CMMC 2.0 Archives | DefenseScoop https://defensescoop.com/tag/cmmc-2-0/ Wed, 23 Jul 2025 16:31:45 +0000

Hegseth calls on DOD CIO to protect tech supply chain from influence of China https://defensescoop.com/2025/07/23/hegseth-dod-cio-cloud-tech-supply-chain-order-microsoft-china/ Wed, 23 Jul 2025 16:19:29 +0000 The order comes after an eye-opening investigation revealed Microsoft had been relying on China-based engineers to support DOD cloud computing systems.

The post Hegseth calls on DOD CIO to protect tech supply chain from influence of China appeared first on DefenseScoop.
Secretary of Defense Pete Hegseth issued a directive late last week ordering the Pentagon’s chief information officer to take additional measures to ensure the department’s technology is protected from the influence of top adversaries.

The secretary’s order, signed Friday but first made public Tuesday, came after an eye-opening investigation by ProPublica revealed Microsoft had been relying on China-based engineers to support DOD cloud computing systems.

Short on specific details, Hegseth’s order enlists the CIO — with the support of the department’s heads of acquisition and sustainment, intelligence and security, and research and engineering — to “take immediate actions to ensure to the maximum extent possible that all information technology capabilities, including cloud services, developed and procured for DoD are reviewed and validated as secure against supply chain attacks by adversaries such as China and Russia.”

Hegseth first referenced his order in a video posted to X on Friday, in which he said, “some tech companies have been using cheap Chinese labor to assist with DoD cloud services,” calling for a “two-week review” to make sure that isn’t happening anywhere else in the department’s tech supply chains.

The secretary, in both his video and the new memo, stopped short of calling out Microsoft specifically. However, a spokesperson for the company has since stated publicly that it has made changes to “assure that no China-based engineering teams are providing technical assistance for DoD Government cloud and related services.”

“This is obviously unacceptable, especially in today’s digital threat environment,” Hegseth said in the Friday video, claiming that the system at the center of the incident is “a legacy system created over a decade ago during the Obama administration.”

He added: “We have to ensure the digital systems that we use here at the Defense Department are ironclad and impenetrable, and that’s why today I’m announcing that China will no longer have any involvement whatsoever in our cloud services.”

The memo itself calls on the department to “fortify existing programs and processes utilized within the Defense Industrial Base (DIB) to ensure that adversarial foreign influence is appropriately eliminated or mitigated and determine what, if any, additional actions may be required to address these risks.” Specifically, it cites the Cybersecurity Maturity Model Certification (CMMC) — the final rule for which, as of Wednesday, is undergoing regulatory review with the Office of Management and Budget — acting CIO Katie Arrington’s new Software Fast Track program, and the FedRAMP process as existing efforts the Pentagon CIO should rely on to ensure the department’s tech is secure.

Within 15 days of the order’s signing, DOD’s Office of the CIO must issue additional implementing guidance on the matter, led by department CISO Dave McKeown.

On top of that, it taps the undersecretary of defense for intelligence and security to “review and validate personnel security practices and insider threat programs of the DIB and cloud service providers to the maximum extent possible.”

Trump’s Pentagon acquisition chief nominee vows to review controversial CMMC program https://defensescoop.com/2025/03/27/cmmc-review-trump-michael-duffey-dod-acquisition/ Thu, 27 Mar 2025 18:31:42 +0000 Michael Duffey, nominated by President Trump to be undersecretary of defense for acquisition and sustainment, testified at his confirmation hearing Thursday.

Michael Duffey, President Donald Trump’s nominee to be the next undersecretary of defense for acquisition and sustainment, told lawmakers that he will review the Pentagon’s controversial Cybersecurity Maturity Model Certification 2.0 (CMMC 2.0) initiative if he’s confirmed.

The final rule for the revamped CMMC 2.0 program went into effect in December, which means that defense contractors working with controlled unclassified information (CUI) or federal contract information (FCI) must meet one of three levels of CMMC compliance, depending on the sensitivity of the information they handle, to be eligible to win DOD contracts. After years of high-profile scoping and rulemaking efforts, the Pentagon plans to implement the new requirements by the middle of this year.

Contractors and defense industry observers have previously expressed concerns about the burdens that CMMC regulations would impose, particularly for smaller firms that have fewer resources to ensure compliance.

An industry report by Redspin published earlier this year found that over half of respondents did not feel prepared for CMMC’s requirements.

Another report published this week by Kiteworks and co-sponsored by Coalfire found shortfalls in gap analysis and advanced controls. Budgetary and resource constraints, technical complexity of implementing controls, scope complexity and definition challenges, and understanding requirements and documentation were cited as some of the biggest challenges related to CMMC.

