It was encouraging to see the Cybersecurity Maturity Model Certification (CMMC) and its goals on a larger stage in May, when the recently appointed (02/2021) Deputy Assistant Secretary of Defense for Industrial Policy (DASD-IP), Mr. Jesse Salazar, presented an eight-page statement and report to the Senate Armed Services Committee. Specifically, the Subcommittee on Cybersecurity received Salazar's statement and responded with questions ranging from the efficacy of recent acquisition rules to the DoD's ability to track cryptocurrency transactions from ransoms paid to adversaries.
To help Mr. Salazar field the wide array of questions, Rear Admiral Bill Chase, Deputy Principal Cyber Advisor to the Secretary of Defense, provided the vast majority of the answers. Notably, Ms. Katie Arrington was not present during the hearing, though nothing should be inferred from that.
Subcommittee on Cybersecurity Members
| Majority | Minority |
| --- | --- |
| Senator Manchin, Chairman (WV) | Senator Rounds, Ranking Member (SD) |
| Senator Gillibrand (NY) | Senator Wicker (MS) |
| Senator Blumenthal (CT) | Senator Ernst (IA) |
| Senator Rosen (NV) | Senator Blackburn (TN) |
The original recording of the hearing can be found here.
Review of the Opening Statement by Jesse Salazar on "Defense Industrial Base Cybersecurity"
Mr. Salazar's Opening Statement starts at 11:37 and can be read here.
Salazar first describes the threat landscape, citing recent notable attacks, the increased reach and multiplicity of attacks (a single vulnerability or compromised software package affects every organization that runs it, and every tier above that organization in the supply chain), and the depth and breadth of the total addressable Defense Industrial Base. The following are some of his noteworthy statistics:
- "Average American aerospace company today has about 200 tier 1 suppliers"
- "The second and third tiers of the supply chain may be comprised of more than 12,000 companies"
- "74% of the DIB are small businesses [and comprise] … the third and fourth tiers of the supply chain"
He closes his opening remarks by describing the constraints small businesses face with limited staffing and resources, though none of his anecdotes were new or revelatory.
The rest of his Statement details three objectives of CMMC:
- To incorporate a unified set of cybersecurity requirements into the acquisition processes and contracting language.
- To provide the Department assurance, via external assessment, that all contractors and subcontractors participating in a given award meet mandatory cybersecurity requirements.
- To develop supporting resources, information, and training to help contractors improve cyber readiness and comply with the Department’s requirements.
Salazar follows these objectives by distinguishing CMMC from earlier regulations. His primary argument centers on third-party assessment versus self-attestation, which he reports "has already led to DIB companies taking action". He adds a second distinction: CMMC has undergone a significant review exercise. The DFARS Interim Rule (DFARS clauses 252.204-7019, -7020 and -7021) received over 850 substantive comments, and OUSD has conducted more than 1,000 conversations with members of Congress and industry (likely an undercount of the actual figure).
The primary threads from these comments were:
- The costs for small businesses could be detrimental. As Jacob Horne describes in his widely viewed "Fascinating History of CMMC" presentation at CS2, this cost argument has cropped up in public discourse time and again across multiple frameworks.
- "Clarifying... requirements". This section is one of the most interesting because of two specific statements. In the first, Salazar states the DoD needs to "deconflict" requirements, which hints at the idea that the 20 additional practices CMMC Level 3 layers on top of the 110 NIST SP 800-171 requirements should be removed. During the initial CMMC drafts, those additional requirements drew equal measures of scrutiny and praise.
The second noteworthy statement concerned the DoD's need for an "assessment approach for contractors that use cloud service provider offerings". Bob Metzger, a highly respected attorney on cybersecurity regulation, spoke recently about the lack of cloud-related guidance and relevance in previous NIST and CMMC publications. His arguments must have resonated in the comments.
- CMMC must continue to garner trust and support from Government and industry alike. Salazar mostly comments on the need for clearly defined operational lines and adequate transparency. He also alludes to the delays and the common concern that there are too few qualified assessors to carry out the mission, and assures the subcommittee that CMMC stakeholders are working to remedy any shortcomings.
Questions Asked and Takeaways
Senator Manchin - "Of particular interest to me is how DOD is going to hold prime contractors [accountable] for the cybersecurity performance of their subcontractors in the conduct of the programs for the DOD. I have been making this point for a couple of years now and I hope the Department has taken this to heart." The word accountable was uttered six times throughout the hearing.
Senator Manchin - "The relationship between DOD and its private industry contractors should be the gold standard for cybersecurity across the federal government." A theme of cooperation and broader adoption across all federal agencies ran throughout the hearing.
