CMMC and the Cyber Future of America’s Defense Industrial Base

Earlier this month, the American nuclear weapons contractor Sol Oriens revealed that it had suffered a cyberattack, allegedly at the hands of the REvil ransomware gang. REvil claims to be auctioning the firm’s stolen data. This attack prompted Chris Grove, technology evangelist with Nozomi Networks, to remark, “A small, veteran owned company, most likely bound by multiple NIST Standards, working on nuclear weapons secrets, is probably one of the more secure manufacturers out there. And yet, we see the same story repeat itself – when the ‘Big Game Hunter’ cybercriminals target an organization, they are likely to get in.”

This is scary stuff. More than 300,000 companies comprise America's Defense Industrial Base (DIB), which makes weapons and a huge range of supporting products for the Department of Defense (DoD). Every one of them has its own cyber vulnerabilities. And, as we know, attackers, often working for America's strategic adversaries, have repeatedly penetrated the DIB. In one widely reported 2018 case, hackers attributed to the Chinese government stole roughly 600 gigabytes of sensitive submarine-warfare data, including cryptographic-system information, from a US Navy contractor.

In response, the DoD released the Cybersecurity Maturity Model Certification (CMMC) in January 2020 with the goal of establishing high, uniform and verifiable security standards for companies in the DIB. CMMC is run by the DoD, not by NIST; its practices are drawn largely from the National Institute of Standards and Technology (NIST) Special Publication 800-171, the existing standard for protecting controlled unclassified information (CUI) on contractor systems. The program focuses mostly on securing CUI handled by members of the DIB, mapping each defense contractor's cybersecurity practices and processes to one of five maturity levels. The key change from the earlier DFARS 252.204-7012 regime is that contractors no longer simply self-attest to NIST 800-171 compliance: an independent assessor has to verify it.

CMMC is a smart, well-intentioned program, but like many efforts of its kind, it is taking a long time to get started, and the early reports on it are not encouraging. According to a report from BlueVoyant, 28% of the companies it analyzed would likely fail to meet even the most basic, Level 1 CMMC requirements. Forty-eight percent showed severe weaknesses, including unsecured ports, unsecured data storage, and unsupported software.

Bassam Al-Khalidi, Founder and Co-CEO of Axiad, commented on these findings, saying, “It’s alarming but not unsurprising that over a quarter of companies wouldn’t meet the most basic CMMC requirements. As regulations call for higher levels of cybersecurity hygiene, the reality is that many businesses struggle to keep up: organizations often have limited IT resources and implementing new technologies to meet security requirements can seem like an overwhelming investment.”

The industry is starting to rise to the occasion. For example, Redspin, a division of CynergisTek (CTEK), recently announced that it was the first Candidate CMMC Third-Party Assessor Organization (C3PAO) to pass its own CMMC Level 3 assessment, which a candidate C3PAO must do before it is allowed to assess anyone else. The CMMC Accreditation Body has since credentialed Redspin as an Authorized C3PAO ready to conduct CMMC assessments.

“Soon, defense contractors will have to be certified at a given level of CMMC to qualify for contracts that specify the level,” explained Caleb Barlow, CEO of Redspin. “If you need to be at level 2, and you’re at level 1, well, you can’t bid on that contract. Our program can help contractors go up in the CMMC maturity, which we then certify.”

Redspin can now contract with Organizations Seeking Certification (OSCs) to conduct assessments at CMMC Levels 1 through 3. The process, according to Barlow, is similar to ISO 9000 and comparable standards initiatives. In preparation for certification, the OSC must undertake an intensive documentation effort. The goal is to produce evidence of process maturity, along with appropriate resourcing of security controls and organization-wide training, that an assessor can check against what is actually running rather than against what the policy says should be.

“This CMMC program is a great example of the government leveraging its massive purchasing power to effect change in cybersecurity,” Barlow added. “The new rules have teeth. You have to show that you have the maturity. For instance, if you say your process involves creating log files for certain devices, we’re going to want to see that log.”