BY LARRY CLINTON AND ANNA MISKELLY
As the Pentagon’s Cybersecurity Maturity Model Certification (CMMC) program rulemaking looms over the defense industrial base (DIB), the Pentagon released a two-page fact sheet highlighting free services offered to companies to help reach compliance. Services such as Project Spectrum and the Blue Cyber Initiative focus on small businesses, targeting concerns over the disproportionate impact of compliance on small businesses. Many of the services outlines fall under the DIB Collaborative Information Sharing Environment (DCISE), which provides a collaborative approach to cybersecurity by sharing network traffic monitoring, threat detection, asset discovery, and vulnerability scanning.
The Internet Security Alliance discusses the merits of collaboration across the DIB, the shift towards compliance models, and the need for a collective defense approach in Fixing American Cybersecurity: Creating A Strategic Public-Private Partnership. The Department of Defense’s (DoD) emphasis on collaborative strategies to assist small businesses in improving their cybersecurity posture is a positive step forward.
In the late 2000s, the collaboration strategy emerged as a response to the observation that attackers were targeting multiple companies and industries with identical tactics and infrastructure. The strategy focused on industry-government collaboration and the sharing of information to improve cybersecurity. The DIB Framework Agreement and the Defense Security Information Exchange (DSIE) were implemented to facilitate information sharing among defense contractors. While collaboration improved cybersecurity for the primes, it faced limitations in reaching smaller suppliers due to infrastructure and talent constraints. The limitations of the collaboration strategy led the DoD to shift towards compliance models. Compliance was enforced through contract clauses and audits, with the aim of compelling suppliers to implement cybersecurity controls. The release of NIST 800-171 and the subsequent DFARS Rule 252.204-7012 mandated compliance with specific controls. However, compliance alone did not guarantee security, as compromises continued to occur. The compliance approach highlighted the need for a more nuanced evaluation of cybersecurity effectiveness. Recognizing the shortcomings of a binary compliance regime, the DoD introduced the CMMC as a fifth-generation model. The CMMC establishes a tiered compliance model with a focus on process maturity. It provides guidance to SMBs on prioritizing defensive measures and aligns cybersecurity goals with economic incentives. The phased implementation of certification requirements for defense contracts aims to raise the overall cybersecurity posture of the defense industry.
As the DoD finalizes the CMMC program, it has taken steps to assist DIB members in improving their cybersecurity posture. The department offers free cybersecurity-as-a-service offerings to DIB organizations. These services include network traffic monitoring, threat detection and blocking, cybersecurity program evaluation, vulnerability scanning, and more. The DCISE and the National Security Agency Cybersecurity Collaboration Center play a crucial role in providing these services. Additionally, initiatives like Project Spectrum and the Blue Cyber Initiative cater specifically to small businesses, offering resources, tools, and training to enhance cybersecurity readiness.
While collective services provide resources to SMBs in achieving compliance, a shift towards collective defense solutions could better incentivize security for small contractors. The goal is to make the security of a small supplier’s network largely irrelevant by collectively defending suppliers outside their networks. This strategy should be cost-effective, easy to implement, and accessible to a larger base of smaller defense contractors. It emphasizes the need for a collaborative partnership between industry and government, with an emphasis on affordability and effectiveness.
The evolution of cybersecurity strategies, from collaboration to compliance and the call for collective defense, reflects the ongoing efforts to adapt to the dynamic threat landscape. While collaboration and compliance models have had their limitations, the introduction of the CMMC and the provision of collaborative cybersecurity services by the DoD demonstrate a commitment to enhancing cybersecurity across the defense industry. The collective defense approach offers a promising path forward, with a focus on affordability and effectiveness. As the cybersecurity landscape continues to evolve, it is crucial to embrace innovative approaches and foster collaboration to safeguard critical assets.
NB For additional detail on this issue, see Fixing American Cybersecurity: Creating a Strategic Public-Private Partnership Chapter 8 “Defense: Leveraging the Dual Economies of the Defense Industrial Base” by Jeffry C. Brown, J.R. Williamson, Michael Gordon, Michael Higgins, and Josh Higgins (Georgetown University Press 2023).