“It is my understanding that the cyber capabilities of the companies in the DIB vary greatly. If confirmed, I look forward to reviewing the current state of DoD cybersecurity requirements for our industry partners and working to ensure we balance a need for security with the burdens of excessive regulation,” Duffey wrote in his responses to advance policy questions from lawmakers ahead of his confirmation hearing Thursday with the Senate Armed Services Committee.

He noted that cyberattacks on defense industrial base information systems threaten the Pentagon’s mission execution and warfighting capabilities, and put at risk U.S. technological superiority, intellectual property and national security information.

“Bolstering cybersecurity across the DIB without placing undue burdens on small and medium-sized businesses is critical. These businesses are often more vulnerable to cyberattacks due to resource constraints, yet they play a vital role in our nation’s defense,” Duffey wrote. “I recognize the critical importance of ensuring that contractual requirements for protecting DoD information are met by defense contractors. If confirmed, I will review the current requirements of the CMMC program and evaluate options to improve the requirements and implementation so that industry can affordably maintain pace with current cybersecurity best practices.”

Additionally, he told lawmakers that he would review current and potential mechanisms to assess CMMC compliance — including third-party assessment organizations — and accreditation procedures “to ensure our requirements keep pace with the threat and manage the burden on the industrial base.”

Duffey also noted that access to secure compartmented information facilities (SCIFs) can be costly for smaller companies. If confirmed, he said he will “actively explore” the feasibility of multi-use SCIFs and other shared resource models to reduce that burden for small firms and facilitate their access to classified information.

The CMMC program previously fell under the responsibility of the undersecretary of defense for acquisition and sustainment, but was transferred to the DOD Office of the Chief Information Officer in 2022. Katie Arrington, who was viewed as a key architect of the original iteration of CMMC within A&S during the first Trump administration, recently returned to the Pentagon and was quickly appointed as the acting CIO.

Duffey also has prior government experience, including at the Pentagon. He served as associate director of national security programs in the Office of Management and Budget during the first Trump administration. He’s also served as deputy chief of staff to the secretary of defense and chief of staff to the undersecretary of defense for research and engineering, among other roles.

Report finds large gap in CMMC readiness among defense industrial base https://defensescoop.com/2025/01/28/redspin-report-cmmc-readiness-gap-2025-defense-industrial-base/ Tue, 28 Jan 2025 13:00:00 +0000 A survey conducted by Redspin found that over half of respondents did not feel prepared for CMMC's requirements, which will go into effect by mid-2025.

Despite having years to get ready, a majority of defense contractors still feel unprepared to implement the protocols required by the Pentagon’s Cybersecurity Maturity Model Certification 2.0 (CMMC 2.0) initiative, according to a new report.

The final rule for the revamped CMMC 2.0 program went into effect in December, meaning defense contractors working with controlled unclassified information (CUI) or federal contract information (FCI) must meet one of three levels of CMMC compliance depending on the sensitivity of the information they handle. After nearly five years of high-profile and oftentimes controversial scoping and rulemaking efforts, the Pentagon plans to implement the new cybersecurity requirements for contractors by mid-2025.

However, a report published Tuesday by Redspin — an authorized CMMC third-party assessment organization (C3PAO) — found there is a significant gap in readiness for CMMC 2.0 requirements across the defense industrial base. The assessment is based on a survey conducted in September 2024 that received 107 responses from a range of military contractors.

“The largest share (42%) of respondents feel Moderately Prepared, and 16% still have a long way to go by being Slightly Prepared or Not at All Prepared. This means that 58% of respondents are not ready for a rule that is now final and effective,” according to the report, titled “Aware but Not Prepared: The State of Defense Industrial Base CMMC Readiness.”

Furthermore, 13 percent of participants indicated they haven’t taken any preparatory action to meet CMMC compliance. The report highlighted that as a “critical concern” given companies have been mandated to maintain a Supplier Performance Risk System self-assessment score since 2020, “meaning those companies are significantly behind and at risk of non-compliance and not properly safeguarding their CUI.”

While the statistic is alarming, Redspin Vice President and Chief Information Security Officer Thomas Graham told DefenseScoop that the lack of action isn’t surprising considering the CMMC program’s contentious history, and that companies should not feel like they’re alone if they are unprepared.

“Since CMMC started, you’ve had a lot of misnomers, you’ve had a lot of rumors, you’ve even had a lot of naysayers. And they are even now saying this is never going to happen,” Graham said Monday during an interview. “The reality is, it is a formal program. It’s not your implementation — your implementation has been in place for a number of years now. All CMMC is doing is just verifying that implementation.”

Graham also noted that so many contractors could be feeling unprepared because they’ve just been waiting to see if the program would actually happen.

