Lance Bellers - Fotolia

Pentagon CMMC program to vet contractor cybersecurity

The U.S. Department of Defense has developed a five-level certification framework designed to vet the cybersecurity posture of potential contractors in an effort to avoid future risks.

The U.S. Department of Defense is aiming to secure its supply chain with the cybersecurity maturity model certification, or CMMC program, which will vet potential third-party contractors.

Ellen Lord, the undersecretary of defense for acquisition and sustainment, said at a news conference at the Pentagon that the CMCC program "will measure technical capabilities and process maturity" for organizations in the running for new defense contracts.

Although the full details of the CMMC program won't be made public until January, Lord described it as a five-tier framework in which each level of certification is specifically designed based on how critical the work of the contractor would be. The CMMC program is scheduled to be fully implemented by June 2020.

Dan Fallon, senior director of public sector systems engineers at Nutanix, said programs like CMMC that "create or enhance standard practices and responsibilities around cybersecurity are essential to improving security posture."

"It is great to see the DOD engaged in a strategic, comprehensive and measured approach to ensuring the security of the products and vendors with whom they work," Fallon told SearchSecurity. "Furthermore, the Department's concerted effort in sourcing input from the private sector in developing these standards is a strong indication of its understanding that even with additional cybersecurity policy, overall security will always remain a shared responsibility between vendors and government agencies. After all, there is no one silver bullet to make an agency invulnerable to attack."

Theresa Payton, president and CEO of Fortalice Solutions and former White House CIO, said the CMMC program "is a good next step to improve supply chain security for the DOD through its contractors and sub-contractors." 

"In the wake of data breaches where the weakest link was a contractor, these are important next steps," Payton told SearchSecurity via email. She added that if she "were to prioritize security elements for every contractor and subcontractor to meet it would be: 1. ensure that all data in rest and in transit and at points of consumption are encrypted; 2. have a regular review process of user access controls and authorizations to include third party applications and system to system interactions that are tested; 3. create kill switches that can be flipped if there is a suspected intrusion; 4. ongoing training and awareness."

Dr. Chase Cunningham, principal analyst serving security and risk professionals for Forrester Research, said the requirements should focus on "using virtual infrastructure to manage the connections those persons have into a system, and really solid analytics."

"They already do basically everything anyone can to vet a singular user, having been through that myself I can tell you it is rough, but ultimately once a person is in a network it's on [the DOD]," Cunningham told SearchSecurity. "If they don't monitor [contractors] and have really segmented infrastructure, things go bad quick. Combine well-built zero-trust infrastructures with good behavioral monitoring and analytics and you can fix this problem."

The full details of the CMMC program requirements won't be known until next month, but Lord did promise the expectations, measurements and metrics used will be "crystal clear," and audits of potential contractors will be done by a third party that should be chosen by next month as well.

Additionally, Lord said at the Ronald Reagan National Defense Forum in Simi Valley, Calif. earlier this week that the DOD expects the weakest links in the supply chain to be the lower tier, smaller companies who may not be able to afford to meet the requirements. As such, the DoD is planning ways to ensure smaller contactors can meet a basic level of cybersecurity via "broader certifications" that will be detailed more in the next three months.

Payton said she was "encouraged to see that the DOD specifically noted that it will help smaller contractors to meet requirements."

"This will encourage many to embark on this endeavor," Payton said. "A rising tide lifts all boats so if the DOD would extend free software, tools, and tips and techniques to their supply chain they will naturally lift the security of the DOD ecosystem."

Cunningham disagreed and said if the CMMC program requirements are clear and "your company wants to win the bid, meet the line items."

"It will still be on the contractor to make things work. When the government is paying the bill, why should they push more help on those companies that want the work and the revenue?" Cunningham asked. "The government honestly shouldn't be helping too much."

Government contractor risks

The history of cybersecurity risks and third-party contractors can be traced back years. The most famous example was whistleblower Edward Snowden, a contractor for Booz Allen Hamilton, who stole and leaked information about NSA phone metadata tracking practices in 2013.

In 2015, a breach of the Office of Personnel Management affected millions and the ensuing investigation found that the threat actors gained access to systems in part by using credentials stolen from government contractors.

The DOD had two issues in 2017 linked to contractors. In August, an AWS S3 bucket containing unclassified data from the DOD was discovered to be publicly accessible due to misconfiguration by Booz Allen Hamilton. In November, another S3 bucket containing DOD data, this one built by contractor VendorX, was discovered to be exposed.

Payton said there's a simple reason why these past issues didn't lead to faster action by the government.

"There is a fundamental disconnect between the rate at which technology evolves and the rate at which bureaucracy reacts. What we're dealing with here is a failure of systems," Payton said. "It's never too late to learn from past mistakes, but ultimately, we need real-time solutions not just to today's obstacles and threats but to tomorrow's as well." 

Cunningham said, "This type of requirement should have been in place years ago."

"The government runs into this as they are lobbied by those big consulting firms that push back on anything they do that could impact their businesses," Cunningham said. "Obviously having a new set of standards for thousands, or tens of thousands of cleared workers is a problem they didn't want to deal with."

Dig Deeper on Security operations and management