COVID-19 NEWS: New Cybersecurity Regulations ‘On Track’ Despite Virus
Work on the Defense Department’s highly anticipated set of new cybersecurity standards — known as the Cybersecurity Maturity Model Certification version 1.0 — is still on track despite the ongoing COVID-19 pandemic, said an official in charge of the effort April 22.
The new rules, which the Defense Department rolled out earlier this year, are meant to force the defense industrial base to better protect its networks and controlled unclassified information against cyberattacks and theft by competitors such as China. The rules will eventually be baked into contracts, and the Pentagon had targeted including them in requests for information as early as this summer on pathfinder programs.
Under the plan, CMMC third-party assessment organizations, known as C3PAOs, will be trained and approved by a new accreditation body. They will have to certify that a company has met the CMMC standards before it can win contracts. CMMC features different levels, with the level 1 standards being the least demanding and level 5 the most burdensome.
Katie Arrington, chief information security officer at the office of the undersecretary of defense acquisition, said CMMC is still on track despite hurdles created by the ongoing COVID-19 pandemic that has roiled the world.
“We are on track, but we're having to retool some of the training because the actual inspections … [do] have to happen,” she said. “The actual audit has to be done on site.”
The Pentagon is working on ways around that, she said during a webinar called “Protecting Small Business in a COVID-19 Environment” hosted by Project Spectrum, which is part of the Cyber Integrity Initiative and is supported by the Pentagon’s Office of Small Business Programs.
“We're still on track,” she said. “We're still doing the pathfinders. We're working through those. We're still on target to release some initial RFIs in June with the CMMC in it so we can all kind of get a feel for it.”
Additionally, the Pentagon still plans to get the first class of C3PAOs rolling out in late May or early June, she said.
The biggest sticking point will be conducting in-person audits, as required, Arrington said.
“Until we get the directive from the president and from Secretary [of Defense Mark] Esper with the DoD we have our stay-at-home orders,” she said. However, “the work hasn't stopped and we're still doing our absolute best to stay on track.”
Last week, speaking during a Bloomberg Government webinar, Arrington said potential delays of a couple of weeks would be insignificant to the overall program. “A two-week push on something is not going to ... have a massive impact to our rollout of this,” she said. “I don't think it's going to be impactful to the schedule. I think maybe we’ll have a two, three week slip on actually doing the first audits, the pathfinders, but nothing of significance.” Auditors may have to wear masks or social distance while conducting their work, she said.
Meanwhile, Arrington noted that businesses should consider implementing the first level of the CMMC requirements now to protect themselves as more employees in the defense industrial base work from home.
“CMMC level one are 17 controls, no cost, that you can implement today that can help you be secure,” she said. “Waiting isn't an option for any of us right now.” She also stressed the importance of good cyber hygiene, and recommended that employees frequently change their passwords and be mindful of spearphishing attempts. “Do your best to be diligent and remember that ... the weakest link is where the adversary will come in,” she said. “Don't be the weakest link.”
Nathan Magniex, a senior cybersecurity expert at Project Spectrum, also noted during the webinar that contractors should be wary of conducting meetings on the popular video platform Zoom.
“I would not use it as a business owner,” Magniex said. “There are certain red flags. There are connections with China that are concerning especially for the defense industrial base.”
Project Spectrum recently released a white paper on potential security risks with Zoom which said, “Zoom's numerous vulnerabilities are not unique to them because every software company and application has them. Zoom's links to China, however, are particularly concerning because those links expose the DIB and its supply chain, thus jeopardizing American innovation, IP and proprietary information.”
Project Spectrum recommended Cisco Webex, Facebook Workplace, Google Hangouts, GoToMeeting and Microsoft Teams as potential alternatives.