Sunday, October 13, 2024

Federal Register announcing CMMC - to be published Tuesday Morning. How'd we get here?

Well, if there was ever a question... Here's the Federal Register, which will appear Tuesday morning.

https://www.govinfo.gov/content/pkg/FR-2024-10-15/pdf/2024-22905.pdf

OK, folks, at this point, there will be no more government mealy-mouthing, miscommunication, or fragmentation in messaging. It's real, and it will become law on December 16th.

Here's how I see it:

  1. CMMC was born only after self-attestation failed (and it was tried multiple times, starting in 2009).
  2. CMMC, while not optimal, can actually help (wait for it, this is big).
  3. I had an old boss who used to tell me "Don't let perfect get in the way of good."

So how did we get here?

I'm going to tackle point number one today. 

CMMC was born only after self-attestation failed (and it was tried multiple times, starting in 2009).

I worked at the DoD Cyber Crime Center. In 2009, we developed a self-attestation request based on a relatively straightforward set of best information security practices. It could have been better, but it was a first step, and it was mainly based on SANS Top 20 and later, as it evolved, NIST 800-171.

We sent a request to all of the large contractors and asked them to tell us what they had (mostly to help us analyze incident reports if/when necessary). Every company submitted one.

This practice was retained, and we hoped for the best. 

Sadly, as the practice grew, it turned out that self-attestation didn't work.

Fast forward to 2018...

In June 2018, a significant cybersecurity breach occurred involving the U.S. Navy and one of its contractors, resulting in the loss of sensitive data related to the Sea Dragon project [1][2]. Chinese government hackers were identified as the perpetrators of this sophisticated cyberattack [2].

The Breach

The hackers successfully compromised the computers of a Navy contractor, gaining access to a substantial amount of highly sensitive information [2]. The stolen data amounted to 614 gigabytes, primarily related to the classified Sea Dragon project [1][3][4]. This project was a closely held initiative believed to be associated with undersea warfare capabilities [4].

In addition to the Sea Dragon project data, the hackers also obtained:

  • Signals and sensor data
  • Submarine radio room information
  • Data related to cryptographic systems
  • Electronic warfare library

This breach was particularly concerning due to the nature and volume of the compromised information, which could provide significant insights into U.S. naval capabilities and technologies [2][5].

Implications and Response

The incident highlighted the vulnerabilities in the defense supply chain, particularly with contractors handling sensitive information [1]. In response to this and other similar breaches, the Department of Defense (DoD) took steps to enhance cybersecurity measures:

  • Development of the Cybersecurity Maturity Model Certification (CMMC) in 2019
  • Implementation of stricter security protocols for contractors
  • Increased focus on supply chain security

The CMMC was designed to ensure that companies working with the DoD, including contractors, meet specific cybersecurity standards based on the sensitivity of the information they handle [1].

This breach was not an isolated incident. It was part of a larger pattern of cyber attacks targeting U.S. defense contractors and universities working on military projects [1]. The Chinese government consistently denied involvement in these attacks, but the frequency and sophistication of such breaches raised significant concerns about the security of sensitive military information [1][5].

The Sea Dragon data breach is a stark reminder of the ongoing challenges in cybersecurity, especially in the defense sector, and the persistent efforts of foreign actors to obtain classified information through digital means.

(Sourced with Perplexity.ai to summarize the story of the Sea Dragon)

[JLS Comments] 

Sadly, self-attestation didn't work. When the Navy validated the self-attestation reports (as I heard it secondhand), only a few of the thousands of contractors in the program (I heard less than 3%) had actually done what they said they'd done in their self-attestations of their cyber posture. 

This is one of THOUSANDS of stories of lost data in our defense supply chain. Have a look back through my blog. Take a look at this blog: https://henrybasset.blogspot.com/2013/04/red-sky-weekly-woshihaoren.html. It's my most-read blog and showcases a beer and cigar conversation with a friend who lived this. This CISO had hackers logging into his network during business hours, leaving only when their work week was over and returning after the weekend. 

CMMC is the "Trust but Verify" model that came out of the Navy Sea Dragon story.

BT

I am the CEO of Trusted Internet, LLC, a Managed Security Service Provider that services defense contractors. We have no government contracts and don't handle CUI, but we can show you our POAM toward completing NIST 800-171. We've done the work to help small contractors survive this. For more information, contact us at staysafeonline@trustedinternet.io or sign up for a no-cost baseline assessment workshop at https://trustedinternet.io/compliance

Citations:

[1] https://redriver.com/security/navy-contractor-hacked

[2] https://www.washingtonpost.com/world/national-security/china-hacked-a-navy-contractor-and-secured-a-trove-of-highly-sensitive-data-on-submarine-warfare/2018/06/08/6cc396fa-68e6-11e8-bea7-c8eb28bc52b1_story.html

[3] https://www.nexusitc.net/sensitive-data-stolen-from-naval-contractor-by-chinese-hackers/

[4] https://www.c4isrnet.com/cyber/2018/06/08/chinese-hackers-steal-sensitive-navy-program-data/

[5] https://www.reuters.com/article/world/china-hacked-sensitive-us-navy-undersea-warfare-plans-washington-post-idUSKCN1J42MK/