Current and prospective member companies of the defense industrial base (DIB) have watched with interest as the U.S. Department of Defense (DoD) developed its all-encompassing Cybersecurity Maturity Model Certification (CMMC) program. The DoD began implementing CMMC at the end of 2020. The program is designed to ensure that controlled unclassified information (CUI) handled or stored on any DIB system or network is protected from access by unauthorized users.
Most defense suppliers already know in broad terms how CMMC differs from previous cybersecurity programs: CMMC defines five levels of compliance, each with a set of supporting practices and processes. To meet a specific level, a contractor must meet the practices and processes within that level and all those below it. And whether or not it meets a specific level won’t be based, as in the past, on self-assessment. Instead, a non-profit organization named the Cybersecurity Maturity Model Certification Accreditation Board (CMMC AB) has been set up and recognized by the DoD as the stand-alone body responsible for accrediting CMMC Third Party Assessment Organizations (C3PAOs) and for training and certifying the assessors who work for them.
That is enough info to worry the most staid of supply-chain leaders, who are scrambling to understand the details of these new expectations and how to best prepare to meet them. In December, Smart Manufacturing hosted one of its Collective Intelligence roundtables to help. The video can be viewed at www.SME.org/cmmc. The experts hammered a few points hard:
You have to put the time in
“I think it’s interesting that we call CMMC a ‘maturity model.’ There’s a function of time associated with that,” said panel moderator David Rampton, VP at the supply-chain management consultancy Aerofied.
“As I understand it, it’s not going to be possible to flip a switch and, for all the money in the world, show maturity,” he said. “You might have excellent resources at your disposal, you might have a very robust plan in place, but without the passage of some time to actually demonstrate maturity,” it will be hard to claim you’ve reached a given level.
Adam Austin, the cybersecurity lead at consultancy Totem Tech, agreed, adding a warning that the time investment to reach CMMC’s third level—the minimum level required for working with CUI—could dwarf the work hours needed to reach standards like the ISO 9001 quality management standard. The supplier’s own time investment has a parallel on the assessor’s side: a CMMC third-party assessment is likely to take far longer than an ISO 9001 audit.
“The CMMC assessment is expected to be much more intense than your average ISO 9001 audit,” he said. “In fact, the DoD is estimating it’s going to take, even for a small business, four assessors a couple of hundred hours to execute the assessment. And you would compare this to the [mere] dozens of hours it takes one or two folks to perform an ISO 9001 audit for a small business.”
It is worth remembering that these assessments will not be made by the supplier’s own employees or consultants it chose and hired for the purpose. They will be made by true third-party assessors, who come to the company with no prior assumptions or biases, and who will be thorough, Austin warned:
“The C3PAOs have three methods that they can and will choose from to assess the state of your organization’s cybersecurity maturity. They can interview your personnel, they can examine systems and documentation, and they can actually test procedures and cybersecurity enforcement mechanisms. And we can actually expect the assessors to execute all three of these methods.
“For example, they may ask, and it’s their prerogative to ask, for a temporary user account in your network,” creating an opportunity to interview the system’s administrators and determine their knowledge of procedures of account creation. Then they can examine those procedures themselves.
“They would interview and then examine. They might actually test that the protections are in place,” he said. The assessors have the prerogative to not take a SysAdmin at his or her word.
The upshot: Don’t wait.
Industry 4.0 doesn’t ‘solve’ CMMC
The smart factory environment adds new factors to the cybersecurity challenge. The speed and efficiency of Industry 4.0 is enabled by networked digital communications, from shop-floor equipment on up to C-suites and back again. That is its strength. But from a cybersecurity standpoint, each link of that networked chain is potentially a place where security could be breached, said Sean Nobles, president of the cybersecurity consultancy NaviSec.
“Security no longer has to happen at only the edge of a system, where the Internet connection comes into a facility,” he said. “There are multiple layers now.”
That multiplication of targets for mischief may be somewhat balanced by the high-speed, AI-empowered digital systems being developed to protect against incursions, Nobles acknowledged. But there is a danger in relying on a product—any product—if it is used as a substitute for developing an enterprise-wide culture of security.
“Right up against the emerging smart-factory technologies that are coming out, there are also vendors out there” who are claiming that they have digital solutions “that are able to cover any emerging use case that might be out there,” he said. Be wary, he said, “when a security vendor comes out and says that we’re the only solution you ever need for operational technology networks.”
Nobles emphasized this point: CMMC compliance cannot be assured with the purchase of a product. Such a product can definitely help make a system more secure, he said, but it doesn’t replace a security mindset:
“What can end up happening is, a company thinks they’re more secure than they are because they have this next-generation machine-learning, AI-type solution in place that’s supposed to be the last cybersecurity solution they ever need to buy. That can be dangerous if the company thinks that that’s true. Because it’s not.”
