The federal government’s hands are more than full in monitoring multiple wars overseas and an election cycle just ahead. Amid these urgent conflicts, the leaders of the Five Eyes recently sat for an unprecedented interview with 60 Minutes, calling The People’s Republic of China “the defining threat of this generation.”
The first public appearance of America’s English-speaking intelligence alliance at a time of great unrest abroad speaks volumes about the importance of protecting sensitive information in cyberspace.
In recent months, U.S. agencies were breached by Chinese hackers who stole 60,000 State Department emails in their data haul, and we know defense intelligence is targeted, too. In many cases, companies that hold such intelligence aren’t aware of their own role in national security.
Nearly a decade ago, the Department of Defense (DoD) implemented a security framework, the Defense Federal Acquisition Regulation Supplement (DFARS), to safeguard our nation’s intellectual property. Despite its inclusion in more than 1 million contracts, DFARS has largely gone unenforced.
Until now.
The DoD is tracking a November release of the proposed rule on Cybersecurity Maturity Model Certification (CMMC) 2.0, which includes a crucial enforcement mechanism to keep the defense industrial base honest in protecting sensitive information.
The requirement for security controls like multifactor authentication, network monitoring, and incident reporting has long been embedded in most government contracts with the DoD, but contractors had been allowed to self-certify that they had implemented the required controls. The system to date has been one of trust, but never verify.
Microsoft says nation-state threats are rising — particularly from Russia, China, Iran, and North Korea — and threat actors are turning to new vectors like social platform Discord to target critical infrastructure.
With well over 300,000 contractors in the defense industrial base, hackers have a tremendous opportunity to steal military secrets. Forcing defense contracors to meet mandatory cybersecurity minimums should significantly limit that risk, but contractors have a long way to go in achieving compliance with what many consider basic cybersecurity hygiene.
A study conducted by Merrill Research found that only 36% of contractors submitted required compliance scores, down 10 percentage points from last year’s inaugural report. Among those that did submit scores, the average was a woeful -15 — well short of the 110 score that represents full compliance.
The study also showed that contractors pick and choose which areas of compliance they adhere to. Only 19% of respondents implemented vulnerability management solutions, and 25% have secure IT backup solutions, both staples of basic cybersecurity. Forty percent go beyond what the law requires and explicitly deny the use of Huawei, which the Federal Communications Commission designated as a national security risk.
This selectivity shows that contractors understand the risk but don’t always address it, likely because there has been no chance of ever being audited for compliance. It would be misguided to believe that the government is unilaterally imposing new rules on defense contractors. In fact, CMMC 2.0 is the culmination of a decade-long and ongoing public-private partnership.
CMMC 2.0 enforcement
The industry has had a seat at the table the whole time. Now, it needs to finally do the homework it’s heard about for years and implement security controls so we can make meaningful progress in securing our nation’s secrets.
We have come to expect tech titans including Microsoft and Google to take security seriously, and we should hold defense contractors entrusted with our national security to the same standards.
Enforcement of CMMC 2.0 protects sensitive defense information and national security assets that have been in jeopardy for too long. China and other adversaries aggressively exploit any vulnerabilities they can find. Now that the DoD has set an effective date for compliance standards, the time has come for defense contractors to embrace the requirements that have long been embedded in their existing contracts and fully implement mandatory minimum cybersecurity standards.
Maintaining American technological superiority and military secrets depends on companies across the defense industrial base embracing their commitment to cybersecurity. By embracing the public-private partnership vision behind CMMC 2.0 and achieving certification, contractors can validate themselves as stewards of the nation’s security.
Eric Noonan us Founder and CEO of CyberSheath, a provider of managed security services to companies and government.