The leaders of the Five Eyes, a coalition of English-speaking intelligence agencies, have emphasized the critical nature of safeguarding sensitive information in cyberspace, especially in light of the escalating tensions with The People’s Republic of China, which they have dubbed as the paramount threat of this era. Recent cyber intrusions by Chinese hackers, who pilfered 60,000 State Department emails, underscore the urgency of this issue. Additionally, defense intelligence has also been a target. Surprisingly, many companies holding such vital intelligence are unaware of their role in national security.
Almost a decade ago, the Department of Defense (DoD) introduced the Defense Federal Acquisition Regulation Supplement (DFARS) to protect the nation's intellectual property. Despite being included in over a million contracts, enforcement of DFARS has been lax. The DoD is on track to release the proposed rule for Cybersecurity Maturity Model Certification (CMMC) 2.0 in November, a pivotal step in ensuring the defense industrial base adheres to robust security measures.
While security controls like multifactor authentication, network monitoring, and incident reporting have long been stipulated in government contracts with the DoD, contractors were previously allowed to self-certify their compliance. This system operated on trust, without verification. Microsoft has noted an escalation in nation-state cyber threats, particularly from Russia, China, Iran, and North Korea, who are exploiting new avenues such as the social platform Discord to target critical infrastructure.
With over 300,000 contractors in the defense industrial base, there exists a substantial opportunity for hackers to pilfer military secrets. Mandating cybersecurity standards for defense contractors should significantly reduce this risk, but there is still much ground to cover in achieving compliance with fundamental cybersecurity practices. A study by Merrill Research revealed that only 36% of contractors submitted the required compliance scores, a 10% drop from the previous year. Those who did submit had an average score well below the full compliance benchmark.
Furthermore, the study highlighted that contractors tend to be selective in their adherence to compliance areas. Only 19% implemented vulnerability management solutions, and 25% had secure IT backup systems, both crucial elements of basic cybersecurity. Forty percent took an extra step by denying the use of Huawei, a company identified by the Federal Communications Commission as a national security risk.
This selectiveness suggests that contractors recognize the risks but do not consistently address them, perhaps due to the lack of auditing for compliance. It is important to understand that the government's imposition of new rules on defense contractors is not unilateral; CMMC 2.0 is the result of a decade-long public-private partnership.
Enforcement of CMMC 2.0 is vital for safeguarding sensitive defense information and national security assets, which have been in jeopardy for far too long. Adversaries like China exploit any vulnerabilities they can find. Now that the DoD has established a compliance deadline, it is imperative for defense contractors to adopt the requirements already embedded in their contracts and fully implement mandatory minimum cybersecurity standards.
Preserving American technological superiority and safeguarding military secrets hinges on the defense industry's commitment to cybersecurity. By embracing the collaborative vision behind CMMC 2.0 and achieving certification, contractors can affirm themselves as custodians of the nation's security.