At the beginning of March 2020, Fifth Domain reported that Colorado-based aerospace, automotive and industrial parts manufacturer Visser Precision LLC had suffered a DoppelPaymer ransomware infection. Those behind this attack ultimately published information stolen from some of Visser’s customers. Those organizations included defense contractors Lockheed Martin, General Dynamics, Boeing and SpaceX.
As the attack discussed above illustrates, digital threats like DoppelPaymer threaten to weaken the federal government’s supply chain by targeting contractor organizations. At best, these contractors will undertake lengthy investigations and ultimately be required to make difficult, and potentially costly, decisions in order to minimize the damage of these sophisticated attacks to themselves and their government customers. At worst, these attacks will expose information that compromises national security.
It’s therefore no wonder that the U.S. government is pursuing several initiatives in an effort to better secure its supply chain. Two of the most prominent of these efforts are SP 800-171, Revision 2 and Cybersecurity Mature Model Certification (CMMC).
SP 800-171 Rev. 2
On February 21, 2020, the National Institute of Standards and Technology (NIST) released the final draft of SP 800-171, Revision 2, entitled “Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations.” The motivation for this publication is the understanding that controlled unclassified information (CUI) residing on non-federal systems could limit the U.S. government’s ability to effectively fulfill its missions and business operations if not properly secured.
In December 2017, all DoD contractors that handle, process or store sensitive types of government information were required to comply with the security controls described in NIST 800-171, Rev 1. Revision 2 of the Requirement provides agencies with updated guidance that they can use to secure CUI on systems and organizations outside of the federal government. These updates include some minor editorial changes to Chapter One, Chapter Two, the Glossary, Acronyms and the References appendices. Note, the document does not contain any changes to the security requirements discussed in Chapter 3 of the Requirement.
In January 2020, the U.S. Department of Defense (DoD) released the final version of its Cybersecurity Maturity Model Certification (CMMC). Per the program’s website, SP 800-171 Rev. 2 will be one of the many cybersecurity control standards that CMMC will combine to create one unified standard for cybersecurity. The program will also draw upon ISO 27001, AIA NAS9933 and other security controls in an effort to measure the maturity level of an organization’s existing digital security posture.
Looking ahead, the DoD indicated in a web statement that it’ll begin using CMMC as a means to verify that organizations wishing to work with the Department are fulfilling essential digital security requirements. Towards that end, officials at DoD said they’d begin working with a third party to audit potential contractors for compliance with CMMC by June 2020.
There’s still a lot of work to be done in the meantime, however. As reported by Meritalk, for instance, Undersecretary of Defense Ellen Lord said that DoD is actively considering how to bring small- to medium-sized businesses (SMBs) into the folds of CMMC and retain them. Lord indicated that this step would help prevent digital attackers from abusing SMB providers as a means of tracing the supply chain up to U.S. federal agencies.
Not only that, but DoD is also working to keep up with growing international demand for the CMMC verification mechanism. In another report by Fifth Domain, Lord said that the CMMC team was working with eight individual countries along with the EU cybersecurity body as of late-winter 2020. She indicated that those countries and groups were specifically interested in adopting CMMC for their own use.
And while DoD’s CMMC leaders are pushing to stay on a very aggressive schedule, they said they are currently evaluating what potential delays could be caused by the DoD’s response to the COVID-19 pandemic, as reported by FedScoop.
Tripwire’s Thoughts on These Initiatives
Maurice Uenuma, vice president of federal systems at Tripwire, believes that the CMMC will go a long way towards improving the security of the federal government’s supply chain. As quoted by AFCEA International:
Perhaps the greatest benefit, at least at the outset, is that it clearly communicates the seriousness with which DOD intends to address weaknesses in supply chain cybersecurity, and its intention to leverage its vast regulatory and market powers to drive compliance. There is also the benefit of integrating and rationalizing several different standards … into a single framework. If this effort is ultimately successful, the lessons learned and market impact could reach far beyond the defense industrial base.
That said, organizations that want government work should not just sit back and wait for the changes introduced by CMMC and SP 800-171 Rev. 2 to reach them. They need to be proactive and lay the groundwork for complying with these security standards.
Organizations can begin this process by using asset discovery to achieve visibility over their systems. Once they have an accurate inventory of all hardware and software that’s connected to their networks, organizations can look to deploy a solution that can evaluate those systems against the CIS Critical Security Controls including vulnerability management, security configuration management, log management and file integrity monitoring. Lastly, they should make sure they have a solution in place that can automatically feed data to a third-party assessor. This will make the task of proving compliance with SP 800-171 Rev. 2 and CMMC much easier.
Click here to learn more about how Tripwire can help your organization maintain compliance with federal mandates such as CMMC and SP 800-171 Rev. 2.