
February 3, 2020 | International, Aerospace, Naval, Land, C4ISR, Security

Pentagon finalizes first set of cyber standards for contractors

Mark Pomerleau

The Pentagon has finalized the long-anticipated cybersecurity standards contractors will have to follow before winning contracts from the Department of Defense, a new process called the Cybersecurity Maturity Model Certification (CMMC) 1.0.

The model is a tiered cybersecurity framework that grades companies on a scale of one to five based on the level of classification and security that is necessary for the work they are performing.

“The government and the contractor community must keep working together to address real and growing cybersecurity threats, and we need a robust response to protect our infrastructure, information, and supply chains,” said David Berteau, president and chief executive of the Professional Services Council, a trade association for federal contractors. “With today's announcement, DoD has achieved a significant milestone.”

Here's what industry officials need to know about the version finalized Jan. 31.

Why it was needed

Previously, the Pentagon did not have a unified standard for cybersecurity that businesses needed to follow when bidding for contracts. Companies could claim to meet certain industry standards for cybersecurity, but those assertions were not tested by auditors, nor did the standards take into account the type of work a company was bidding to complete. Since then, defense officials have said that cybersecurity is not a one-size-fits-all approach.

In the meantime, adversaries have discovered it is easier to target unsuspecting down-tier suppliers, rather than prime contractors.

“Adversaries know that in today's great power competition environment, information and technology are both key cornerstones and attacking a sub-tier supplier is far more appealing than a prime,” Ellen Lord, the under secretary of defense for acquisition and sustainment, told reporters in a briefing at the Pentagon Jan. 31.

Officials have said cyber theft by adversaries costs the United States about $600 billion a year.

What will change?

Contracts will mandate bidders reach a certain level of certification to win specific jobs. For example, if businesses aren't bidding on a contract that has extremely sensitive information, they must only achieve the first level of certification, which involves basic cybersecurity such as changing passwords and running antivirus software. More sensitive programs will require more stringent controls.

Smaller companies down the supply chain will not, however, have to have the same level of certification as primes, said Katie Arrington, chief information security officer for the Office of the Under Secretary of Defense for Acquisition and the point person for the certification.

Another significant change with the new process is the creation of an accreditation board and assessors. The board is an outside entity, separate from DoD, that will be charged with approving assessors to certify companies in the process.

The accreditation body was formed earlier this month and officials are working on identifying and training the assessors, which will be called Certified Third-Party Assessment Organizations (C3PAO).

What's next?

Officials explained Jan. 31 that CMMC will follow a crawl, walk, run approach to ensure companies aren't unprepared for the change. The accreditation board is in the process of training the auditors that will oversee the certification. Once the requirements are met, a company's certification is good for 3 years.

In the meantime, DoD plans to release 10 requests for information and 10 requests for proposals that will include the new cyber standards this year. The first solicitation could come as early as June.

Arrington said earlier this week that she expects 1,500 companies to be certified by the end of 2021.

She added that all new contracts starting in fiscal year 2026 will contain the cybersecurity requirements; however, Lord noted that they will not be retroactive to previous contracts.

https://www.fifthdomain.com/dod/2020/01/31/pentagon-finalizes-first-set-of-cyber-standards-for-contractors/
