Como adelantamos en otros artículos, a principios de este año, el Departamento de Defensa de EE UU publicó la Certificación del Modelo de Madurez de Seguridad Cibernética (CMMN) versión 1.0, destinadas a obligar a la base industrial de defensa a proteger mejor sus redes y controlar la información no clasificada contra los ataques cibernéticos y el robo de competidores como China. La industria de defensa se está preparando para las auditorías a medida que el CMMC comienza a implementarse este verano. Sin embargo, el hardware y el software no detectados en las redes de la empresa pueden plantear desafíos.
The defense industry is gearing up for audits as the Pentagon’s highly anticipated set of new cybersecurity standards begin to be implemented this summer. However, undetected hardware and software on company networks may pose challenges.
Earlier this year, the Defense Department unveiled new rules — known as the Cybersecurity Maturity Model Certification version 1.0 — aimed at compelling the defense industrial base to better protect its networks and controlled unclassified information against cyberattacks and theft by competitors such as China. The rules will eventually be baked into contracts, and the Pentagon wants to include them in requests for information as early as this summer on pathfinder programs.
Audits will be conducted by third-party assessment organizations, known as C3PAOs. Auditors will be trained and approved by a new accreditation body.
As companies seek to comply with CMMC — which features different standards depending on the nature of the work being done, with level 1 standards being the least demanding and level 5 the most burdensome — they should be aware of undetected devices on their networks that could pose risks to their certifications, said Katherine Gronberg, vice president of government affairs at Forescout Technologies, a San Jose, California-based security firm.
“On average we can go into a company in any sector and find about 30 to 40 percent more devices than they knew about,” she said.
Since last summer, Forescout has worked with about three dozen medium and large defense companies as they prepare for CMMC audits. During assessments, Forescout discovered numerous issues that could complicate compliance with the cybersecurity rules.
During one contractor’s assessment, Forescout discovered two smart speaker devices placed in sensitive locations, five unknown or previously unidentified wireless devices and wireless access points, instances of unknown or high-risk software platforms on the network and other issues.
Worryingly, it found 27 instances of Kaspersky software and Kaspersky-furnished files on the network of the contractor, according to Forescout. Kaspersky is Russian-made security software that is banned by the U.S. government for civilian and defense agencies.
Other policy violations the firm discovered included two examples of networks believed to be air-gapped, or closed, but shown by Forescout to be accessible remotely, according to the company. This could have occurred by accident or because of poor design.
Forescout’s goal is to “make people understand that tools that they have for identifying devices are usually inadequate,” Gronberg said.
When it comes to reaching CMMC compliance, a defense contractor’s visibility into its network will be critical, she said.
“If you have … all of these reporting requirements under CMMC, do you want to be doing it for only 70 percent of your environments?” she asked. “You’re not going to have very good reporting if you’re only reporting on the assets that you know about today. You’ve got to have a really comprehensive way to discover all of those.”
The devices that represent a risk for a defense company may differ substantially from a financial services company, Gronberg noted.
“We called out Kaspersky for example,” she said. Kaspersky is “a widely commercially available tool that if you’re in another sector might be fine. … But in the defense sector — and certainly for the federal agencies themselves — they’re not allowed to have that.”
Chinese-made products could also be problematic for many defense companies, she noted.
Not having an accurate count of networked devices is not limited to the defense industry, she added. Forescout is part of the Department of Homeland Security’s Continuous Diagnostics and Mitigation program, a sprawling effort that is meant to reduce cyber risk and provide visibility across the civilian agencies throughout the federal government.
“We’re not the only tool delivering in that program, but we’re the ones who went to the networks to detect all the hardware,” Gronberg said. “When we did that, on average, the program discovered 75 percent more assets than the federal agencies knew about. That’s a lot.”
Once a company improves its ability to discover assets, it needs to be better about classifying them from a security standpoint. “Knowing that something is there is important, but it’s only the first step of importance,” she added.
Meanwhile, while the COVID-19 pandemic may cause some Pentagon program delays, CMMC is still on track, said Katie Arrington, chief information security officer at the office of the undersecretary of defense for acquisition and sustainment.
“We’re having to retool some of the training because the actual inspections … have to happen,” she said in April. “The actual audit has to be done on site.”
The Pentagon is working on ways around that, she said during a webinar.
“We’re still on track,” she said. “We’re still doing the pathfinders. We’re working through those. We’re still on target to release some initial RFIs in June with the CMMC in it so we can all kind of get a feel for it.”
CMMC requirements are expected to be included in pathfinder program requests for proposals later this year.
Speaking during another webinar hosted by Bloomberg Government, Arrington said potential delays of a couple of weeks would be insignificant to the broader initiative.
“A two-week push on something is not going to … have a massive impact to our rollout of this,” she said. “Maybe we’ll have a two-, three-week slip on actually doing the first audits, the pathfinders, but nothing of significance.”
Auditors may have to wear masks or social distance while conducting their work, she added.
