NDIA PERSPECTIVE CYBER
Cybersecurity: Front and Center for Industry
“Deliver Uncompromised,” the “Fourth Pillar of Acquisition” or “Securing the DoD Supply Chain” — no matter what turn of phrase one uses to discuss protecting the defense industrial base and the equipment and support it provides warfighters from cyber threats, this issue stands front and center for the Pentagon and for the people and companies that provide its capabilities.
Experts estimate losses of about $600 billion per year in the transfer of wealth, expertise and trade secrets due to cyber crime. Adversaries and bad actors specifically target the defense industrial base, using the pilfered data to close capability gaps with the United States, its allies and partners.
The National Defense Strategy and the National Cyber Strategy lay it bare: “Our competitors — including … foreign adversaries such as Russia and China — are also using cyber to try to steal our technology.” Protecting U.S. advantages demands better government-industry collaboration. Fortunately, that collaboration is happening, with an effective, holistic cyber defense as the end state.
Despite being the home of cyberspace and the innovative tech giants who used it to transform society and the economy, America — both its government and its traditional industries — has responded slowly to growing and increasingly adaptive cyber threats. That said, stakeholders now recognize the challenge and have begun responding with concrete actions. As called out in the series of 2018 strategy documents, the cyber hygiene of U.S. government contractors, especially those in the defense industrial base, will likely soon be subject to third-party cybersecurity certification, which contractors will need in order to participate in any Defense Department contract.
No longer will lower-tier members of the supply chain meet requirements merely by self-reporting their progress against their own plans to comply with NIST 800-171. The tried and true adage that “what gets measured gets done” will rule.
Importantly, as the Pentagon tackled this issue, its thinking rapidly evolved. Beginning with a MITRE study titled “Delivered Uncompromised,” there was a call to make security a fourth pillar of acquisition, separate but equal to the pillars of cost, schedule and performance.
However, this approach fails because unlike the tradeoffs that can balance the three traditional pillars, no one advocates trading security for lower cost, a faster schedule or better performance. Instead, defense leaders see security as the foundation below the pillars.
Kevin Fahey, assistant secretary of defense for acquisition, recently said, “We need risk management solutions to assess, measure and mitigate risk in real-time across multi-tier partner and supplier networks to achieve our goal of cost, schedule and performance, as they are only effective in a secure environment.”
The Defense Department is thus moving from a model of optional, self-reported cybersecurity to a model based upon mandatory measurable standards. Working with outside partners, the department is reviewing and combining unaligned cybersecurity requirements into one unified standard.
The resulting Cybersecurity Maturity Model Certification (CMMC) system will provide tiered certifications to the entirety of the defense industrial base. According to senior defense officials, certification will serve as the ticket to entry into the defense supply chain — no certification, no contract. Recognizing the larger prime vendors have robust cybersecurity programs, the department will soon begin a pilot program implementing the CMMC on their processes and programs to identify lessons learned and enable further refinement.
Hearteningly, the department, through the National Defense Industrial Association and other organizations, engaged industry throughout this process.
Industry’s challenges, inputs and concerns have strengthened and continue to inform CMMC refinement. Specific industry input includes the imperative to deliver a system cost-effective enough to ensure innovative small businesses remain incentivized to enter and remain a part of the supply chain, both as prime contractors and subcontractors.
To amplify government-industry dialogue, defense officials plan an aggressive rollout of the CMMC using listening sessions with industry across the country. The first of these sessions will coincide with the NDIA San Diego Chapter’s Navy Gold Coast event July 25. Several others will soon follow, providing supply chain members firsthand knowledge of the program and the certification system while giving them opportunities to voice their concerns.
The department’s stated goal and its efforts to include industry demonstrate a desirable, necessary partnership, and any company interested in remaining in or joining the defense industrial base should participate. Once the department finalizes the full schedule of the listening sessions, NDIA will publicize dates, times and locations.
The Pentagon’s push for security as a foundation of our acquisition system is welcome but overdue. Most importantly, the department recognizes this initiative only works as a collaborative effort between government, industry and academia. Members of the supply chain must remain aggressively engaged across every aspect of its development, providing inputs and sharing the experiences necessary to define and deliver a feasible, affordable and effective security system.
America’s competitive advantage, economically and in the national security arena, depends on its success.
Retired Air Force Col. Wesley Hallman is senior vice president of strategic programs and policy at NDIA.