A major change to the Department of Defense supply chain security standard is in the works. Vendor security was typically evaluated after awarding a contract, but a new mandatory cyber security certification program would force contractors to demonstrate their readiness to repel attacks before being allowed to bid.
The hope is that the new certification model will simplify and streamline cyber requirements for federal government contractors while also strengthening and modernizing supply chain security. It is also meant to help beef up the security of secondary and tertiary subcontractors, who are often not subject to the same level of scrutiny as the primary contractor.
While there is a clear national security need for the organization to protect itself from vendor compromise, the new standards will likely involve a cyber security investment that might be too steep for smaller vendors.
Improved supply chain security for military contractors
The Pentagon had been discussing the creation of a security certification for vendors since 2018. The Cybersecurity Maturity Model Certification (CMMC) was announced in March of this year, with the first draft delivered in August for a mandatory period of public comment.
The new cyber security certification creates a five-level system. Vendors are assessed on 18 separate “domains,” or elements of cyber security such as incident response plans and risk management policies. A vendor does not have to have a perfect score in each domain, but has to meet a certain aggregate score in two different groups of domains in order to be certified.
Vendors are also not expected to meet the highest CMMC levels across the board; instead, they are assessed at the levels relevant to the specific threats they are expected to face. Contracts will require that vendors be at certain levels in each domain in order to bid.
Certified vendors will also be subject to regular cyber hygiene audits overseen by the Federal Risk and Authorization Management Program (FedRAMP).
The measure is presently on its fourth draft, and will go through two additional drafts running through November before the final framework is implemented in January 2020. Once that happens, vendors will be expected to be ready to meet cyber security certification requirements as early as June 2020.
The Defense Department estimates that about 300,000 contractors will need the new cyber security certification.
The proposed CMMC levels
Each vendor will be ranked at level one to five in each domain, according to the new cybersecurity requirements.
Level 1: Basic (some best practices implemented, limited resistance against threats)
Level 2: Intermediate (all best practices implemented, meaningful resistance against threats)
Level 3: Good (all National Institute of Standards and Technology SP 800-171 security controls implemented for unclassified information, moderate resistance against threats)
Level 4: Proactive (automated controls and regular review policies implemented, strong resistance against threats)
Level 5: Advanced (strongest controls and policies implemented with regular reviews, strong resistance against even the most advanced attackers)
Vendors will be asked to meet specific cyber security certification levels in specific domains in order to be eligible for contracts, with the standards varying based on what kind of access they have and information they will be handling.
Problems for small businesses?
In the early public comment phase, smaller contractors have voiced concerns that the cost of the cyber security certification will be too high.
The Defense Department has responded to these concerns with several measures. Some security improvements will be an “allowable cost” for contractors, meaning that they can bill the government for their upgrade expenses. Tax breaks have also been discussed as an incentive.
Even with these measures in place, smaller contractors will likely see an increased and significant up-front expense in doing business with the government.
The modern threat and the need for cyber security certification
For its part, the Defense Department feels that these supply chain security improvements are a necessary cost for defense contractors to do business in the modern cyber landscape. Cybersecurity practices simply must improve across the board.
The National Counterintelligence and Security Center issued a report in September that indicated supply chain security breaches have already threatened US critical infrastructure and that these attacks are expected to both evolve and to increase in frequency.
In June, the US Customs and Border Protection Agency was breached and the personal information of about 100,000 travelers who had crossed the country’s southern border was exposed. The source of the breach was traced back to optical scanner hardware contractor Perceptics, which had apparently stored this sensitive data on its own company servers.
About one year ago, the travel records of about 30,000 military and civilian personnel were leaked. The Pentagon declined to name the source of the breach due to information security concerns, but did confirm it was a vendor.
In 2017, security researchers with UpGuard discovered unsecured Amazon S3 buckets belonging to the US Central Command. These buckets contained some 1.8 billion public posts, articles and comments scraped from a wide variety of sources from 2009 to 2015. UpGuard reported that the buckets belonged to a defunct defense contractor called VendorX.
All of this comes amidst a general surge in supply chain security breaches over roughly the past two years, as threat actors have realized that small, vulnerable contractors tend to provide the best opening into the networks of larger and more hardened targets. Attackers either find ways to move laterally into the target network by using the access methods available to the contractor, or in some cases they simply stumble onto sensitive data hosted on the contractor’s own machines and servers.
The Defense Department has tens of thousands of contractors, but these contractors frequently have a number of small business subcontractors of their own that end up with some sort of privileged access. That makes it virtually impossible for the agency to directly oversee supply chain security involving hundreds of thousands of entities that could potentially be the source of a breach. A simplified and universal cyber security certification is a sensible way to manage the situation, but one that may push some smaller vendors out of the market.
The Defense Department is seeking public comments through November.