CMMC was first conceived in 2019 as a way to protect contractor information from being exploited by adversaries by putting these types of cybersecurity requirements for the defense industrial base into federal regulations, with Pentagon leadership arguing that companies should already have those protocols in place simply because they’re working with the department. 

However, the program received pushback from others who argued CMMC would be too difficult to follow. The Defense Department later pared down the program’s scope and contractor expectations in 2021, unveiling a three-tiered framework now known as CMMC 2.0.

The new model allows contractors working with less sensitive information to conduct self-assessments of their cybersecurity compliance. More sensitive information will require companies to validate their posture from either third-party assessors or the Defense Industrial Base Cybersecurity Assessment Center.

A key criticism of CMMC has been that the requirements would penalize small businesses that can’t afford to comply with them, but Redspin’s survey found that concern isn’t exclusive to smaller companies and subcontractors. According to the report, 52 percent of respondents who indicated cost as a top preparation challenge were prime contractors and dual-role companies. 

Graham said the concern was likely caused by inaccurate information released about CMMC over the years, as well as misunderstandings about what the program is trying to accomplish.

“Larger organizations that I’ve talked with, a lot of times there’s a separation between the decision makers and the folks that are actually implementing this stuff,” he said. “And when you break it down to them, then the light bulbs start coming on and they’re like, ‘Oh my god, I never realized we were supposed to be doing this stuff for years.’ Then it becomes a different conversation.”

Despite the readiness gap, Redspin’s survey did show that three-fourths of respondents have already or are in the process of establishing a required system security plan (SSP), which outlines the cyber defenses needed to protect sensitive information.

Over half of the respondents also indicated that they were working with an external service provider (ESP) to reach CMMC certification, underscoring the importance third-party organizations have and will continue to play in maintaining compliance, according to the report. 

That means moving forward, ESPs must also ensure their own cybersecurity protocols meet requirements, Graham emphasized.

“ESPs have got to understand they’re going to be part of this, that they are being given access to information that is not theirs — much like the contractors are being given access to information that is not theirs, either,” he said. “With working with these organizations, there’s going to be certain requirements that they are going to have to provide to the [organizations seeking assessment] so now they can get through their own assessment.”

DOD taps McKeown to serve as new special assistant for cybersecurity innovation https://defensescoop.com/2024/12/20/david-mckeown-special-assistant-cybersecurity-innovation/ Fri, 20 Dec 2024 19:29:15 +0000 As part of the new role, McKeown will stand up and helm the DOD CIO's new Cybersecurity Center of Excellence.

David McKeown has been chosen as the Defense Department Office of the Chief Information Officer’s inaugural special assistant for cybersecurity innovation, according to a Friday announcement.

As part of the new role, McKeown will stand up and lead the CIO’s Cybersecurity Center of Excellence, which will focus on tackling long-range and complex innovation challenges for cybersecurity modernization. He will be responsible for a range of programs and operations that will ensure the Pentagon is prepared to meet emerging cybersecurity threats, the DOD CIO noted in a statement posted on LinkedIn.

“Establishing this new office divorces the day-to-day activities such as zero trust implementation, defense industrial base cybersecurity programs and policy development from the requirement to look over the horizon and take on the following cybersecurity threat,” the statement said. “With the Special Advisor for Cybersecurity Innovation, we are building an office to create transformational breakthroughs and drive strategic invention in cybersecurity.”

McKeown most recently served as both the deputy CIO for cybersecurity and chief information security officer since 2020 — a dual-hatted position where he led the department’s wide-ranging cybersecurity modernization efforts and associated policies. His tenure has seen the introduction of cutting-edge technologies and robust protocols to fortify the Pentagon’s cyber defenses.

He has been at the forefront of implementing the DOD’s zero trust strategy while overseeing adoption of the new cybersecurity standards at organizations across the Pentagon. McKeown has also worked to strengthen cybersecurity within the defense industrial base and helped the department revamp the Cybersecurity Maturity Model Certification (CMMC) standards. 

McKeown has over three decades of experience working in the Defense Department, including 27 years serving in the Air Force and eight years as a government civilian employee. His prior roles include working as an Air Force cyberspace operations officer; the director of enterprise information and mission assurance for the Army’s Information Technology Agency; and the cybersecurity center chief and enterprise services center chief for the Defense Information Systems Agency’s Joint Service Provider.

Before joining the DOD CIO, McKeown led the Department of Justice’s Service Delivery Staff, and before that he ran enterprise services and cybersecurity for the DOD’s Joint Service Provider.

Gurpreet Bhatia will assume the duties of acting deputy CIO for cybersecurity and CISO. He previously served as the DOD’s principal director for cybersecurity and deputy chief information security officer.

