3 February 2020 | International, Aerospace, Naval, Land, C4ISR, Security

Pentagon finalizes first set of cyber standards for contractors

Mark Pomerleau

The Pentagon has finalized the long anticipated cybersecurity standards contractors will have to follow before winning contracts from the Department of Defense, a new process called the Cybersecurity Maturity Model Certification (CMMC) 1.0.

The model is a tiered cybersecurity framework that grades companies on a scale of one to five based on the level of classification and security necessary for the work they are performing.

“The government and the contractor community must keep working together to address real and growing cybersecurity threats, and we need a robust response to protect our infrastructure, information, and supply chains,” said David Berteau, president and chief executive of the Professional Services Council, a trade association for federal contractors. “With today's announcement, DoD has achieved a significant milestone.”

Here's what industry officials need to know about the version finalized Jan. 31.

Why it was needed

Previously, the Pentagon did not have a unified standard for cybersecurity that businesses needed to follow when bidding for contracts. Companies could claim to meet certain industry standards for cybersecurity, but those assertions were not tested by auditors, nor did the standards take into account the type of work a company was bidding to complete. Since then, defense officials have said that cybersecurity is not a one-size-fits-all approach.

In the meantime, adversaries have discovered it is easier to target unsuspecting lower-tier suppliers than prime contractors.

“Adversaries know that in today's great power competition environment, information and technology are both key cornerstones and attacking a sub-tier supplier is far more appealing than a prime,” Ellen Lord, the under secretary of defense for acquisition and sustainment, told reporters in a briefing at the Pentagon Jan. 31.

Officials have said cyber theft by adversaries costs the United States about $600 billion a year.

What will change?

Contracts will mandate bidders reach a certain level of certification to win specific jobs. For example, if businesses aren't bidding on a contract that has extremely sensitive information, they must only achieve the first level of certification, which involves basic cybersecurity such as changing passwords and running antivirus software. More sensitive programs will require more stringent controls.

Smaller companies down the supply chain will not, however, have to have the same level of certification as primes, said Katie Arrington, chief information security officer for the Office of the Under Secretary of Defense for Acquisition and the point person for the certification.

Another significant change with the new process is the creation of an accreditation board and assessors. The board is an outside entity, separate from DoD, that will be charged with approving assessors to certify companies in the process.

The accreditation body was formed earlier this month and officials are working on identifying and training the assessors, which will be called Certified Third-Party Assessment Organizations (C3PAO).

What's next?

Officials explained Jan. 31 that CMMC will follow a crawl, walk, run approach to ensure companies aren't unprepared for the change. The accreditation board is in the process of training the auditors that will oversee the certification. Once the requirements are met, a company's certification is good for 3 years.

In the meantime, DoD plans to release 10 requests for information and 10 requests for proposals that will include the new cyber standards this year. The first solicitation could come as early as June.

Arrington said earlier this week that she expects 1,500 companies to be certified by the end of 2021.

She added that all new contracts starting in fiscal year 2026 will contain the cybersecurity requirements; however, Lord noted that they will not be retroactive to previous contracts.

https://www.fifthdomain.com/dod/2020/01/31/pentagon-finalizes-first-set-of-cyber-standards-for-contractors/
