CMMC Security for All: A Holistic Approach
This is the final blog in our series on CMMC. Here’s a quick recap of the ground covered to date. We began with an overview of CMMC, moved on to unpack Levels 1 & 2 plus the COTS exception, covered options for fast-tracking Level 3 compliance and then dove into the unique risks and opportunities for prime contractors.
By Amy Williams, PhD, CISSP, CMMC-RP - Director of Proactive Services
The goal of NIST 800-171, and subsequently of CMMC, has always been to ensure specific levels of security throughout the entire Defense Industrial Base (DIB). The greatest conundrum, however, is that currently the biggest attack targets are smaller businesses with leaner budgets. There is awareness that the entire supply chain is at risk as a result of this specific vulnerability, but the question is: how do we shore up security throughout the supply chain in a way that is affordable to all?
Since the publication of the last blog post, the DoD’s CMMC program has come under review with the intention of considering possible improvements. The following is the official statement of DoD spokesperson Jessica Maxwell regarding the program review: “In light of increasingly frequent and complex cyber intrusion efforts by adversaries and non-state actors, the Department remains deeply committed to the security and integrity of the defense industrial base. As is done in the early stages of many programs, the DoD is reviewing the current approach to CMMC to ensure that it is achieving stated goals as effectively as possible while not creating barriers to participation in the DoD acquisition process.”
While there is no specific information regarding the purpose of the review, we believe that there are at least two critical issues to address:
1. The cyber security resource and knowledge gap between larger and smaller members of the DIB
2. The affordability of CMMC for SMBs
Thoughts on how to remedy these issues are presented in the rest of this article.
The DoD Supply Chain: A Box of Tangled Twinkle Lights
Understanding how the complexity of the defense supply chain creates security challenges is foundational to discussing how we should tackle the problem. The term "supply chain" brings to mind a linear succession – one company builds a product and hires subcontractors to manufacture parts for that product. Logically, it seems straightforward. In reality, however, the DoD’s supply chain network is less of a linear chain and more like the giant box of tangled twinkle lights. Let’s look at production of military tanks to illustrate how quickly the defense supply chain becomes complex.
Military tanks are a specific, relatively low-production item compared to commercial vehicles. However, more than one company builds tanks, and they all have their own complex network of suppliers, with each supplier providing a different set of components. Assuming there are subcontractors for major sub-components of a tank such as the tracks, bogie wheels, turret, fenders, communications systems, engine components, etc., there can be hundreds to thousands of subcontractors involved in building a tank. Now consider the fact that each of those subcontractors has its own complex network of suppliers plus other 3rd-party contractor relationships unrelated to work for the DoD. These relationships are unknown to the original prime contractor, and yet, as demonstrated in the last blog where we went through the anatomy of a supply chain attack, an unrelated 3rd-party connection to a subcontractor can quickly escalate into a dangerous assault on a prime. Multiply the risk by the number of different prime contractors that each subcontractor works with and the exposure is staggering. Finally, adding to the complexity, once products like tanks are in service, more vendors are added to the supply chain to maintain, repair and operate the tanks. These vendor relationships may circle back into the original connections to acquire parts, either directly from one of the parts manufacturers or from parts distributors who were not part of the manufacturing process but work with the contracting agencies. Those distributors may also hold sensitive data from multiple different primes and subs across multiple contracts.
How We Got Here
The above example is quite simple and yet it effectively demonstrates how chaotic and unwieldy the supply chain is. How did we end up here? In the last few decades, producers of tangible goods have adopted "lean manufacturing" processes and "just-in-time" delivery practices that are focused on ensuring that the quality of a single component is consistent, material waste is minimized, and employee efficiency is maximized. In order for this approach to work effectively, communications between and among supply chain members have been streamlined and improved.
In other words, the importance of improving the speed of information sharing eclipsed the importance of network and data transmission security. Security measures have been an afterthought, typically based on the needs that arise after a new type of breach occurs. Larger companies with greater resources were originally more likely to be direct targets, but as attack strategies evolved so have defenses, and larger companies have had the required resources to keep up. In addition, the large companies were doing just that – keeping up, rather than trying to implement a full set of security controls at once (as many small members of the DIB are currently trying to do).
More recently, attack strategies have shifted to the smaller companies for two reasons:
- The creativity in the design of a product is often in the design of the components
- Smaller companies with leaner budgets are less likely to have invested adequately in cyber security, so they present a new way into the larger companies
Short-Term Advice for SMBs
What can be done to make cyber security affordable for all, given the chaotic structure of the supply chains and the vast number of small companies that are members of the DIB? In the short term, there are a few things that the smaller companies can do. First and foremost, they should check with their prime contractors to ask two important questions:
- What level of CMMC will be required of suppliers?
- Is the Prime Contractor planning on providing any type of support, financial or otherwise?
Prime contractors are coming under increasing pressure from the DoD to find ways to assist their suppliers. The aid may come in the form of a hotline, webinars, or in some cases, financial assistance. A recent press release announced that prime contractor SourceAmerica is launching a grant program for its non-profit members to get the assistance they need to become CMMC compliant. Other prime contractors may follow suit. In addition to being an ethically forward effort, it is also a financially smart move for prime contractors to provide financial assistance to their suppliers, since the primes are still the ultimate target.
Smaller contractors that are manufacturers should also be aware that there are Manufacturing Extension Programs (MEPs) in most states in the US that provide a variety of resources. Some of them like the Maryland MEP specifically provide financial support for CMMC compliance efforts.
Thoughts on Longer-Term Solutions
Longer term, additional measures can be taken to level the playing field. New programs that help small businesses learn what is needed to work with the DoD should purposefully incorporate more cyber training to ensure that security issues are top of mind and baked into the strategy as the companies grow.
The DoD should work closely with primes to develop strategies, programs and resources needed for the larger companies to foster and facilitate better cyber security practices throughout their supply chains.
Prime contractors should begin to be more proactive in their outreach efforts, learn more about the common security issues facing their vendors, identify members that are performing exceptionally well, and also identify key suppliers that are critical to their operations that may need additional support.
Independent analysis and confirmation of good cyber security practices is a smart idea. In school, however, before we give kids a test, we teach them what they need to know. Best-case scenario: parents as well as teachers are heavily involved in the education of kids. No matter where a company is within the defense supply chain, BlueVoyant is here to help, including coaching the smaller members of the DIB, but we would also like to see more Prime Contractors follow SourceAmerica’s example and provide resources to their supply chain.
Prime contractors are the parents in this scenario because they know the most about what data is flowed down and they are the ones that set expectations about how each subcontractor should manage that data. We believe the DoD and the CMMC-AB should work with Primes to provide them the resources necessary to educate members and possibly help fund security of the supply chain.
For those primes that wish to be more engaged in helping their supply chains, BlueVoyant can help with 3rd-party risk capabilities that provide an unparalleled view into the supply chain. We are currently helping prime contractors help their supply chains by providing those primes with a comprehensive understanding of their supply chain strengths and weaknesses – which contractors are doing well and which ones need a bit more help – all without touching the subcontractors’ systems. Further, we can see common problems across the entire set of contractors so that comprehensive solutions may be put in place where necessary. Finally, we have the ability to support primes with proactive remediation of risks if that is preferred to just receiving a report.
Whether driven by prime contractor requests or direct requests, we are helping individual companies of all sizes prepare for CMMC assessments. National defense is in our company’s DNA – our leadership comes in large part from government leadership and fully half of our consulting team are veterans. We deeply care about protecting all members of the DIB, and our holistic offerings were designed with the goal of providing support for every level, regardless of size or complexity.