DOD releases final rule for CMMC, setting the stage for implementation next year https://defensescoop.com/2024/10/11/dod-cmmc-final-rule-cybersecurity-standards-contractors/ Fri, 11 Oct 2024 12:45:00 +0000 The publication of the final rule moves to establish the CMMC 2.0 program in federal law.

The Pentagon has posted the final rule for the Cybersecurity Maturity Model Certification 2.0 (CMMC 2.0), cementing the department’s plans to implement new cybersecurity standards for contractors by mid-2025.

The rule was released for public inspection in the Federal Register on Friday, and the Defense Department anticipates officially publishing the new guidelines Oct. 15, according to a Pentagon press release.

The CMMC program is based on a tiered cybersecurity framework that requires defense contractors working with controlled unclassified information (CUI) or federal contract information (FCI) to meet one of three levels of CMMC compliance, depending on the sensitivity of the information. The effort was conceptualized as a way to protect DOD data on contractor systems from being exploited by U.S. adversaries by ensuring those firms comply with widely accepted National Institute of Standards and Technology security controls.

The publication of the final rule comes after several years of work to revamp the original CMMC assessment framework initially developed during the Trump administration. Under CMMC 2.0, the Pentagon has reduced the number of assessment levels from five to three to streamline the compliance process for small and medium-sized contractors.

The Defense Department published its proposed rule for CMMC 2.0 in December 2023 to kickstart the federal rulemaking process. Another proposal to amend the Defense Federal Acquisition Regulation Supplement (DFARS) and implement cybersecurity compliance requirements in Pentagon contracts was later released in August of this year.

Moving forward, the Pentagon intends to publish the follow-on DFARS rule change by mid-2025, according to the department. 

“Once that rule is effective, DoD will include CMMC requirements in solicitations and contracts. Contractors who process, store, or transmit FCI or CUI must achieve the appropriate level of CMMC as a condition of contract award,” the Pentagon press release stated.

The new model will allow contractors working with less sensitive information to conduct self-assessments of their cybersecurity compliance. More sensitive information will require companies to complete either a third-party assessment or one conducted by the Defense Industrial Base Cybersecurity Assessment Center to verify implementation of the standards.

The CMMC program has received criticism in the past, as some defense contractor advocates have argued that it will be expensive, difficult and confusing for companies to comply with — especially small businesses and non-traditional contractors. In response, the Pentagon has worked to provide industry with resources to assist in their efforts to meet the cybersecurity standards.

In addition, the revised CMMC program will introduce “Plans of Action and Milestones” (POA&Ms), which allow contractors that do not meet every cybersecurity standard to receive a conditional certification for 180 days as they work to achieve compliance, according to the Pentagon.

“The Department understands the significant time and resources required for industry to comply with DoD’s cybersecurity requirements for safeguarding CUI and is intent upon implementing CMMC requirements to assess the degree to which they have done so,” the press release stated. “Businesses in the defense industrial base should take action to gauge their compliance with existing security requirements and preparedness to comply with CMMC assessments.”

DOD launching fully operational vulnerability disclosure program for defense industrial base https://defensescoop.com/2024/04/19/dod-vulnerability-disclosure-program-dib-vdp/ Fri, 19 Apr 2024 19:56:14 +0000 The Defense Department’s Cyber Crime Center announced that it is setting up an official Defense Industrial Base-Vulnerability Disclosure Program (DIB-VDP).

As the Pentagon looks to assist the defense industrial base in enhancing its cybersecurity posture, the department has created a new official program that allows for independent white-hat hackers to find and analyze vulnerabilities in companies and their systems.

The Defense Department’s Cyber Crime Center (DC3) announced Friday that it is partnering with the Defense Counterintelligence and Security Agency to set up a fully operational Defense Industrial Base-Vulnerability Disclosure Program, also known as DIB-VDP. Participation is free and voluntary for companies.

The initiative looks to “bring vulnerability disclosure capabilities to the DIB, and the strategic alignment will further enhance DC3 and DCSA support to the DIB in the vulnerability, analytical, cybersecurity, and cyber forensics domains,” a press release stated.

The fully operational program comes after the two organizations worked with cybersecurity company HackerOne on a yearlong pilot, which concluded in 2022.

During the pilot, contractors were asked to accept vulnerability disclosures so that independent hackers could seek out, document and report security vulnerabilities to the companies and the Pentagon.

Now with an official program, firms can voluntarily submit assets and platforms for “ethical research analysis and vulnerability threat assessment,” according to the release.

In recent years, the Pentagon has sought to protect the defense industrial base from adversaries looking for critical system information via cyber attacks and intrusions. Following the updated proposed rule for Cybersecurity Maturity Model Certification 2.0 in December, the department released a Defense Industrial Base Cybersecurity Strategy in March that outlined how it will work with companies of all sizes in enhancing their digital resiliency.

