Officials from the Defense Department (DoD) and the Cybersecurity and Infrastructure Security Agency (CISA) said today that creating more effective defenses against sophisticated cyberattacks of the type used in the SolarWinds Orion hack may require further adoption of zero trust security concepts.
That was the news from Bob Kolasky, who heads CISA’s National Risk Management Center (NRMC), and Stacy Bostjanick, director of the Cybersecurity Maturity Model Certification (CMMC) Policy Office for DoD’s under secretary of Defense for Acquisition and Sustainment, who spoke during an online event organized by AFCEA International.
Both officials also discussed the growing likelihood that the CMMC security model will migrate in some form from its present use in ensuring minimum cybersecurity standards in the defense industrial base (DIB) to further areas of Federal government contracting.
Zero Trust Defense
Asked about the SolarWinds hack – which was accomplished by Russia-backed actors who injected malware into software updates provided by the vendor to thousands of organizations – and whether levels of security mandated by the CMMC model would have spotted such attacks earlier on, Bostjanick replied that only the more advanced tiers of security under CMMC would have worked for that purpose.
The CMMC model incorporates five tiers of cybersecurity compliance – each progressively more advanced – and their attainment by DIB members depends on what level of security is required by their participation in defense contracts.
Bostjanick said that CMMC compliance up to the level 3 rating would not have prevented an attack using methods similar to those in the SolarWinds exploit, although cybersecurity practices at the level 3 rating may have given some companies the ability to detect that such an attack was taking place.
“You’re not going to get into the levels of stopping [that attack] until you get to levels 4 and 5,” she said. “To really stop a SolarWinds [type attack], you almost have to go to a zero trust environment,” Bostjanick said.
Zero trust security concepts incorporate much more rigorous and frequent evaluations of user and endpoint identities to allow access to networks.
Kolasky agreed that something closer to a zero trust concept would be useful in that regard.
Discussing how to prevent software exploits, he suggested “really putting extra controls in place on things that have high levels of access, because that is where the risks are.” He continued, “that is where you go closer to zero trust,” adding, “you can’t go zero trust everywhere . . . but you can where the risk is higher.”
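The access model the two officials describe (evaluating user identity and endpoint posture on every request, and applying the strictest controls only where access is broad) can be illustrated with a small policy engine. The following is an added example, not code from the article, CISA, DoD or any CMMC tooling; the network range, resource names, risk tiers and freshness thresholds are constructed placeholders for illustration.

```python
"""Added example: a per-request access decision that contrasts a perimeter
model ("inside the network" equals trusted) with a zero trust model that
checks identity and endpoint posture every time, and that reserves the
strictest checks for high-risk resources, as the officials quoted above suggest.
All names, addresses and thresholds below are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Tuple

# Hypothetical corporate address space used by the legacy perimeter check.
CORP_NETWORK = ip_network("10.0.0.0/8")

# How recent the last MFA challenge must be, per resource risk tier (seconds).
# High-risk resources (broad access: build servers, admin consoles) get a much
# shorter window; low-risk ones get a full working day.
MAX_MFA_AGE_S = {"low": 24 * 3600, "high": 15 * 60}


@dataclass
class Subject:
    user: str
    authenticated: bool
    mfa_age_s: int  # seconds since the last MFA challenge (use a large value for "never")


@dataclass
class Device:
    device_id: str
    managed: bool  # enrolled in device management
    compliant: bool  # posture check passed (patched, endpoint agent healthy)
    src_ip: str


@dataclass
class Resource:
    name: str
    risk: str  # "low" or "high"


def perimeter_decision(dev: Device) -> bool:
    """Legacy model: reaching the request from inside the corporate network is
    treated as sufficient proof of trust, whoever or whatever is behind it."""
    return ip_address(dev.src_ip) in CORP_NETWORK


def zero_trust_decision(sub: Subject, dev: Device, res: Resource) -> Tuple[bool, str]:
    """Zero trust model: network location is ignored. Identity is verified on
    every request, MFA freshness scales with resource risk, and only managed,
    compliant endpoints may reach high-risk resources."""
    if not sub.authenticated:
        return False, "identity not verified"
    if sub.mfa_age_s > MAX_MFA_AGE_S[res.risk]:
        return False, f"MFA older than allowed for {res.risk}-risk resource"
    if res.risk == "high":
        if not dev.managed:
            return False, "unmanaged device cannot reach high-risk resource"
        if not dev.compliant:
            return False, "device posture check failed"
    return True, "allowed"


if __name__ == "__main__":
    # Constructed scenario: an unmanaged host on the corporate LAN, whose user
    # last completed MFA an hour ago, requests a high-risk build server.
    inside = Device("laptop-7", managed=False, compliant=False, src_ip="10.20.30.40")
    build = Resource("build-server", "high")
    print("perimeter:", perimeter_decision(inside))
    print("zero trust:", zero_trust_decision(Subject("alice", True, 3600), inside, build))
```

The point of the comparison is the first scenario in the `__main__` block: the perimeter check allows the request purely because the source address is internal, while the zero trust check refuses it, and would refuse it again for the unmanaged device even after a fresh MFA challenge. Low-risk resources are deliberately held to a looser standard, which is the "not everywhere, but where the risk is higher" trade-off described above.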
CMMC Model Migration
Elsewhere during the AFCEA event, Kolasky said he regards the CMMC model as a “pathfinder” that can inform security improvements in other areas of the government.
“As CMMC takes off in the DIB community … they are a pathfinder, they are leading the way,” he said. Noting that DIB companies also do business with non-defense government sectors, he said, “we want to make sure as [we] expand this journey that we are learning from the pathfinders,” and also make sure that the government does not create markedly different cybersecurity standards for other non-defense contractors.
“It’s important to do things that are consistent with CMMC” as the government looks to migrate similar standards to non-defense contractors, he said. “Other parts of government are looking to establish good standards,” he said. “That connection point will be a really important element this year” as the government looks to roll out supply chain security efforts covering other sectors, he added.
Bostjanick, noting that her office is included on CISA’s ICT Supply Chain Risk Management Task Force that Kolasky’s NRMC created, said that the security aim of the CMMC model “is not just a DoD issue.”
“As we move forward … I believe we are going to have to make this a Federal governmentwide capability across the board” and address supply chain security as a “whole of nation issue … not just a DoD or DHS-type concern,” she said.
Kolasky said that at DHS, momentum had been building in 2020 for the adoption of a CMMC-type model, but added that the policy decision was up to the new leaders taking over at the agency since the Biden administration was inaugurated in January.
“At CISA, we are not at the point where we are saying we are developing CMMC for our contracts,” he said, but continued, “we are putting those good practices in place.”
“There is not a formal answer yet as to how it is going to play out, but we are headed to more convergence,” Kolasky said.