Federal and Defense officials spoke at today’s Billington Cybersecurity Summit about procurement cybersecurity challenges they face and the initiatives they’ve launched to combat those hurdles by shifting toward a “security first” approach to acquisition and supply chain management.
National Institute of Standards and Technology (NIST) Fellow Ron Ross said in a supply chain management panel that the Federal government currently struggles with both vertical cybersecurity – or securing the entire stack, from the application to the operating system to the network – and horizontal or supply chain security.
“Supply chain is broad and deep, and we rely very, very heavily on the great innovations and technologies coming from that supply chain, to build our systems, which go into critical applications,” Ross said. “I think the one issue that I would continue to stress is, you have not yet understood the complexity of the issue, and how to manage or reduce that complexity. It’s all about attack surface; attack surface exists in that vertical stack, and your attack surface extends out to your supply chain.”
Katie Arrington, CISO of the Defense Department’s (DoD’s) Office of the Undersecretary of Defense for Acquisition, stressed that shifting the culture toward security above all other priorities is critical to the way DoD is looking to develop its acquisition strategy.
“We are changing our culture – our culture in security,” Arrington said. “Costs, schedule, [and] performance have no value if it’s unsecure. If we can’t deliver it with the right price because our adversaries have taken it, it’s useless. Performance doesn’t matter if your adversary has it before [you] get into the battlefield.”
Arrington added that DoD is gearing toward “security first” by rewriting the DoD Instruction 5000, which provides the policies and rules that govern the defense acquisition system, as well as retraining program managers (PMs) to build cyber resiliency into products they develop for DoD weapons systems and critical infrastructure.
The Cybersecurity Maturity Model Certification (CMMC) – which aims to assess and reinforce the cybersecurity posture of the defense industrial base – is another significant project Arrington has worked on. Arrington said that her office is currently receiving feedback on CMMC until Sept. 22, after which she will apply that feedback to the CMMC requirements.
Arrington added that DoD’s requests for information will be used to apply CMMC levels in June 2020, “where companies will need to become the mature-level certified. It’ll be a go/no-go decision.” In making this change, Arrington said she hopes CMMC will “get people on top of cybersecurity standards at their company” so that PMs will drive security into the products that DoD and other agencies acquire.
Ross said that the Federal government as a whole should consider, in its own supply chain management, the lessons learned by DoD and other agencies that have applied cybersecurity-forward certifications and requirements to industry suppliers.
“I do think that we should all learn a lesson from what the DoD has experienced in the past three or four years,” Ross said, referring to the NIST 800-171 standard that DoD has applied to its suppliers as the Federal status quo for thwarting threats, particularly from foreign actors.
Ross added that 800-171 has applied “a broad brush of requirements across a huge community” in the Federal sphere of acquisition and created “the highest level of protection to everything,” but that setting the bar that high has caused agencies to fail because they don’t have the time, energy, or resources they need to achieve cybersecurity standards that best fit their needs.
“We can learn from [CMMC] and say, ‘Look, we can tailor our requirements and our controls to the level of sensitivity or criticality of that asset,’” Ross said. “If we can treat those things first, as special and tailor their requirements and our ability to assess those requirements to see if they’re affected. … If you specialize on critical, sensitive assets first, then we can solve this problem. If we continue to go down the road of trying to ‘compliance’ all of the time, everywhere, then we’re going to fail miserably.”