The new DIB-VDP aims to be part of that effort by building on lessons learned from the pilot and the department’s own vulnerability disclosure program, and passing those insights on to military contractors.

“Implementation of a DIB-VDP is the most effective means of sharing DIB-sourced vulnerabilities with DIB companies. It promotes timely mitigation of identified vulnerabilities on DIB company internet-facing information systems,” a release stated. “This enables vulnerability remediation in DIB companies at a much earlier point than in traditional vulnerability management efforts.”

New DOD strategy aims to improve contractors’ cybersecurity, resiliency https://defensescoop.com/2024/03/28/defense-industrial-base-cybersecurity-strategy/ Thu, 28 Mar 2024 20:26:16 +0000 The Defense Industrial Base Cybersecurity Strategy outlines four goals as well as corresponding objectives that cover activities from fiscal 2024 to 2027.

To protect military contractors from adversary cyber attacks and intrusions, the Defense Department must commit to educating, measuring and driving improvements in the digital security and resiliency of the industrial base, according to new strategic guidance from the Pentagon.

The Defense Industrial Base Cybersecurity Strategy, released Thursday, is intended to steer the department and industry’s response to threats. Signed by Deputy Secretary Kathleen Hicks, it aims to strengthen companies doing business with the Pentagon — including small businesses and subcontractors — against adversaries seeking access to sensitive data, proprietary information and intellectual property of weapon systems and production nodes.

As part of that effort, the Pentagon will work with the defense industrial base (DIB) to enhance its network posture while also providing more cohesive strategic guidance for companies, according to David McKeown, deputy chief information officer for cybersecurity.

“Over the last several years the DIB has made great strides in improving cyber resiliency, security, compliance and understanding the threat landscape,” McKeown told reporters Thursday ahead of the document’s release. “Together through the DIB cybersecurity strategy, we will further advance our goals and improve DIB cybersecurity.”

The document outlines four main goals as well as corresponding objectives that cover activities from fiscal 2024 to 2027. It notes that while many of the efforts listed have either already begun or are part of the Pentagon’s broader approach to industrial base cybersecurity, the strategy will “sharpen the focus, collaboration and integration” of those objectives.

A key aim for the Pentagon will be working with the DIB to enhance companies’ protection against advanced threats. To do so, the department will continue to routinely evaluate contractor compliance with its cybersecurity requirements — largely through the Cybersecurity Maturity Model Certification (CMMC) program.

However, “[the] increasing number of threats resulting from the evolution and expansion of the digital ecosystem drives the need for enhanced requirements for a subset of critical programs or high value assets,” the strategy states. Therefore, the department will engage in future rulemaking that will expand on current requirements for the industrial base and introduce supplemental guidelines for those handling controlled unclassified information, it noted.

Compliance efforts like CMMC have come under scrutiny in the past, especially among small businesses and non-traditional defense contractors that believe the regulations will be expensive and arduous to keep up with.

McKeown emphasized that the new strategy takes contractors of all sizes into consideration, and that the department is committed to helping small firms strengthen their cybersecurity posture through a number of free resources.

In addition, McKeown’s office has been working with the Office of Small Business on a pilot to develop a secure, cloud-based environment for smaller companies to use and conduct work in, he said. Officials want to have around 50 to 75 companies involved in the program and begin work this year.

The goal will be to “prove out whether or not we can leverage the cloud to ensure that the data is secure in this cloud environment for the small businesses,” McKeown said. “And then we’ll have to look at how we scale that up and offer that to more and more small businesses over time, or how we get a price point which they can afford and just start leveraging themselves.”

The department also wants to create a new framework for sharing threat information with the industrial base; conduct analysis on potential cyber vulnerabilities in contractors’ IT ecosystems; improve how firms recover from malicious cyber activities to minimize loss of information; and measure the overall effectiveness of the DOD’s cybersecurity requirements. 

Other goals detailed in the strategy include strengthening the Pentagon’s internal governance structure for DIB cybersecurity, preserving the cyber resiliency of the defense supply chain, and boosting overall collaboration among government agencies and contractors on cybersecurity matters.

Stacy Bostjanick, chief of defense industrial base cybersecurity in the CIO’s office, emphasized that the Pentagon is dedicated to working with contractors, as well as an array of stakeholders across government, to execute the strategy.

“Our mission is to protect sensitive information, operational capabilities and product integrity by ensuring the generation, liability and preservation of U.S. warfighting capabilities,” Bostjanick told reporters. “Our vision is simple: a secure, resilient, technologically superior DIB.”

Pentagon reveals updated cost estimates for CMMC implementation (DefenseScoop, Thu, 28 Dec 2023; https://defensescoop.com/2023/12/28/cmmc-implementation-cost-estimates/)

The projections were included in a proposed rule for Cybersecurity Maturity Model Certification that was published in the Federal Register.

