Organizations aren't ensuring the security controls of their third-party partners are up to snuff.
Cybercriminals know "the easiest way to destroy is from within — it's a lot easier to take a supply chain out from within," said Katie Arrington, CISO for Acquisition and Sustainment at the Department of Defense, while speaking on a panel during the Billington Cybersecurity Summit Tuesday.
Cyberattacks on business partners can bypass their target victim's security by latching onto the weakest link in an organization's supply chain. Organizations need to trust the data they share with partners is as protected in a partner's network as it is in-house.
High-profile breaches, while dangerous and embarrassing, lead to security and compliance progress. Compliance with more government-issued regulations creates more business opportunity; cybersecurity becomes a competitive advantage.
Organizations working to secure work with the federal government have to prove their capabilities. Programs outlined by the federal government for their contractors, including the Cybersecurity Maturity Model Certification (CMMC), are applicable to every kind of business. Security programs set maturity levels for businesses to obtain and present to prospective partners.
"This is not an IT problem. This is a business problem … In the past, cybersecurity was relegated or delegated down to the IT department." said Karlton D. Johnson, vice chair of the board of directors for the CMMC Accreditation Body (CMMC-AB), during the panel. "CMMC is not just for people who are interested in doing government business."
The DOD's contractor network includes upwards of 300,000 companies — conducting an audit of all of them couldn't be done, Arrington said. The dilemma helped create CMMC-AB, where third parties can prove their compliance and readiness to partner with the federal government.
The CMMC was created earlier this year and is currently in "DFAR rule change," (Defense Federal Acquisition Regulation Supplement to the Federal Acquisition Regulation). Arrington expects approval by November.
"The model is a consolidation of many different standards, not just the [National Institute of Standards and Technology]," said Arrington.
For example, an organization that has the 252.204-7000 disclosure of information clause in their contract for controlled unclassified information, prohibits it from releasing unclassified information "to anyone outside" the organization, "regardless of medium," according to the clause.
If an organization has this clause, "you've been attesting to the government that you're doing these 110 controls" laid out by NIST's Special Publication 800-171, said Arrington.
"If we were actually doing [those controls], things wouldn't be as bad as they are now," said Arrington. Some companies will mistakenly say, 'I've gone and I've gotten NIST certification.' Well, NIST doesn't certify. You don't have a new certification."
What's in it for industry
Contracts make industry do what it's supposed to, or at least hold businesses accountable for a breach of contract. CMMC is, in part, meant to guarantee a level of security when acquiring new products or businesses. "Cybersecurity shouldn't be an issue when you first start talking. They drilled it down to the IT level, [but] IT and cyber are not the same thing," said Arrington.
In June, the CMMC-AB opened up positions for the certified third-party assessment organizations that will eventually be responsible for combing through companies vying for business with the DOD.
But depending on an organization's supply chain and required level of CMMC certification, it never needs to publicly articulate it. Whether it's the DOD or another company, "I don't want people putting their level on their website. I don't want to tell the adversary what you're not doing. I keep saying it's like 'Fight Club;' You don't talk about 'Fight Club,'" said Arrington.
Having private sector companies understand the difference between certifications and compliance is part of CMMC's mission, but it's also about how organizations undergo the process of a CMMC certification.
"I pray every day that the model never becomes a checklist," said Arrington. Instead she wants businesses to critically think with their teams about why a solution or process is needed and then adapt as threats evolve.
"How AWS or Cisco provides security today, it darn well better be different five years from now," Arrington said.
With CMMC, businesses within a supply chain don't have to think about the security capabilities of their partners. It makes the certification valuable outside of government work too.
From any business perspective, "if I'm going to partner with other companies, I want to protect their information as well as they're protecting mine," said Johnson.