Page 31 - FCW, September/October 2019

apply to components of nonfederal systems that store, process or transmit controlled unclassified information or when designated in a critical program or high-value asset. Crucially, although NIST’s baseline cybersecurity requirements are mandatory for all defense contractors, agencies must be sure to specifically include the requirements for high-value assets in any contracting or procurement documents.
Just what constitutes a critical program or high-value asset is another complicating factor. The clearest definition comes from the Department of Homeland Security, which adopted the phrase in a binding operational directive and has cycled through two iterations of a definition thus far, while leaving it largely up to agencies to identify specific assets that fit the bill.
“We’re still refining \[the definition\]; I don’t know that that will ever be perfect,” said Alan McClelland, an information security specialist at the Cybersecurity and Infrastructure Security Agency at DHS. “Really, it’s open to interpretation. The agencies determine themselves based on these definitions what their high-value assets are.”
Although DHS has offered technical expertise, military assets are not covered under the department’s binding operational directive or its definition. However, McClelland told FCW that officials at DHS and DOD are discussing ways to cooperate and further align their efforts.
A broader cultural change
The new NIST guidance is designed to scope out the technical requirements necessary to protect contractor systems, while DOD’s CMMC program is a way to ensure that contractors are in fact complying. Rather than allow contractors to self-certify, third-party auditors will review companies’ systems to ensure they’re implementing the appropriate protections.
DOD’s desire for stricter contractor cybersecurity received a boost earlier this year when the government convinced a judge to allow a lawsuit against Aerojet Rocketdyne Holdings to proceed. The lawsuit alleges that the company violated the False Claims Act by misrepresenting its compliance with baseline cybersecurity requirements listed in the Defense Federal Acquisition Regulation Supplement.
As with NIST’s new guidance, however, defense contractors and experts have expressed concern and confusion about how CMMC will work, how it will apply to their systems and whether the military can resolve the issues before a contractor’s certification level begins affecting the kind of procurements it can pursue. The differing levels of maturity one can achieve (measured on a scale from 1 to 5) add to the confusion about what a particular contractor may need to implement to continue doing business with the military.
Furthermore, contractors may genuinely believe they’re compliant when they’re not — a problem that again goes back to the uncertainty and doubt that arises when general principles about security are applied to specific systems and programs.
Earlier this year, DOD assigned Arrington to lead CMMC and institute a broader cultural change in the defense contracting community. A former contractor, Arrington said she saw companies falsely self-certify or embellish their compliance with cybersecurity regulations in pursuit of business.
Those days must come to an end, she added, and she called for the community to move away from its tendency to fixate on cost, schedule and performance while ignoring security.
“It doesn’t matter how much I pay for something if it’s already been exfiltrated,” Arrington said. “If I’m worried about getting it on time but by the time I get it delivered to me it’s worthless, why am I worrying about the schedule? Yeah, I wanted it to perform at this capacity, but if my adversaries already have it, they’re outperforming me before I get there. We have to change the culture.”
“Unless agencies are mandated to state applicability in funding announcements, this proposed change could be incredibly burdensome.”
— Roger Wakimoto, University of California, Los Angeles