At a Senate hearing on Defense Department cybersecurity, lawmakers wanted to know whether a program aimed at hardening the security of the defense industrial base would thwart supply chain attacks.
In the wake of infiltration of government and private networks through SolarWinds software and the ransomware attack on Colonial Pipeline, lawmakers are looking to reduce the exposure of federal and critical infrastructure systems to hacks.
The Pentagon’s Cybersecurity Maturity Model Certification program is designed to be one key line of defense. The program sets out five maturity levels applicable to defense industrial base contractors, assigned according to the sensitivity of the information stored in their systems. Under the program, obtaining a certification of compliance at the appropriate level is an allowable cost. However, the extent to which contractors may still have to dig into their own pockets to obtain certification is a running concern -- so much so that Kathleen Hicks, the deputy secretary of defense, ordered a review of the program in March.
That review is finished, according to Sen. Joe Manchin (D-W.Va.), speaking at a May 18 hearing of the Senate Armed Services Committee's Cybersecurity Subcommittee, but the Defense Department’s recommendations are not complete.
"We do understand … that Secretary Hicks will be making significant modifications to the program," Manchin said.
Subcommittee Ranking Member Mike Rounds (R-S.D.) said he was concerned the CMMC approach "does little to help businesses meet those standards and certification [and]… does not account for the particulars of the threat and does not help businesses prioritize personnel or investments." One of Rounds' biggest concerns is that up and down the defense industrial base, small subcontractors have classified and controlled unclassified information beyond that which they need to deliver on their contracts.
Jesse Salazar, the deputy assistant secretary of Defense for Industrial Policy, told lawmakers that the overarching goal of CMMC is to require that defense contractors "embed cybersecurity into core operational and business practices to build a culture of cybersecurity that keeps pace with rapidly evolving threats."
Salazar also said that DOD was working through more than 850 stakeholder comments on a November update to the Defense Federal Acquisition Regulation Supplement.
Lawmakers also looked to get answers on whether CMMC is yet another compliance exercise or if the requirements of the program will actually thwart zero-day attacks from advanced and state-sponsored threat groups.
Rear Admiral William Chase, the deputy principal cyber advisor to the secretary of Defense, told senators that CMMC compliance wouldn't necessarily prevent a supply chain attack of the kind used in the SolarWinds campaign, but it could enable a contractor to detect one.
"Probably the best example is FireEye very publicly reported they caught the SolarWinds [attack] from observing lateral movement and privilege escalation within the -- within their own environment," Chase said. "If, say, a level 5 CMMC would've probably had sufficient tools to give them a shot at seeing the similar lateral movement provided they had the tipping and cueing in place."
Chase also noted that other existing programs would support a CMMC-compliant vendor in efforts to detect new attack vectors.
Separately, Keith Nakasone, the deputy assistant commissioner for acquisition specializing in IT at the Federal Acquisition Service, said on Wednesday at an FCW event that CMMC won't be required across the board in major governmentwide acquisition contracts. CMMC will be added to new GWACs, but the requirements will be applied on a task-order-by-task-order basis.