The Department of Defense provided new projections for how much money contractors and other organizations will have to spend to implement the Pentagon’s Cybersecurity Maturity Model Certification program.

The updated estimates were included in a proposed rule for CMMC 2.0 that was published Tuesday in the Federal Register.

The program would mandate that defense contractors and subcontractors who handle federal contract information and controlled unclassified information (CUI) implement cybersecurity standards at various levels — depending on the type and sensitivity of the information — and assess their compliance.

“The CMMC initiative will require the Department of Defense to identify CMMC Level 1, 2, or 3 as a solicitation requirement for any effort that will cause a contractor or subcontractor to process, store, or transmit FCI or CUI on its unclassified information system(s). Once CMMC is implemented in 48 CFR, DoD will specify the required CMMC Level in the solicitation and the resulting contract,” the proposed rule explains.

More than 200,000 companies in the defense industrial base could be affected by the rule.

The Pentagon is planning for a phased implementation. It intends to include CMMC requirements in all solicitations issued on or after Oct. 1, 2026, when applicable, although waivers could be issued in certain cases before solicitations are issued.

Depending on the required security level, contractors and subcontractors will have to do self-assessments or be evaluated by a third-party organization — known as a C3PAO — or government assessors.

Costs would be incurred for related activities such as planning and preparing for the assessment, conducting the assessment and reporting the results.

“In estimating the Public costs, DoD considered applicable nonrecurring engineering costs, recurring engineering costs, assessment costs, and affirmation costs for each CMMC Level,” per the proposed rule.

“For CMMC Levels 1 and 2, the cost estimates are based only upon the assessment, certification, and affirmation activities that a defense contractor, subcontractor, or ecosystem member must take to allow DoD to verify implementation of the relevant underlying security requirements,” it notes. “DoD did not consider the cost of implementing the security requirements themselves because implementation is already required by FAR clause 52.204–21, effective June 15, 2016, and by DFARS clause 252.204–7012, requiring implementation by Dec. 31, 2017, respectively; therefore, the costs of implementing the security requirements for CMMC Levels 1 and 2 should already have been incurred and are not attributed to this rule.”

An annual Level 1 self-assessment and affirmation would assert that a company has implemented all the basic safeguarding requirements to protect federal contract information as set forth in 32 CFR 170.14(c)(2).

For Level 1, the Pentagon estimates that the cost to support a self-assessment and affirmation would be nearly $6,000 for a small entity and about $4,000 for a larger entity.

Triennial Level 2 self-assessments and affirmations would attest that a contractor has implemented all the security requirements to protect CUI as specified in 32 CFR 170.14(c)(3). A triennial Level 2 certification assessment conducted by a C3PAO would verify that a contractor is meeting the security requirements.

“A CMMC Level 2 assessment must be conducted for each [organization seeking certification] information system that will be used in the execution of the contract that will process, store, or transmit CUI,” the proposed rule notes.

A Level 2 self-assessment and related affirmations are estimated to cost over $37,000 for small entities and nearly $49,000 for larger entities (including the triennial assessment and affirmation and two additional annual affirmations). A Level 2 certification assessment is projected to cost nearly $105,000 for small entities and approximately $118,000 for larger entities (including the triennial assessment and affirmation and two additional annual affirmations).

“Receipt of a CMMC Level 2 Final Certification Assessment for information systems within the Level 3 CMMC Assessment Scope is a prerequisite for a CMMC Level 3 Certification Assessment. A CMMC Level 3 Certification Assessment, conducted by [the Defense Contract Management Agency] Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), verifies that an [organization seeking certification] has implemented the CMMC Level 3 security requirements to protect CUI as specified in 32 CFR 170.14(c)(4),” per the proposed rule.

A triennial Level 3 certification assessment would have to be conducted for each company information system that will process, store, or transmit CUI, in the execution of the contract.

Level 3 certification would require “implementation of selected security requirements from NIST SP 800–172 not required in prior rules. Therefore, the Nonrecurring Engineering and Recurring Engineering cost estimates have been included for the initial implementation and maintenance of the required selected NIST SP 800–172 requirements,” according to the proposed rule.

The total cost of a Level 3 certification assessment includes the expenses associated with a Level 2 certification assessment as well as the outlays for implementing and assessing the security requirements specific to Level 3.

For a small organization, the estimated recurring and nonrecurring engineering costs associated with meeting the security mandates for Level 3 are $490,000 and $2.7 million, respectively. The projected cost of a certification assessment is more than $10,000 (including the triennial assessment and affirmation and two additional annual affirmations).

