February 3, 2020 | International, Aerospace, Naval, Land, C4ISR, Security

Pentagon finalizes first set of cyber standards for contractors

Mark Pomerleau

The Pentagon has finalized the long-anticipated cybersecurity standards that contractors will have to meet before winning contracts from the Department of Defense, under a new process called the Cybersecurity Maturity Model Certification (CMMC) 1.0.

The model is a tiered cybersecurity framework that grades companies on a scale of one to five based on the level of classification and security that is necessary for the work they are performing.

“The government and the contractor community must keep working together to address real and growing cybersecurity threats, and we need a robust response to protect our infrastructure, information, and supply chains,” said David Berteau, president and chief executive of the Professional Services Council, a trade association for federal contractors. “With today's announcement, DoD has achieved a significant milestone.”

Here's what industry officials need to know about the version finalized Jan. 31.

Why it was needed

Previously, the Pentagon did not have a unified standard for cybersecurity that businesses needed to follow when bidding for contracts. Companies could claim to meet certain industry standards for cybersecurity, but those assertions were not tested by auditors, nor did the standards take into account the type of work a company was bidding to complete. Since then, defense officials have said that cybersecurity is not a one-size-fits-all approach.

In the meantime, adversaries have discovered it is easier to target unsuspecting down-tier suppliers than prime contractors.

“Adversaries know that in today's great power competition environment, information and technology are both key cornerstones and attacking a sub-tier supplier is far more appealing than a prime,” Ellen Lord, the under secretary of defense for acquisition and sustainment, told reporters in a briefing at the Pentagon Jan. 31.

Officials have said cyber theft by adversaries costs the United States about $600 billion a year.

What will change?

Contracts will mandate that bidders reach a certain level of certification to win specific jobs. For example, if businesses aren't bidding on a contract that has extremely sensitive information, they need only achieve the first level of certification, which involves basic cybersecurity such as changing passwords and running antivirus software. More sensitive programs will require more stringent controls.

Smaller companies down the supply chain will not, however, have to have the same level of certification as primes, said Katie Arrington, chief information security officer for the Office of the Under Secretary of Defense for Acquisition and the point person for the certification.

Another significant change with the new process is the creation of an accreditation board and assessors. The board is an outside entity, separate from DoD, that will be charged with approving assessors to certify companies in the process.

The accreditation body was formed earlier this month, and officials are working on identifying and training the assessors, which will be called Certified Third-Party Assessment Organizations (C3PAO).

What's next?

Officials explained Jan. 31 that CMMC will follow a crawl, walk, run approach to ensure companies aren't unprepared for the change. The accreditation board is in the process of training the auditors that will oversee the certification. Once the requirements are met, a company's certification is good for 3 years.

In the meantime, DoD plans to release 10 requests for information and 10 requests for proposals that will include the new cyber standards this year. The first solicitation could come as early as June.

Arrington said earlier this week that she expects 1,500 companies to be certified by the end of 2021.

She added that all new contracts starting in fiscal year 2026 will contain the cybersecurity requirements. However, Lord noted that they will not be retroactive to previous contracts.

https://www.fifthdomain.com/dod/2020/01/31/pentagon-finalizes-first-set-of-cyber-standards-for-contractors/
