Inside Cybersecurity

Experts: CMMC principles buy down supply-chain risk, but no guarantee against sophisticated SolarWinds-like attacks

By Sara Friedman / March 8, 2021

Meeting the standards laid out in the Pentagon’s cyber certification program is a necessary start to buying down supply chain risk through establishing good cyber hygiene, but cyber experts say CMMC would not necessarily have helped contractors detect or prevent exposure to the SolarWinds attack.

The Cybersecurity Maturity Model Certification program’s current focus is on level three, which establishes a cyber regime around controlled unclassified information. Inside Cybersecurity spoke with attorneys about the benefits of CMMC for the defense industrial base and how it could be improved to address supply chain attacks.

“The point of CMMC is not to protect against nation state advanced persistent threat actors,” attorney Robert Metzger said. “There are ways in which CMMC as it evolves can assist companies to reduce their vulnerability to such attacks and CMMC could promote the protection of information through the use of encryption so the damage from such an attack is reduced.”

Metzger, co-author of MITRE’s “Deliver Uncompromised” report, said, “As CMMC evolves and becomes more broadly deployed, there will be an incremental benefit in reducing the number of companies who could be harmed by a SolarWinds type attack and by reducing the damage that is done to those who are harmed.”

A Pentagon SolarWinds analysis found a contractor “could have watched the movement of the data and the activity” through CMMC level three’s access control requirements, according to DOD’s Stacy Bostjanick, but they would not be able to stop the malware from becoming integrated in government networks.

Metzger said, “There is certainly more that would be accomplished eventually in CMMC levels four and five because those do include measures directed at advanced persistent threats but those things are expensive.”

CMMC level three is largely based on National Institute of Standards and Technology Special Publication 800-171. The higher CMMC levels will draw from NIST SP 800-172, which adds more controls into the model related to advanced persistent threats.

“The CMMC model should be seen not only as a compliance exercise for organizations because of a contracting requirement but also to protect the sustainability of the organization,” Carl Anderson, managing partner at Rock Spring Law Group, said.

Anderson previously worked at cyber certification organization HITRUST as chief legal officer and spent time as counsel for the House Energy and Commerce oversight and investigations subcommittee.

Anderson said, “If an organization is just trying to reach compliance with CMMC, it will only be fulfilling the floor requirements. There needs to be an effort by contractors to reach for the ceiling” and put more investment into protecting their critical assets.

The intent of the CMMC model is to change over time depending on threats and changes in the marketplace. However, former Pentagon cyber leader Jack Wilmer said he would advise DOD to take a measured approach when adopting new requirements in reaction to SolarWinds.

“CMMC level three is roughly equivalent to NIST 800-171 and it is really important they stay in sync,” Wilmer said. “If the department wants to put some of the CMMC protections into level three, the right approach to do that is to look at 800-171 and update that through the onerous public comment process.”

Wilmer said, “It would be the way to send very consistent messaging to industry. It would make it clear because 800-171 applies across the entire federal government as opposed to throwing a couple of controls into level three of a DOD standard.”

There needs to be a discussion on “the return on investment for any of the controls put into CMMC to make sure that we don’t end up just throwing in an extra three or four controls because SolarWinds happened that could make us feel better about supply chain security but doesn’t move the needle to make us more secure,” Wilmer said.

Wilmer worked as deputy CIO for cybersecurity at DOD before he left the Pentagon in August to join the private sector. At the DOD CIO’s office, he was responsible for taking the CMMC model created by the Office of the Undersecretary of Defense for Acquisition & Sustainment and making sure that it aligned with existing cyber standards across the Pentagon.

Wilmer said, “I would want to keep CMMC as close to the NIST standards as possible because they really are extremely well thought out. There is a reason it takes so long to make updates but there is also an argument for being more agile than the NIST process.”

“The Defense Department does have some different requirements because of the sensitivity of data compared to the rest of the federal government,” Wilmer said. “But if there are changes made to CMMC, it should focus on the sensitivity of data and not specific threat actors.” -- Sara Friedman (sfriedman@iwpnews.com)