The United States Department of Defense (“DoD”) recentlyannounced two important changes to its approach to securing its supplychain:  1) cybersecurity costs will soonbe allowable under DoD contracts, and 2) the creation of a CybersecurityMaturity Model Certification (“CMMC”) which will be required under all DoDcontracts.[1]

The DoD’s motivations for these changes are pretty clear:the DoD is heavily dependent on its contractors, and the DoD recognizes that nomatter how secure it makes its own computing systems, those systems are only assecure as their weakest link.  The DoD’sbroad announcement regarding cybersecurity is a good sign that it recognizesthat these weak links can come from a variety of sources including the moreobvious technology issues, such as vulnerabilities in technology supplied tothe DoD like Citrix security software[2],Cisco routers[3],or Microsoft Windows[4],and also from vendors providing non-technical products and services to theDoD.  This later category of risks isillustrated by All-Ways Excavating’s (“All-Ways”) role in the near collapse ofthe U.S. electrical grid[5].  All-Ways is an excavating company based inthe Pacific Northwest.  They provideresidential and commercial contracting and building services for residential,commercial, and government customers. One day, the FBI appeared at the All-Ways offices as part of theirinvestigation into the near collapse of the United States electrical grid, thesystem through which power plants throughout the US distribute electricity toeach other and their customers. Fortunately, U.S. intelligence officials detected and were able to stopthe attack before it could be completed, but it could have had a devastatingimpact on the country.  The intelligenceofficials traced the attackers’ actions back to an All-Ways E-mail account thathad been compromised.  The attackers usedthat compromised account to send infected E-mails to the All-Ways employee’scontacts, including contacts at prime contractors and utility companies.  These seemingly legitimate E-mails were then openedby some recipients, and the attackers then repeated this process until theyobtained access to the machines that connected to the electrical grid itself.

Issues like that at All-Ways, as well as data breaches at large government contractors and the growing number of cybersecurity-related whistleblower cases[6] have driven home to DoD that it needs to find ways to encourage contractors to increase their cybersecurity posture. That is why the DoD is using a combination of both positive and negative reinforcement to get contractors to come up to speed.

On the positive reinforcement side, the DoD willjoin the growing number of large organizations that pay for at least a portionof their vendors’ efforts to improve their cybersecurity maturity.  The DoD has yet to announce whether all oronly a portion of the cybersecurity costs will be allowable, but in either casethis should come as welcome news to government contractors.  We will update our subscribers when newinformation is available from the DoD, but government contractors should assesshow and where they will make additional investments.

On the negative reinforcement side, the DoD has announcedthe creation of the CMMC.  Rather thanfocusing on the presence or absence of particular technologies in thecontractor’s environment, the CMMC measures the maturity of contractors’ cybersecurityprograms.  The CMMC will define fivelevels of maturity, from “basic” to “state-of-the-art”, and no later thanSeptember 2020 all government solicitations will include threshold maturityrequirements for all contractor cybersecurity programs.  Every vendor on a contract, includingsubcontractors, must meet those maturity requirements or their proposal willnot be considered.  The maturitycertifications must be conducted by third-party cybersecurity auditors who willconduct audits, collect metrics, and inform risk mitigation for the entiresupply chain.

Falsely certifying maturity levels can lead to debarment andcan also result in liability under the False Claims Act, which can include damagesof up to three (3) times the payment for the goods and services, plus upto $21,916 in penalties per claim. Depending on the nature of the claims, it is easy to see how the damagescould skyrocket to many millions of dollars. Thus, it is imperative for contractors to ensure that they are fully incompliance.

CMMC Version 1.0 and the certification process is expectedto be released in January 2020.  DoD will begin adding CMMC requirementsto its requests for information (“RFIs”) in June 2020, and they are targetingSeptember 2020 for adding it to all solicitations.  In our experience, initial cybersecuritymaturity assessments are a wake-up call for many companies, and it can take significanttime for the companies to find the resources necessary to improve theirmaturity.  Assessing systems nowwill allow your company to begin addressing any issues so it is better situatedwhen the CMMC requirements take effect. 

Fathom Cyber will helpyour company stay competitive under the DoD’s new approach to vendor cybersecurityrisk management.  Contact us at[email protected] or 215-648-1950.

[1]“Help Me, Help You”: Defense Department AdvisesContractors That Cybersecurity Is An Allowable Cost – Damon Silver andCatherine Tucciarello –https://www.jdsupra.com/legalnews/help-me-help-you-defense-department-82203/last viewed 6/28/2019)

[2] Iranian-backed hackers purportedly gained access toCitrix’s internal systems and were able to at least monitor, and possiblyimplant vulnerabilities in, the company’s security efforts – https://www.nbcnews.com/politics/national-security/iranian-backed-hackers-stole-data-major-u-s-government-contractor-n980986last viewed 6/28/2019)

[3] Cisco makes very secure routers that are highlyintelligent.  However, this intelligencealso creates attack surfaces that criminals can probe for, and ultimately exploit,vulnerabilities – https://www.wired.com/story/cisco-router-bug-secure-boot-trust-anchor/last viewed 6/28/2019)

[4] Microsoft recently announced a major flaw in itsRemote Desktop Protocol service which can be exploited to give attackerscomplete control over impacted systems – https://securityboulevard.com/2019/06/nsa-warns-users-of-bluekeep-vulnerability-urges-them-to-update-their-windows-systems/(lastviewed 6/28/2019)

[5] The All-Ways issue is a America’s Electric Grid Has aVulnerable Back Door-and Russia Walked Through It – Rebecca Smith-Rob Barry –https://www.wsj.com/articles/americas-electric-grid-has-a-vulnerable-back-doorand-russia-walked-through-it-11547137112last viewed 6/17/2019)

[6]Employees are increasingly reporting theiremployers for their failure to meet basic cybersecurity requirements ingovernment contracts – See, e.g., United States ex rel. Markus v AerojetRocketdyne Holdings – https://casetext.com/case/united-states-ex-rel-markus-v-aerojet-rocketdyne-holdings-inclast viewed 6/28/2019)