Contractors have questions about DOD's cyber requirements

The Pentagon is making big moves in an effort to improve cybersecurity for its industrial base, but so far the department's biggest roadblocks early on may be the same confusion, doubt and uneven compliance from contractors that led to the vulnerabilities in the first place.

Officials from the Department of Defense and the National Institute of Standards and Technology gave updates on two nascent programs at an Aug. 8 Information Security and Privacy Advisory Board meeting: NIST's new draft cybersecurity guidance for contractor systems deemed high value assets and the Pentagon's Cybersecurity Maturity Model Certification (CMMC) program.

Both are designed to shore up different aspects of DOD's cybersecurity regime for contractors, and both are causing heartburn among companies who are still unclear about how best to comply.

The NIST draft guidance around high value assets recently went out for public comment earlier this year. The more than 600 responses reflect confusion about the scope and application of the requirements. 

Every individual requirement listed in the draft received more than a dozen comments or critiques, according to NIST's Victoria Pillitteri.

Cost, practicality and straightforward questions like "does this apply to me or my systems?" were among the most common sentiments expressed, while certain requirements, like one for a 24-hour security operations center, were painted as unrealistic and cost prohibitive expectations for small and mid-sized contractors.

Roger Wakimoto, a vice chancellor at the University of California, Los Angeles, wrote that his research team successfully competed for hundreds of millions of dollars in federal research funding in 2017 and expressed concerns that the enhanced requirements "may inflict unintended consequences on fundamental research" and are "unclear" about whether they apply to basic research or academic institutions that take federal research funding.

"Unless agencies are mandated to state applicability in funding announcements, this proposed change could be incredibly burdensome, as it is possible that applicants would not know that the award would fall under the new requirements until they are far along in the process of applying," wrote Wakimoto.

Others, like CTIA, a trade association representing the wireless industry, questioned whether NIST's cost assessments for compliance was too low, saying it "will likely be substantial."

Stronghold Cybersecurity worried that a requirement to restrict access to systems and components to information resources owned, provisioned or issued by the organization would wreak havoc on an increasingly mobile IT workforce.

"Any [Bring Your Own Device] goes out the window with this one for sure," wrote Jason McNew, the firm's Certified Information Systems Security Professional.

A definitional problem

Despite the complaints, the contracting community is unlikely to find sympathy among DOD officials or members of Congress, who have pushed for cybersecurity standards for the defense industrial base following a sustained campaign of digital espionage by China over the past 18 months that has hemorrhaged sensitive U.S. military secrets.

"Our adversaries aren't looking at penetrating the nuclear triad at the highest point…they're going to the lowest tier to gain access and they're patient," said Katie Arrington, a special assistant to the Assistant Secretary of Defense for Acquisition at the same meeting while discussing CMMC.

The enhanced NIST security requirements would only apply to components on nonfederal systems that store, process or transmit CUI, or when designated in a critical program or high value asset. Crucially, while NIST's baseline cybersecurity requirements are mandatory for all defense contractors, agencies must be sure to specifically include the requirements for high value assets in any contracting or procurement documents.

Just what constitutes a critical program or high value asset (and by whom) is another complicating factor. The clearest definition comes from the Department of Homeland Security, which adopted the phrase in a Binding Operational Directive and has cycled through two iterations of a definition thus far, while leaving it largely up to agencies to identify specific assets that fit the bill.

"We're still refining [the definition], I don't know that that will ever be perfect," said Alan McClelland, an information security specialist at the Cybersecurity and Infrastructure Security Agency. "Really it's open to interpretation, the agencies determine themselves based on these definitions what their high value assets are."

While DHS has offered technical expertise to the endeavor, military assets are not covered under the agency's Binding Operational Directive or its definition, though McClelland told FCW after his briefing that officials in both agencies are in discussions to cooperate and further align their efforts down the road.

A question of maturity

If the new NIST guidance is designed to scope out the technical requirements necessary to protect contractor systems, DOD's new Cybersecurity Maturity Model Certification program is a way to ensure that contractors are in fact complying. Rather than allow contractors to self-certify, the program will bring in third-party auditors to review contractor systems to ensure they're in fact implementing the protections they claim to the government.

The Pentagon's desire for a stricter compliance regime received a boost earlier this year when the federal government successfully convinced a judge to allow a lawsuit against contractor Aerojet Rocketdyne Holdings to proceed for claims it violated the Civil False Claims Act by misrepresenting compliance with NIST's baseline cybersecurity requirements listed in the Defense Federal Acquisition Regulation Supplement.

Like with NIST's new guidance, defense contractors and experts have also expressed anxiety about how the CMMC will work, how it will apply to their systems and whether the military can work out the kinks and confusion before a contractor's certification level begins affecting the kind of procurements it can pursue. The differing levels of maturity one can achieve (measured on a scale from 1-5) further clouds the picture as to what a particular contractor may need to do or implement to continue doing business with the military.

In addition, there are a number of contractors who may genuinely think they're compliant when they're not, a problem that again goes back to the general uncertainty and doubt that arises when general principles about security are applied to specific systems and programs in the defense contracting space.

Arrington was tapped by the Pentagon earlier this year to lead the CMMC and institute a broader cultural change among the defense contracting community. A former contractor, Arrington said she saw companies that falsely self-certified or embellished their compliance with contractor cybersecurity regulations in pursuit of business.

Those days must come to an end, she said, calling for the community to move away from its widespread fixation on cost, schedule and performance while ignoring security.

"It doesn't matter how much I pay for something if it's already been exfiltrated," Arrington said. "If I'm worried about getting it on time, but by the time I get it delivered to me it's worthless, why am I worrying about the schedule? Yeah, I wanted it to perform at this capacity, but if my adversaries already have it, they're outperforming me before I get there. We have to change the culture."