Hackers Target Defense Contractors in an Effort to Reach the Pentagon

The Department of Defense (DoD) has one of the largest supply chains in the world, scaling to hundreds of thousands of different vendors and partners. Yet, these vital partners in our nation’s defense infrastructure pose a huge cyber risk.

Indeed, Bloomberg has published a laundry list of cybersecurity lapses among contractors that give bad actors and hostile nations a “leg up on countering the Pentagon’s weapons of tomorrow.”

Unfortunately, the DoD has lacked an effective way to monitor cybersecurity risk in its supply chain; thus, attacks continue unabated. Only last week, Nextgov reported that a supplier to several major defense contractors — including Lockheed Martin, Boeing, General Dynamics, and SpaceX — was the target of a ransomware attack. Documents were stolen from Denver-based aerospace contractor Visser Precision Manufacturing and are already showing up online. The ransomware used in the alleged attack, DoppelPaymer, steals data before encrypting the victim’s computer and then exposes the files, which can include classified or sensitive information.

The attack is a textbook example of the kind of cyber incident the Pentagon is trying to prevent through its new Cybersecurity Maturity Model Certification (CMMC) framework. But CMMC only goes so far. Let’s take a look at what CMMC requires and how the defense community can augment its cyber risk reduction efforts.

What is the Cybersecurity Maturity Model Certification?

CMMC is a new DoD security framework that holds suppliers accountable for their security postures before they engage in government business.

Finalized on January 31, 2020, the model articulates several requirements that contractors must meet to qualify for various cybersecurity maturity certifications. Those certifications range from Level 1, “Basic cybersecurity,” to Level 5, “Highly advanced cybersecurity practices.” These certifications are likely to be mandated in RFPs beginning as early as September this year.

How do contractors get CMMC certified?

To achieve certification, contractors must partner with an independent third-party agency, which will schedule an assessment. Contractors can select the level of certification they’re applying for. They will be required to demonstrate their cybersecurity maturity to the assessor; there is no self-certification allowed.

Once the assessment is complete, the certification level (though not specific results) will be made available to the DoD and the public.

Here is a comprehensive list of CMMC FAQs to help you get started.

The need for the CMMC in today’s security climate

No one wants more regulations, but as the DoppelPaymer breach and other attacks highlight, it’s critically important that defense contractors find ways to strengthen and validate their security postures. Not doing so compromises their ability to do business with the government and heightens their own cyber risk. With the average cost of a data breach reaching up to $4.6 million per incident, these companies can’t afford the risk exposure. Furthermore, a breach would likely jeopardize national security — potentially exposing intellectual property pertaining to weapons, materials, and R&D that could compromise military and defense readiness.


While the CMMC holds contractors accountable through third-party cyber assessments, it’s critical that contractors and subcontractors gain visibility into their own security performance — at all times — to avoid surprises and potentially lost government business. They must assess their security operations on a regular basis to ensure they are maintaining high standards and not falling below the security maturity thresholds that they are certified against.

To do this quickly and effectively, contractors can employ a security performance management (SPM) program to assess their overall security postures. More than a point-in-time snapshot of security performance, SPM ensures continuous monitoring of emerging risk factors, such as unpatched systems, insecure access points, misconfigured software, and previously unknown malware infections. By employing an SPM program, contractors can gain much-needed visibility and context into their risk across geographies and subsidiaries — both on-premises and in the cloud.

With this insight, contractors can efficiently allocate their limited resources to remediation and risk mitigation actions, such as ones that could have prevented the DoppelPaymer attack. They may also have a better chance of meeting the important certification requirements set forth by the CMMC.

Continuously assessing risk in the DoD supply chain

In addition to taking steps to monitor their own security performance, contractors must also extend this level of visibility and insight to their subcontractors. Indeed, the CMMC stipulates that DoD subcontracts are also subject to its requirements. Therefore, contractors need to be aware of who their fourth parties are and any risk they pose that may jeopardize their contracts.

Prime contractors can benefit from a tool like BitSight’s third-party risk management solution, which continuously monitors the security performance of all subcontractors. Using this insight, contractors can determine the greatest sources of risk in their supply chains and engage with fourth parties to help them improve security performance and ensure they receive appropriate CMMC certification.

Prime contractors are not alone in benefiting from continuous monitoring of their partners and vendors. J6 and G6 staff should have third-party risk management programs in place to continuously monitor and evaluate their vendors, and ensure their subordinate S6 staffs stay informed about any adverse events involving their contractors. Leaders should not assume that because they are using a GSA schedule vendor there is little or no risk of a data breach.

There’s no time to waste

The clock has started on CMMC compliance, and all defense contractors need to prepare. It’s vital that they take steps to achieve visibility into their own security performance before independent assessors knock on their door. In doing so, they can quickly take steps to improve their security controls and improve their chances of achieving the certification level they want.

Similarly, prime contractors and the Pentagon’s own communications staff must ensure they have a mechanism in place to shine a spotlight on emerging risk across their supply chain.

Ready or not, the Pentagon is moving forward with an aggressive timeline for CMMC compliance. As the pace of breaches targeting military data sustains momentum, there’s no time for anyone in the defense community to waste.