For a larger organization, the estimated recurring and nonrecurring engineering costs associated with Level 3 safeguards are $4.1 million and $21.1 million, respectively. The projected cost of a certification assessment and related affirmations is more than $41,000 (including the triennial assessment and affirmation and two additional annual affirmations).

Level 3 standards are expected to apply only to a “small subset” of defense contractors and subcontractors, the proposed rule states.

For the calculations, officials tried to account for organizational differences between small companies and larger defense contractors. For example, small firms are generally expected to have less complex, less expansive IT and cybersecurity infrastructures and operating environments. They are also more likely to outsource IT and cybersecurity to an external service provider, according to the proposed rule.

Additionally, officials anticipate that organizations pursuing Level 2 assessments will seek consulting or implementation assistance from an external service provider to help them get ready for assessments or to participate in assessments with the C3PAOs.

The annualized costs for contractors and other non-government entities to implement CMMC 2.0 will be about $4 billion, calculated for a 20-year horizon. For the government, they will be approximately $10 million, according to the projections.

The Pentagon is seeking public feedback on the proposed rule. Comments are due by Feb. 26, 2024.

The costs and procedural requirements associated with implementing CMMC have been a major concern for defense contractors and trade associations.

“Burdensome regulation has long been a hurdle, particularly for small and medium-sized businesses that contribute to the defense industrial base. It’s critical for defense companies to have the tools — and the standards — to keep our nation’s sensitive unclassified material secure while not deterring companies from contributing to the defense industrial base,” Eric Fanning, president and CEO of the Aerospace Industries Association, said in a statement Tuesday. “We look forward to reviewing the proposed rule and providing full feedback to ensure the Department has what it needs to implement a final rule that accounts for the complexities within the defense industrial base.”

Microsoft completes voluntary CMMC assessment, a win for smaller contractors using its services (DefenseScoop, Tue, 07 Mar 2023; https://defensescoop.com/2023/03/07/microsoft-completes-voluntary-cmmc-assessment-a-win-for-smaller-contractors-using-its-services/)

DIB contractors that use Microsoft cloud services may only need to meet a small portion of CMMC's 110 controls after the cloud provider passed its voluntary assessment.

Microsoft announced Tuesday it’s among the first defense contractors to complete a voluntary assessment for the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) — an accomplishment that will notably have flow-down effects for smaller contractors that use Microsoft’s cloud services to host sensitive data.

The commercial cloud giant earned a perfect 110-point score on the Joint Surveillance Voluntary Assessment Program (JSVAP), jointly conducted by DOD’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) and third-party assessment organization Redspin, it announced in a blog post. The score results in a DIBCAC High certification that should translate to a level 2 CMMC certification for Microsoft when the final rule is issued and takes effect.

“At Microsoft Federal, we are constantly striving to enhance and ensure our products meet the highest standards of quality and security,” said John Bergin, director of federal security at Microsoft Federal. “The JSVAP assessment is a crucial step in this journey as it allows us to evaluate and validate the effectiveness of our cybersecurity capabilities. We are proud to take the lead in being one of the first to undergo a JSVAP assessment to reinforce our commitment to operating under strong cybersecurity protocols and providing the best technology solutions to our customers.” 

Under the CMMC 2.0 rules, expected to go into effect in the coming months, contractors that handle the department’s controlled unclassified information (CUI) will have to be certified in meeting one of three tiers of cyber requirements.

While the voluntary CMMC assessment — undertaken before the rule has taken effect, and thus not yet required — is important for Microsoft’s own direct work with the Pentagon and puts it ahead of the cloud-provider pack, it’s perhaps a bigger win for smaller DOD contractors who use Microsoft’s Azure commercial or government cloud offerings: they should be able to inherit Microsoft’s certified baseline of security controls in their own CMMC assessment for anything that hasn’t been customized. At least that’s the understanding prior to DOD issuing its CMMC rule.

There have been many concerns from small businesses who worry they won’t be able to afford to meet the controls to earn an onerous CMMC certification. But by being able to inherit the controls of a managed service or cloud provider, they would likely need to meet only a small portion of the 110 controls set forth by CMMC and the National Institute of Standards and Technology’s SP 800-171.

Microsoft wrote in its blog that any of its defense industrial base partners required to meet Defense Federal Acquisition Regulation Supplement (DFARS) requirements for controlled information and cyber incident reporting “can have confidence that Microsoft is able to accept the flow down terms applicable to CSPs for Azure Government Services covered by the US Federal Risk and Authorization Management Program (FedRAMP),” which Pentagon officials have said should have reciprocity with CMMC.

DOD Principal Deputy CIO Dave McKeown last September at DefenseTalks called on cloud providers to help uplift smaller contractors in the defense industrial base.

