Last month, the GovCyberHub sat down with Parham Eftekhari, the Executive Director of the Institute for Critical Infrastructure Technology (ICIT), to talk about the key trends and topics of discussion at the organization’s 2019 Fall Briefing. During that discussion, Mr. Eftekhari talked about the need for more leadership in federal cybersecurity and also discussed some of the unique cybersecurity challenges that the U.S. Department of Defense (DoD) faces as a result of its large ecosystem of vendors and contractors.
“If you look at the sheer volume of the acquisitions that the DoD does every year from a software and hardware and equipment perspective, securing that supply chain is something that is going to be a multi-decade effort,” Mr. Eftekhari said. “This is not something that’s going to happen in one administration, and that’s something people need to acknowledge and not get frustrated with. This is a marathon, even multiple marathons.”
But it’s not just the scope and size of the DoD vendor and contractor ecosystem that causes cybersecurity challenges. Cybersecurity vulnerabilities also result from the sophistication of some of the smaller contractors that the DoD works with – a problem that is compounded when larger contractors work with smaller subcontractors further down the supply chain.
ICIT recently conducted an insightful interview with Ernie Magnotti, the CISO at defense contractor, Leonardo DRS. During the interview, Mr. Magnotti laid out some of the reasons why smaller government contractors may struggle to meet DoD cybersecurity standards and how new regulations could make the DoD even less secure.
Here is an excerpt from that conversation:

ICIT: How would you describe the composition of the defense industrial base (DIB) third-party ecosystem? In your opinion, what aspects are underreported and what are the resulting impacts on supply chain security?
Ernie Magnotti: According to Aeroweb, the top 100 Defense Contractors accounted for 63.5 percent of the prime contracts awarded in 2018, with the top 6 accounting for 30 percent of the total. But naturally, the Department of Defense (DoD) begins to lose sight of subcontractors beyond the third tier of the supply chain.
I’ve heard estimates that there are between 100,000 and 300,000 companies holding contracts with DoD flow downs, approximately 98 percent of these companies have fewer than 100 employees, and there are over a million contracts in the DIB ecosystem that contain DFARS clause 252.204-7012.
DFARS clause 252.204-7012 requires that data breaches involving controlled unclassified information (CUI) be reported through DIBnet. However, the clause and associated requirements are not easy to understand, and companies with fewer than 100 people might have one to three IT people who mainly do break/fix work, leaving them with little manpower for cybersecurity.
Thus, it’s very likely that small companies do not have a sophisticated cyber program capable of defending against nation state threat actors, let alone understand how to comply under the clause. This is why the bad guys are focusing their cyberattacks further down the DIB supply chain.
ICIT: What risks do small contractors introduce to the DIB ecosystem when they cannot meet the security requirements set by the government or when the minimal requirements are insufficient to mitigate emerging threats?
Ernie Magnotti: In June 2019, the DIB announced an aggressive plan to require a Cyber Maturity Model Certification (CMMC) for all contractors and subcontractors that will require an independent third party to assess a company’s cyber maturity before they can win contracts that contain DFARS clause 252.204-7012.
Many in the DIB are concerned that the CMMC introduces new risks in the supply chain due to smaller companies’ inability to meet necessary maturity levels. On the other hand, the intent of the CMMC is to simplify the number of cyber requirements necessary for smaller companies.
The DFARS clause requires companies to meet 110 requirements for each information system, but, under CMMC, smaller companies will only need to meet a focused subset of the 110 controls to be eligible for contracts. The net-net is that by narrowing the number of requirements and using 3rd party assessments, subcontractors will focus on lower maturity cyber-hygiene.
To restate, the DIB needs the smaller contractors to build a foundation that deliberately focuses on cyber-hygiene. For example, are we doing timely patching? Do we have good endpoint protection? Are we ensuring robust access management to important information systems? Do we have robust gateway protection with multifactor remote access?
Consider a small company that has outsourced software development. This might come as a surprise to some people, but software developers are not usually concerned with secure software development. It’s easy to imagine a well-resourced threat actor dwelling in such a company’s network indefinitely, inserting malicious code to achieve their objectives.
Extend this consideration to small companies who make programmable devices, often aggregating those devices from several sources. How were those devices tested for integrity? How do we ensure the devices weren’t tampered with while in transit from the subcontractor?
When you think about software code or programmable devices sourced from small companies, it’s easy to imagine how they can be compromised. The government’s minimal requirements are not yet enough to mitigate these existing threats.
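Mr. Magnotti's questions about how devices and code from small suppliers are tested for integrity and protected in transit have a concrete, if partial, answer in a supplier-published manifest that the receiving integrator can verify. The following Python is an added illustration of that idea; it is not code from ICIT, Leonardo DRS, or GovCyberHub. It assumes a supplier and integrator who have agreed a shared authentication key out-of-band (a real program would use an asymmetric signing key and a hardware-backed signer; HMAC is used so the example runs on the standard library alone), and the firmware images, file names, and key are all constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed sample "firmware images" standing in for programmable
# components aggregated from several sources (the bytes are invented).
IMAGES = {
    "controller-fw-1.2.bin": b"\x7fELF" + bytes(range(64)),
    "radio-module-fw-3.0.bin": b"RDIO" + b"\x00" * 32 + b"\xff" * 32,
}

# Assumption: a key exchanged between supplier and integrator out-of-band.
# Hypothetical value; in practice this would be an asymmetric signing key.
SUPPLIER_KEY = b"constructed-shared-key-for-example-only"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(images: dict, key: bytes) -> dict:
    """Supplier side: record a SHA-256 digest per image, then authenticate
    the whole list with an HMAC so the manifest itself cannot be edited
    without detection."""
    entries = {name: sha256_hex(blob) for name, blob in sorted(images.items())}
    body = json.dumps(entries, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"entries": entries, "mac": tag}


def verify_shipment(manifest: dict, images: dict, key: bytes) -> dict:
    """Receiver side: check the manifest MAC first, then each image's
    digest. Returns a per-image result so a failure can be tied to one
    component rather than rejecting the shipment as a whole blindly."""
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        return {"manifest": "MAC mismatch: manifest altered or wrong key"}
    results = {}
    for name, digest in manifest["entries"].items():
        if name not in images:
            results[name] = "missing from shipment"
        elif sha256_hex(images[name]) != digest:
            results[name] = "digest mismatch: image altered"
        else:
            results[name] = "ok"
    for name in images:
        if name not in manifest["entries"]:
            results[name] = "not in manifest: unexpected component"
    return results


def corrupt_image(images: dict, name: str) -> dict:
    """Constructed test case for the receiver's check: return a copy of the
    shipment in which one byte of one image has been changed, which is what
    an in-transit modification would look like to the integrator."""
    altered = dict(images)
    blob = bytearray(altered[name])
    blob[-1] ^= 0x01
    altered[name] = bytes(blob)
    return altered


if __name__ == "__main__":
    manifest = build_manifest(IMAGES, SUPPLIER_KEY)
    print(verify_shipment(manifest, IMAGES, SUPPLIER_KEY))
    print(verify_shipment(manifest, corrupt_image(IMAGES, "controller-fw-1.2.bin"), SUPPLIER_KEY))
```

The design point is that two separate checks are needed: the per-image digest catches a component altered in transit, and the MAC over the manifest catches an attacker who alters both the component and the published digest. Neither check says anything about whether the supplier's own build environment was clean, which is the earlier problem Mr. Magnotti raises with outsourced development; that needs controls on the supplier side, not at receipt.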
To read the entire conversation with Ernie Magnotti, click HERE. To download a copy of the 2019 OverWatch Mid-Year Report and learn more about the threat landscape facing the DoD and federal government, click HERE.
The role and impact of SMBs in DoD cybersecurity


Ryan Schradin
A communications expert and journalist with over a decade of experience, Ryan has edited and contributed to multiple popular online trade publications focused on the security, satellite, unified communications and network infrastructure industries. He serves as a contributing writer for the Gov Cyber Hub. In addition to his work with the Hub, he serves as the Executive Editor of the Government Satellite Report and the Insurance Technology Insider (ITI) online publications. In his spare time, he enjoys hiking across the great state of Virginia with his wife, Sarah, and their rescue pup, Brooklyn the Adventure Dog, who is 13lbs of pure furry fury.