Senator Rounds - "Two years ago on April 10, 2019, the subcommittee held a classified hearing on DIB cybersecurity policy. Unfortunately, we still face many of the same problems today that we faced back then."
Q: Senator Manchin - "What does the Department currently do to hold prime contractors accountable for the cybersecurity of their subcontractors?"
A: Salazar - We hold them accountable through our contracts, and we have a number of ways to ensure that they are meeting those responsibilities, such as performance reviews and contract actions.
Q: Senator Manchin - "But if you find out they haven't done it, what is the penalty? If you find out they haven't done it, do they lose --"
A: Salazar - "We have a number of possible answers. Usually, the PMO office will identify the opportunity to improve. We will also hold them accountable through the contracts and we can use a number of acquisition levers to --"
Q: Senator Manchin - "Do you know if that has ever been enforced or implemented?"
A: Salazar - "I would have to take that for the record and see what recent actions there are." This first series of questions was among the most telling, and partly illustrates why CMMC is critical for the future of national security. Through no fault of Mr. Salazar's, the answer to most of Senator Manchin's questions about how, what, when and where the DoD holds its industrial base accountable amounted to vaguely described contract actions that are rarely, if ever, used.
Q: Senator Rounds - If there is an incursion, are [DoD contractors] required to report it if it is on a project that isn't DOD-oriented?
A: Chase - There are mandatory reporting criteria that the DIB contractors have to report to the defense cybercrime entity. In things like SolarWinds, the Department ... had 37 [unique] companies that reported and 44 total reports.
Senator Rounds followed this question with a series of connected inquiries: does the DoD assist the company in responding to the attack, inform other agencies such as DHS so they can take unified action, or take any steps to prevent a similar attack? The response focused primarily on the Defense Cyber Crime Center's reporting activities, the Government's adoption of Zero Trust, and the need for the DIB to raise its level of cybersecurity; however, Admiral Chase admitted that these points did not suffice and that the Government needs to "remove barriers to information sharing".
Q: Senator Gillibrand - "Given the recent Colonial Pipeline hack, I am especially concerned about ransomware attacks that can paralyze some of our important industrial partners. Are you confident in DOD's ability to respond and be helpful if an important DIB entity, industrial partner or business was hit with a ransomware attack and required DOD assistance?"
A: Chase - "Well, I think first pass at that would go to the law enforcement agencies. If asked, the Department is prepared to assist there, but only in rare cases would that likely happen in national emergencies, but it would go through the same defense support system requested that any other request of the Department would go to." This answer can be translated as "other agencies handle response and assistance, not the DoD".
Q: Senator Ernst - "I am concerned about the burden of cost the Government's required security measures levy on our smaller companies ... how do we strike the right balance between our private and public responsibility for cyber protection, especially as it applies to those smaller businesses?"
A: Salazar - "Many of the things these companies can do to ensure that they have good cyber hygiene, good cyber resilience are low-cost... [but] we are thinking about, one, how can we reduce the costs for reaching a level of cyber maturity to meet our requirements and, two, what tools and resources can we make available... We have actually stood up a website called ProjectSpectrum.IO, which actually had been very helpful. We have had more than 500,000 views, 10,000 trainings disseminated on cyber hygiene. Small businesses can go and see where they currently stand today."
Q: Senator Blumenthal - "Have there been any cyberattacks on the Defense Industrial Base since we were here during the last hearing?"
A: Chase - "I am absolutely certain of it, I am just not sure which ones and where they are, Senator."
Q: Senator Blumenthal - "Have there been any successful ones?"
A: Chase - "I think that probably sadly falls into the same category."
Q: Senator Blumenthal - "Let me ask you about the SolarWinds and the Microsoft Exchange attacks ... you reported that neither was successful in penetrating our Department of Defense, correct?"
A: Chase - "Yes."
Q: Senator Blumenthal - [Since 37 DIB suppliers were compromised] "Would the security controls required under the CMMC have stopped those intrusions?"
A: Chase - "They would not guarantee it, but they would have enabled them to see, possibly... If say, a level 5 CMMC would have probably had sufficient tools to give them a shot at seeing this similar lateral movement... it would certainly enable, but it would not guarantee it."
Q: Senator Rounds - "Would you accept that the finals on the CMMC rules would be in place by the end of this year?"
A: Salazar - "As I mentioned, it typically takes about a year to adjudicate comments for this kind of DFARS rule." The comment period ended on November 30, 2020, so Mr. Salazar is suggesting the final rule might not be released until November 2021.
Other questions were asked, but they were only tangentially relevant to the discussion of CMMC and DIB security. For example: "How do we ensure that the pace of Zero Trust implementation matches the pace of the growth with microelectronics?" A good question, but not on the topic at hand.