What has to come first is, across the enterprise, having the basics of cybersecurity internalized, he said. “And then once you have done so, it might be a good idea to look at those more advanced vendor technologies.”
For example, “there’s no substitute for training somebody how to not open a suspicious email. That can be the weakest link. You can have all the security in the world in place. But if you get one person who clicks on it or puts a USB drive in, it can bypass all the controls that you have in place.”
It’s not ‘NIST today and CMMC tomorrow’
Some suppliers may be confused about how and when CMMC will affect them. For example, CMMC is not being made retroactive: its requirements have begun going into new DoD contracts, but it isn’t an addendum to current contracts. That makes it sound like companies fully occupied with current contracts have some breathing room.
Another factor: Since the end of 2017, the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 has already required contractors that handle CUI to implement the security requirements of the NIST standard it references, NIST SP 800-171. CMMC’s third level—the minimum level required for CUI—incorporates all 110 of those requirements and adds a further 20 practices on top of them, so the two are closely related but not identical.
So the question is, if a company has a defense contract with that DFARS 7012 requirement now, is there anything it needs to do differently to prepare for contracts with CMMC requirements in them?
“I think the first step is that there has to be a mindset change. The idea that there is 800-171 today, and CMMC is some future thing, we’re past that. They’re both today,” said Nathan Wright, air vehicle cybersecurity director at aerospace prime Bell Flight.
“What I would recommend for a company to do is, if you have a DFARS 7012 clause, be sure you’re compliant with it. Execute an internal self-assessment.”
How? “DCMA [The DoD’s Defense Contract Management Agency] was actually mandated and commissioned to develop a program for assessment. And they have a model that you can follow to self-assess yourself to NIST 800-171. It’s very important to go ahead and do that, to begin implementing improvements now,” he said.
“By the time the CMMC assessor comes to you, you need to show a maturity in those same fields that you’ve implemented with 800-171. It’s critical to start now.”
Wright offered this advice to those getting started: Be in touch with whichever aerospace prime you are supplying under the current contract.
“As you’re trying to understand the regulations, as you’re trying to implement the changes, if you have problems and challenges, reach out to your prime. It is in their best interest that you are successful,” and most likely, they have more expertise in cybersecurity than a down-tier supplier would, he noted.
“They will have people that can help answer questions. They won’t give you all the answers, they won’t do the work for you. But they are there as a resource. They want to make sure that you’re successful.”
Along with spyware: crimeware
Because CMMC is a requirement of the Department of Defense, suppliers often think of cyber incursions as primarily the province of international espionage—wherein the adversary’s hope is to steal intellectual property in order to reproduce its own version of, say, a joint strike fighter. But as Aerofied’s Rampton notes, that’s usually not the case. More often, he said, the invader’s hope is simply money.
“In 2020, Verizon did a study on data breaches in manufacturing. For data breaches among manufacturers, 73 percent of all data breaches were financially motivated as opposed to 27 percent that were espionage-driven,” he noted.
Totem Tech’s Austin noted that, while every sector faces financially motivated crime, manufacturers are more likely than other businesses to find themselves in the crosshairs of espionage campaigns as well:
“All industry sectors are faced with financial theft—but the manufacturing industry is by far the biggest target for adversarial espionage campaigns,” he said. “It’s almost 10 percent higher than any other sector, according to that Verizon report.”
Over 90 percent of the breaches cited in the same report were actually executed by organized crime or nation state-level adversaries, Austin said.
“So, we’re talking about Eastern European crime syndicate, or Chinese military-type level of sophistication in these attacks, targeting all members of the manufacturing sector, from large prime contractors all the way down to the mom-and-pop business. It’s cheaper and simpler to steal something than to design it yourself. And our adversaries actively pursuing this theft are very capable. They’re well organized, and they’re motivated.”
NaviSec’s Sean Nobles noted that the danger isn’t only from large organizations, however.
“In our own experience, we’ve seen that there’s now ransomware available as SaaS: ‘ransomware as a service,’ which is out there and that criminals subscribe to,” he warned. “They’re getting access to these ransomware kits that they’re then using to deploy into industries like manufacturing.”
Bell Flight’s Nathan Wright agreed.
“One of my main takeaways today is that if you have nefarious intentions, it’s pretty easy to go out there, get some sophisticated crimeware and start attacking manufacturers,” he said.
“All the more reason why taking measures to put basic protections in place and then building upon those basic protections is so crucial,” said Rampton. “Because the barrier to entry to participate in the criminal side of this is very low.”
The good news is that implementing the practices CMMC requires will reduce a supplier’s exposure to cyberattacks—whether the attacker’s motivation is service to a foreign power or just some easy money.