Department if Biden wins the election, but Norma Krayem, a federal cybersecurity policy veteran at Van Scoyoc Associates, said the first Senate-confirmed appointments will be at the cabinet level and it will take some time before personnel changes come to DOD’s acquisition office.
However, the eventual departures of DOD acquisition chiefs Ellen Lord and Kevin Fahey would not leave DOD in a vacuum when it comes to addressing cybersecurity, according to Metzger.
“Many of the personnel who are now executing CMMC and other cyber initiatives and those who are responsible for those functions in DOD Intelligence and Research and Engineering are still going to be there,” Metzger said. “Cyber and supply chain security within DOD are not political, but there may be differences in strategy or tactics.” -- Sara Friedman (firstname.lastname@example.org)