{"id":6210,"date":"2020-07-08T19:52:17","date_gmt":"2020-07-08T22:52:17","guid":{"rendered":"https:\/\/www.nachodelatorre.com.ar\/mosconi\/?p=6210"},"modified":"2020-07-08T19:52:17","modified_gmt":"2020-07-08T22:52:17","slug":"ciberguerra-dispositivos-no-detectados-pueden-plantear-problemas-cmmc","status":"publish","type":"post","link":"https:\/\/www.fie.undef.edu.ar\/ceptm\/?p=6210","title":{"rendered":"Cyberwarfare: undetected devices may pose CMMC problems"},"content":{"rendered":"<p>As we noted in earlier articles, at the beginning of this year the U.S. Department of Defense published version 1.0 of the Cybersecurity Maturity Model Certification (CMMC), intended to compel the defense industrial base to better protect its networks and controlled unclassified information against cyberattacks and theft by competitors such as China. The defense industry is preparing for audits as CMMC begins to be rolled out this summer. However, undetected hardware and software on company networks may pose challenges.<\/p>\n<hr \/>\n<p>The defense industry is gearing up for audits as the Pentagon\u2019s highly anticipated set of new cybersecurity standards begin to be implemented this summer. However, undetected hardware and software on company networks may pose challenges.<\/p>\n<p>Earlier this year, the Defense Department unveiled new rules \u2014 known as the Cybersecurity Maturity Model Certification version 1.0 \u2014 aimed at compelling the defense industrial base to better protect its networks and controlled unclassified information against cyberattacks and theft by competitors such as China. 
The rules will eventually be baked into contracts, and the Pentagon wants to include them in requests for information as early as this summer on pathfinder programs.<\/p>\n<p>Audits will be conducted by third-party assessment organizations, known as C3PAOs. Auditors will be trained and approved by a new accreditation body.<\/p>\n<p>As companies seek to comply with CMMC \u2014 which features different standards depending on the nature of the work being done, with level 1 standards being the least demanding and level 5 the most burdensome \u2014 they should be aware of undetected devices on their networks that could pose risks to their certifications, said Katherine Gronberg, vice president of government affairs at Forescout Technologies, a San Jose, California-based security firm.<\/p>\n<p>\u201cOn average we can go into a company in any sector and find about 30 to 40 percent more devices than they knew about,\u201d she said.<\/p>\n<p>Since last summer, Forescout has worked with about three dozen medium and large defense companies as they prepare for CMMC audits. During assessments, Forescout discovered numerous issues that could complicate compliance with the cybersecurity rules.<\/p>\n<p>During one contractor\u2019s assessment, Forescout discovered two smart speaker devices placed in sensitive locations, five unknown or previously unidentified wireless devices and wireless access points, instances of unknown or high-risk software platforms on the network and other issues.<\/p>\n<p>Worryingly, it found 27 instances of Kaspersky software and Kaspersky-furnished files on the network of the contractor, according to Forescout. Kaspersky is Russian-made security software that is banned by the U.S. government for civilian and defense agencies.<\/p>\n<p>Other policy violations the firm discovered included two examples of networks believed to be air-gapped, or closed, but shown by Forescout to be accessible remotely, according to the company. 
This could have occurred by accident or because of poor design.<\/p>\n<p>Forescout\u2019s goal is to \u201cmake people understand that tools that they have for identifying devices are usually inadequate,\u201d Gronberg said.<\/p>\n<p>When it comes to reaching CMMC compliance, a defense contractor\u2019s visibility into its network will be critical, she said.<\/p>\n<p>\u201cIf you have \u2026 all of these reporting requirements under CMMC, do you want to be doing it for only 70 percent of your environments?\u201d she asked. \u201cYou\u2019re not going to have very good reporting if you\u2019re only reporting on the assets that you know about today. You\u2019ve got to have a really comprehensive way to discover all of those.\u201d<\/p>\n<p>The devices that represent a risk for a defense company may differ substantially from a financial services company, Gronberg noted.<\/p>\n<p>\u201cWe called out Kaspersky for example,\u201d she said. Kaspersky is \u201ca widely commercially available tool that if you\u2019re in another sector might be fine. \u2026 But in the defense sector \u2014 and certainly for the federal agencies themselves \u2014 they\u2019re not allowed to have that.\u201d<\/p>\n<p>Chinese-made products could also be problematic for many defense companies, she noted.<\/p>\n<p>Not having an accurate count of networked devices is not limited to the defense industry, she added. Forescout is part of the Department of Homeland Security\u2019s Continuous Diagnostics and Mitigation program, a sprawling effort that is meant to reduce cyber risk and provide visibility across the civilian agencies throughout the federal government.<\/p>\n<p>\u201cWe\u2019re not the only tool delivering in that program, but we\u2019re the ones who went to the networks to detect all the hardware,\u201d Gronberg said. \u201cWhen we did that, on average, the program discovered 75 percent more assets than the federal agencies knew about. 
That\u2019s a lot.\u201d<\/p>\n<p>Once a company improves its ability to discover assets, it needs to be better about classifying them from a security standpoint. \u201cKnowing that something is there is important, but it\u2019s only the first step of importance,\u201d she added.<\/p>\n<p>Meanwhile, while the COVID-19 pandemic may cause some Pentagon program delays, CMMC is still on track, said Katie Arrington, chief information security officer at the office of the undersecretary of defense for acquisition and sustainment.<\/p>\n<p>\u201cWe\u2019re having to retool some of the training because the actual inspections \u2026 have to happen,\u201d she said in April. \u201cThe actual audit has to be done on site.\u201d<\/p>\n<p>The Pentagon is working on ways around that, she said during a webinar.<\/p>\n<p>\u201cWe\u2019re still on track,\u201d she said. \u201cWe\u2019re still doing the pathfinders. We\u2019re working through those. We\u2019re still on target to release some initial RFIs in June with the CMMC in it so we can all kind of get a feel for it.\u201d<\/p>\n<p>CMMC requirements are expected to be included in pathfinder program requests for proposals later this year.<\/p>\n<p>Speaking during another webinar hosted by Bloomberg Government, Arrington said potential delays of a couple of weeks would be insignificant to the broader initiative.<\/p>\n<p>\u201cA two-week push on something is not going to &#8230; have a massive impact to our rollout of this,\u201d she said. 
\u201cMaybe we\u2019ll have a two-, three-week slip on actually doing the first audits, the pathfinders, but nothing of significance.\u201d<\/p>\n<p>Auditors may have to wear masks or social distance while conducting their work, she added.<\/p>\n<p><strong>Source:<\/strong> <a href=\"https:\/\/www.nationaldefensemagazine.org\/articles\/2020\/6\/8\/undetected-devices-may-pose-cmmc-issues\" target=\"_blank\" rel=\"noopener noreferrer\"><em>https:\/\/www.nationaldefensemagazine.org<\/em><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>As we noted in earlier articles, at the beginning of this year the U.S. Department of Defense published the Cybersecurity Maturity Model&hellip; <\/p>\n","protected":false},"author":1,"featured_media":6211,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[2,23],"tags":[]}