In the United States Defense Industrial Base (DIB), government contracts are rarely fulfilled by one organization alone.
Generally, a primary contractor bids on a project in partnership with a team of subcontractors, each of which provides specific expertise and a highly specialized product (such as a component or material) or service (such as coding).
Under the prime contractor/subcontractor model, the prime contractor works directly with the government and manages the subcontractors.
While this model may be successful in terms of efficiency, it has not proved to be advantageous for security. In many cases, prime contractors on a project share more sensitive data with their subcontractors than is necessary for fulfilling their duties.
When adversaries attempt to steal this data, they may not target prime contractors directly, as larger companies are more apt to have robust cybersecurity defenses in place. Instead, adversaries attack smaller subcontractors, because those companies have access to sensitive data without the ability to adequately secure it, offering an easy "back door" for attacks.
The state of DIB cybersecurity
The loss of sensitive data through the DIB has driven the Department of Defense to institute rules regarding how contractors must secure the data with which they are entrusted.
The first effort to accomplish this was the publication of NIST SP 800-171. Under Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012, contractors with access to sensitive but unclassified information were required to be compliant with NIST SP 800-171.
However, the issue with DFARS Clause 252.204-7012 is that it had no teeth. Under the current rules, defense contractors are required to self-certify their compliance with the regulation. If they perform self-certification and are honest about their lack of compliance, they are permitted to institute a “get well plan” to fix the identified issues.
Kevin Fahey, the Pentagon’s Assistant Defense Secretary for Acquisition, recently stated that larger companies are doing a good job in meeting the government’s cybersecurity requirements, “...but in no case do they meet everything that they thought they met.” He added that many times, foreign hackers will attack a subcontractor that is “...fifth-, sixth-tier.” Fahey went on to say. “If you’re flowing down information they don’t need, then that’s bad. That’s where we’re seeing our biggest problem.”
Fahey’s statements are corroborated by a recent study conducted by Sera-Brynn which reported that surveyed government contractors had implemented, on average, only 39% of the 110 requirements of NIST SP 800-171.
Additionally, none of the organizations surveyed were found to be fully compliant with the regulation, and 45% of them had never read the publication.
It is important to note that the Sera-Brynn survey was biased toward organizations that were more likely to be compliant with the regulation. A more general survey pool that includes smaller subcontractors is likely to paint an even bleaker picture of the state of regulatory compliance among the DIB.
CMMC and the future of compliance
The reality of DIB cybersecurity compliance is that most defense contractors are unable or insufficiently motivated to implement the security controls outlined in NIST SP 800-171.
Since organizations are currently permitted to self-certify compliance, many continue operating despite being in regulatory non-compliance.
With the implementation of the DoD Cybersecurity Maturity Model Certification (CMMC), all of this will change.
Under the new regulations, contractors will need to be audited and certified for CMMC before being allowed to bid on government contracts, and certification will be performed by third-party auditors.
It’s important to note that CMMC is not designed to exclude smaller subcontractors. Rather, it is intended to assess and enhance the cybersecurity posture of all organizations that work with the DoD.
Under this new framework, contractors will be able to roll any costs associated with security into their billable rate. In addition, the grants will be available to smaller contractors to assist with their initial certification.
Contractors applying for CMMC certification may wish to evaluate security solutions that have already been vetted for use on government systems to protect classified and sensitive information, such as those approved under the Commercial Solutions for Classified (CSfC) program.
The CSfC program was designed to provide government entities with the security solutions that they need to protect both classified and CUI data as quickly as possible. Instead of limiting acquisitions to government off the shelf (GOTS) hardware, the CSfC program certifies commercial off the shelf (COTS) as meeting certain security needs.
In fact, in order to keep costs down, the CSfC program requires giving preference to COTS over GOTS products when possible.
While it is not mapped directly to NIST SP 800-171 requirements, the security level of a CSfC device should meet or exceed the CMMC requirements for handling classified or sensitive data.
Learn more about Attila’s security solutions approved for use in protecting the nation’s most critical information and systems against cyber attacks.