Over the last year, the U.S. government has cracked down on cybersecurity. Following the May 2021 issuance of the White House’s executive order on improving the country’s cybersecurity, federal agencies and their commercial service providers have been focused on complying with more stringent security standards while protecting themselves from the increasing threat of cyber attacks.
Now, the Department of Defense’s newly updated cybersecurity requirements program, the Cybersecurity Maturity Model Certification, is moving forward in its rulemaking process and could become a part of federal contracts as soon as May 2023.
But with CMMC 2.0 growing closer to implementation, cybersecurity experts are pointing to gaps in the cybersecurity market, underreporting and a lack of information sharing as crucial elements that may be hampering the cyber posture of organizations in the Defense Industrial Base.
“There’s a limited number of companies out there that really do focus on cybersecurity, so we need new entrants into the market,” shared Richard Wakeman, chief architect of aerospace and commercial defense for Microsoft, during the Potomac Officers Club’s 2022 CMMC Forum.
“We need to give them the IQ to be able to work with the Defense Industrial Base and quite frankly, we need to have fresh talent,” he said.
In recent years, the federal government has relied more and more heavily on industry innovations to carry out its functions and missions — however, this change has not resulted in an increase in cybersecurity vendors in the government contracting market.
But other cybersecurity industry veterans warn against relying too singularly on one service provider, favoring an internal solution instead.
“You can go out and hire a service provider, but you’ve got to be careful about which one you hire. You’ve got to make sure they know what they’re doing, you wanna look at their track record, their experience. But you don’t want to turn over your cyber expertise completely to a third party,” urged Dr. Tommy Gardner, chief technology officer for HP Federal.
Dr. Gardner and Wakeman both noted that regardless of whether or not a company uses a third party to achieve CMMC compliance, ultimately, the company alone is responsible for its cybersecurity and its ability to defend itself against attacks.
“If you’ve got in-house capability, you’re going to be able to respond much faster” to cyberattacks Dr. Gardner explained.
Along the same lines, Matthew Travis, CEO of the CMMC Accreditation Body, mentioned that right now, there is no official governance or guidance available to companies that can help them buy products and services or choose vendors as they work towards compliance.
Travis said the program has not yet delved into creating a licensed technology provider designation or an approved tools list for CMMC.
“There is no CMMC in a box,” Travis said, noting that right now, “buyer beware” is the mentality companies should individually take in regards to their cybersecurity purchases from third parties.
Now, more than ever, the threat of cyberattacks is on the rise. Specifically, ransomware is the number one threat that companies report to the Department of Defense, according to Terry Kalka, interim director for the DOD’s Cyber Crime Center and the Defense Industrial Base Collaborative Information Sharing Environment.
“Most attackers are either attempting to perform some form of resource development, essentially harvesting information to use for a later attack, or reconnaissance — they’re scoping you out in case they might want to go further,” Kalka revealed.
Similarly, John Ellis, director of the Defense Contract Management Agency’s software division, said he gets pinged with these kinds of threats “24/7.”
“Some of those intrusions are more successful than others,” Ellis said, but “many companies are not even aware of these activities.”
Despite these persistent threats, Ellis said the reports he sees from companies are not quite adding up.
“Reporting should be much higher than it is. We need that going forward, we need that awareness, we need that understanding. It’ll help the Department understand requirements, it’ll help the Defense Industrial Base understand requirements, it will help us evolve going forward.”
In addition to boosting cyber incident reporting, Kalka shared that companies should be sharing critical threat information with each other to raise the cybersecurity defenses of the entire environment.
“It’s not just cyber threat information sharing, it’s best practice information sharing, it’s tools and technique information sharing,” commented Kalka. “It’s really important to find a community of interest or a collective set of your peers wherever you are in the ecosystem.”
Join the Potomac Officers Club for its next in-person event, the 2022 Annual Navy Summit on June 2. Carlos Del Toro, secretary for the U.S. Navy, will keynote. Spots are filling up fast – register today to save your seat!