The Cybersecurity and Infrastructure Security Agency (CISA) is keeping a close eye on the progress of the Defense Department’s (DoD) Cybersecurity Maturity Model Certification (CMMC) program to improve the security of the defense industrial base (DIB) as CISA considers possible moves in the same direction on the civilian side of the Federal government.
That was one of several news takeaways from MeriTalk’s “Digital Hygiene: Tips for Ensuring Data Security Compliance” webinar on May 6, which covered Federal government compliance requirements for data security and hygiene.
Boyden Rohner, CISA’s associate director for vulnerability management, said her agency is “eagerly anticipating how CMMC rolls out” for the DoD as her agency considers programs that may run in the same direction.
“We are waiting with bated breath to learn some lessons” from the DoD program, “and then can transfer to our own communities,” Rohner said. Similar to the Pentagon’s aims with the CMMC program to improve DIB supply chain security, “we are very committed” to instructing CISA’s constituents on security relative to risk, she said.
Asked whether CISA had any planning similar to a CMMC-type program underway, Rohner replied, “we are definitely exploring that.”
She also said CISA was “working very hard” on contributing to aspects of the White House’s expected executive order on cybersecurity, which she said “may lean further into requirements for stakeholders or contractors who do business with the Federal civilian government.”
That process, Rohner said, is “one of the nearest term ways we will be pushing into this space a little bit more.”
Buddy Dees, director of the CMMC program, said on the webinar that the model developed by DoD is “a big move forward” for supply chain security because it obligates DIB members to verify that they have at least minimal levels of cybersecurity in place. “If any company in that supply chain does not implement” security, “in essence that creates a risk in the entire supply chain,” he said.
And he said the model introduces the concept of cybersecurity maturity, which requires not only implementation of technical solutions but also performance of the processes that yield a “repeatable approach to cybersecurity to protect the information” that companies receive from DoD.
Dees also said his office has “initiated conversations” with officials at the Department of Homeland Security (DHS) to talk about lessons learned through the development of the CMMC program thus far, and “to see if a model like CMMC” may work with other Federal agencies.
Stuart Itkin, who is vice president of CMMC and FedRAMP Assurance at Coalfire Federal, said, “everyone deserves a tremendous amount of credit for that work that has been done” on the CMMC program. The program’s rapid pace of development, he said, has been “incredibly unusual,” and has covered ground in two years “that typically takes decades.” Itkin said CMMC is dealing with a “very unique use case” of keeping secure information that the government shares with third parties, and in doing so, gives up the ability to “protect that information directly” on its own.
The CMMC program is essential, Itkin said, to prevent theft of government information from private-sector contractors. He cited the case in which the Chinese government stole information to build a copy-cat version of the F-35 fighter plane, and asserted that as a result it was able to construct a “carbon copy” version of the aircraft for use by its own military services.
Kirk Kern, CTO Americas and director of the Office of Technology and Strategy at NetApp, said he views the CMMC program and others like it as “critical sources” to understand and apply security requirements.
He said that the cost of compliance with programs like CMMC may be “problematic” for some smaller government contractors, but also contrasted the cost of improving security against the potential “huge financial loss” that may be incurred by a contractor who is victimized by a cyber attack. And, he pointed out, companies that improve their own security may save money in other ways, including realizing lower premiums for cybersecurity insurance.
For the whole story, please enjoy access to MeriTalk’s “Digital Hygiene: Tips for Ensuring Data Security Compliance” webinar.