Why vendors can't wait for CMMC to raise their cyber standards

"The current geopolitical climate...should have companies thinking about how they are currently defending themselves against cyber attacks," a defense official said on Thursday.

Defense officials are urging the companies they rely on to bolster their cybersecurity postures amid the Russian invasion of Ukraine.

David McKeown, the Defense Department's chief information security officer, said companies the department relies on should be thinking about cyber resiliency. 

"The current geopolitical climate, of course, should have companies thinking about how they are currently defending themselves against cyber attacks, and what DIB companies can implement immediately to become more cyber resilient. Cyber resiliency is my responsibility and yours as we work together to better protect the warfighter," McKeown said during a virtual town hall event on Feb. 24. 

At the same time, DOD's own cybersecurity assurance effort for vendors, the Cybersecurity Maturity Model Certification program, could take up to two years to fully activate. In the meantime, McKeown and other defense officials have urged defense contractors to get assessments even though they're not required. 

"It is going to take us about up to 24 months to go through the rulemaking," McKeown said, "and we are encouraging folks to go ahead and perhaps get a third party assessment before this goes final into law and will be included in contracts. We'd like to incentivize that and we're looking at ways to incentivize it so that it is good for you to go ahead and do that ahead of time."

The DOD officials' comments come after Ukrainian government and private entities sustained cyberattacks that disabled public-facing websites. Leading up to Russia's Feb. 24 military invasion of Ukraine, as tensions escalated in the past weeks, security agencies urged U.S. companies to be vigilant about their cybersecurity and to take advantage of a suite of cyber tools. A recent multi-agency alert from the Cybersecurity and Infrastructure Security Agency, National Security Agency, and FBI noted that Russian hackers have been targeting defense contractors for years.

On Thursday, CISA released another alert regarding Iran-sponsored malicious cyber operations targeting government and private entities in telecommunications, defense, local government, and oil and natural gas in Asia, Africa, Europe, and North America.

Additionally, on Friday, the Russia-based ransomware gang known as the Conti Team warned that it would "strike back at the critical infrastructure of an enemy" if Russia is targeted with cyber attacks. 

But what does it mean that the Defense Department – which is moving troops to Europe and has contractors worldwide – lacks a universal cybersecurity standard during an ongoing international military conflict, especially one that could exacerbate the number and kinds of threats companies see daily?

What's at stake for contractors 

Wes Hallman, the National Defense Industrial Association's senior vice president of strategy and policy, told FCW it was important to have unified cybersecurity standards, like what CMMC aims to be, across all of federal contracting, not just DOD, because "it's really a threat for the entirety of the economy, and it's not just from Russia -- but that's the proximate threat right now."

Hallman added: "If you haven't already instituted some of those controls, obviously, you'd want to do that. At the same time, you want to make sure that your employees are being hyper vigilant of what's going on online because in many cases, we human beings are the weakest link."

Stephanie Kostro, the executive vice president for policy at the Professional Services Council, told FCW that cyber considerations involve contractors stateside and those abroad, affecting official and personal communications.  

"Everything is subject to vulnerability when you're in theater. It's subject to vulnerability no matter where you are, but when you're closer to the combat, it is one of those things you can't take for granted that you think you're on an encrypted or closed system, but you have to take the necessary safeguards or just go silent for a while just to make sure that your information is not being compromised."

Kostro said contractors have received guidance from the Pentagon to check in via the Synchronized Predeployment and Operational Tracker system that tracks personnel, particularly if they are in theater or theater-adjacent in neighboring countries.

"I think it's critical to know that the Defense Department is taking steps here to make sure they have full situational awareness. And that extends also to the system that folks are operating on and to make sure that secure transmission stays secure," Kostro said, citing news reports that data-wiping software had been found on Ukrainian computers.

In a recent supply chain report, the Pentagon recommended increasing resources to bolster the defense industry base's cybersecurity posture. The document, which was released Feb. 24, also calls for conducting cybersecurity assessments of companies critical to DOD's supply chain as well as expanding information sharing platforms, primarily through the DOD Cyber Crime Center's Defense Collaborative Information Sharing Environment and the National Security Agency's Cybersecurity Collaboration Center, which also offers cybersecurity consulting services. 

Kostro said the Russian invasion of Ukraine and accompanying cybersecurity concerns could test how companies' preparations withstand hybrid warfare. And from that, DOD and contractors alike could learn what standards and systems stand up against persistent cyber attacks from state actors. 

"This is what we've been talking about, and we are now seeing a real world, real time example of it, and how insidious and how sneaky cyber as part of hybrid warfare can be," she said. "I think, from a company perspective, they've taken a lot of steps to improve their cyber hygiene, to improve encryption, to improve their safeguards against attack, and these are now going to be tested."