“We’re still hearing cries from industry small, medium-sized businesses that maybe it’s too onerous to uplift your environment,” McKeown said. “We have a plethora of cybersecurity tools and services that we can offer to DIB partners, as well as we are again teaming with cloud providers to see what sort of secure environments they can provide that industry can just consume in order to protect DOD information.”

DOD planning to use NIST 800-171 as evaluation criteria for contracts prior to CMMC rule (DefenseScoop, Wed, 21 Sep 2022; https://defensescoop.com/2022/09/21/dod-planning-to-use-nist-800-171-as-evaluation-criteria-for-contracts-prior-to-cmmc-rule/)

The NIST standards have been part of federal law for contractors for several years, but until now, contracting officers have been "lackadaisical" about enforcing them, said the head of DOD's CMMC program.

While the Defense Department’s Cybersecurity Maturity Model Certification (CMMC) 2.0 rule likely won’t be finalized and put into effect until next spring, defense contractors may soon have to show compliance with existing federal standards for handling the department’s controlled unclassified information as part of the evaluation criteria for contracts.

The National Institute of Standards and Technology’s SP 800-171 is a framework for how organizations should protect federal controlled unclassified information, and its 110 security practices will be the core requirements under CMMC — the DOD’s program for protecting its information that is shared with contractors. Once the Pentagon’s rule for CMMC goes into effect, likely in May of 2023, contractors who don’t meet the requirements of the program will be forbidden from working with the DOD.

But in the meantime, the department is planning to look at contractors’ compliance with NIST SP 800-171 as part of the evaluation criteria for competitive procurements, said Stacy Bostjanick, chief of implementation and policy reporting to the DOD chief information security officer.

“Right now, [NIST SP 800-171 compliance] is not going to impede you from garnering an award with the federal government. But we are going to start looking at it as an evaluation criteria” for contracts, Bostjanick said at a CMMC conference hosted Tuesday by NeoSystems in Alabama. “So it could have implications for you moving forward and your position on a competitive procurement.”

Bostjanick said John Tenaglia, the principal director of defense pricing and contracting, “has given direction to his contracting officers to start paying more attention” to the NIST standards.

Up to this point, both contractors and contracting officers have been “lackadaisical” about meeting the standards set by NIST SP 800-171 as “part of the responsibility determination” for contracts, she said.

“Is it being used to make award decisions? Not yet,” Bostjanick said, emphasizing that will likely soon change. “Mr. Tenaglia, as part of his guidance to contracting officers, is to start looking at that and taking that into consideration.”

She said the department has the authority to account for this as part of a contract’s evaluation criteria, but it just hasn’t had the right “verbiage.” However, Bostjanick’s team within the DOD CISO’s office “might have happened to pass something over to them to help them, to say this is an evaluation criteria, right? And we’re going to use this as part of our determination factor for award, because we’re going to evaluate your compliance and security of your networks.”

In fact, it’s been part of federal law under the Defense Federal Acquisition Regulation Supplement (DFARS) for several years, she said. “The only difference is somebody might come check your homework. And it is high time that we get off our duffs and get the implementation done that you were supposed to have done and you agreed to when you signed that contract” that has DFARS clause 252.204-7012.

“We need to pay attention to this, we need to get moving on it, and we’ve got to stop procrastinating,” Bostjanick said, adding that people have become vocal with their concerns only now that DOD has said, “we’re coming to look and check.” She added: “That’s not acceptable.”

So, as contractors anticipate CMMC implementation next spring, it’s as good a time as ever to start getting things in order to attest — truthfully — that they meet the 110 requirements under NIST SP 800-171, Bostjanick and her co-panelists at the event said Tuesday.

“Do yourself a favor: Hold yourself accountable. Do not overrate yourself and put something in [the Supplier Performance Risk System] and give yourself a false sense of security, assuming that nobody’s ever going to look,” said John Ellis, director of the Defense Industrial Base Cybersecurity Assessment Center. “Don’t do that. Don’t be that company. I’m not going to sit here and threaten you or I’m not going to tell you doom and gloom things, but that could happen.”

Bostjanick backed Ellis’ thoughts: “Hold yourself accountable, be realistic, be honest where you are, because at the end of the day, 95% of this for the government is being able to understand and manage the risk,” she said.

“There’s a potential that they could say, ‘OK, we get that you’re not there, but we need your capability. But now that we understand where you really are, we can help you manage that risk and we can manage the risk to the nation by coming up with an alternative plan to protect that data until you can get certified,'” she added.

For those small and medium-sized contractors that may need help on that journey to compliance, larger IT firms — cloud service providers in particular — may be able to help them get there in a cost-effective manner. The DOD is looking to such firms to make CMMC less burdensome for smaller contractors, CISO Dave McKeown said last week at DefenseScoop’s DefenseTalks conference.
