{"id":6231,"date":"2020-07-13T13:56:05","date_gmt":"2020-07-13T16:56:05","guid":{"rendered":"https:\/\/www.nachodelatorre.com.ar\/mosconi\/?p=6231"},"modified":"2020-07-13T13:56:05","modified_gmt":"2020-07-13T16:56:05","slug":"regulacion-de-normas-para-certificar-seguridad-informatica-en-el-area-de-defensa-2","status":"publish","type":"post","link":"https:\/\/www.fie.undef.edu.ar\/ceptm\/?p=6231","title":{"rendered":"Regulation of standards for certifying information security in the Defense area"},"content":{"rendered":"<p style=\"text-align: left;\" align=\"justify\">The Defense Department\u2019s new cybersecurity regulations are scheduled for implementation this year despite possible setbacks caused by the COVID-19 pandemic. The Pentagon will begin implementing the Cybersecurity Maturity Model Certification (CMMC) version 1.0 rules this year. The aim is for supplier companies to operate with the DoD securely and for their products to be secure in terms of cybersecurity.<\/p>\n<hr \/>\n<p>The Defense Department\u2019s new high-profile cybersecurity regulations are on schedule for implementation this year despite potential setbacks from the COVID-19 pandemic.<br \/>\nKatie Arrington, chief information security officer at the office of the undersecretary of defense for acquisition and sustainment, said the Pentagon will begin rolling out the Cybersecurity Maturity Model Certification version 1.0 rules this year.<\/p>\n<p>The requirements are part of the Defense Department\u2019s push to protect industrial base networks and controlled unclassified information from cyberattacks. The CMMC rules will require contractors to be certified by third-party auditors, which will ensure that companies are adhering to certain standards. 
Organizations will be required to meet different levels of security requirements depending on the type of work they are doing, with level 1 being the lightest and level 5 the most stringent.<\/p>\n<p>Acquisition officials unveiled their roadmap for implementation in January, before the COVID-19 pandemic roiled U.S. society and industry. The plans included releasing solicitations with CMMC requirements baked in for pathfinder programs this year.<\/p>\n<p>\u201cWe are on track to do that,\u201d Arrington said during a Project Spectrum webinar in May. \u201cWe\u2019re still on target to release some initial [requests for information] in June. \u2026 Stay tuned, but the work hasn\u2019t stopped and we\u2019re still doing our absolute best to stay on track.\u201d Project Spectrum is intended to help small businesses improve their cybersecurity and is supported by the Defense Department\u2019s Office of Small Business Programs.<\/p>\n<p>The biggest challenge presented by COVID-19 includes figuring out how to conduct third-party audits of companies\u2019 cybersecurity readiness, she noted. Auditors are required to perform on-site visits to assess compliance.<\/p>\n<p>\u201cWe\u2019re trying to figure out ways around that,\u201d Arrington said.<\/p>\n<p>During a webinar hosted by Bloomberg Government, Arrington said auditors may need to \u201cfind a new way of doing business\u201d to adjust to COVID-19 safety concerns. This will include wearing personal protective equipment while visiting companies.<\/p>\n<p>\u201cI think that you\u2019ll wear a mask, and you\u2019ll maintain some social distancing and you\u2019ll be able to do the audit,\u201d she said. 
\u201cJust like the cable guy today \u2014 they come into your home, or they meet you, they wear a mask and we respect each other\u2019s personal space to ensure safety for all.\u201d<\/p>\n<p>There could potentially be a two- to three-week delay on carrying out the first round of audits due to coronavirus, she noted. However, the potential schedule slip is expected to be \u201cnothing of significance,\u201d she added.<\/p>\n<p>\u201cOf course, COVID-19 is \u2026 impacting every aspect of our life,\u201d she said. \u201cBut a two-week push on something is not going to have a massive impact to our rollout of this. \u2026 I don\u2019t think it\u2019s going to be anything impactful to the schedule.\u201d<\/p>\n<p>Defense contractors should still expect to see new CMMC requirements in requests for proposals issued in November, Arrington noted, but the Pentagon plans to help companies adapt.<\/p>\n<p>\u201cWe understand this is a big cultural shift and we want to ensure that we\u2019re doing everything we can to bring our small business partners right along with us,\u201d she said at the annual Special Operations Forces Industry Conference, which was held virtually in May by the National Defense Industrial Association due to safety concerns about COVID-19.<\/p>\n<p>\u201cWe are working on different plans and strategies to help.\u201d<\/p>\n<p>For instance, contractors bidding on a program may not need to have their CMMC certifications until the time of contract award, she noted.<\/p>\n<p>\u201cAs we release the RFIs, we\u2019ll have the certified and trained auditors who will be able to go out to industry and certify companies at the level of maturity required for the work that they\u2019re bidding on,\u201d she said.<\/p>\n<p>Corbin Evans, director of regulatory policy at NDIA, said the Defense Department has yet to recruit, train and certify auditors.<\/p>\n<p>\u201cIt does seem like they\u2019re getting close\u201d to doing that, he said. 
\u201cOnce they start up that process, we\u2019ll start to get a better idea of how long that certification is going to take.<\/p>\n<p>\u201cAt this point in time, I think it\u2019s safe to say mid- to late summer is probably a good estimation for when those auditors will likely start to go out into the field, although that may be a little on the early side,\u201d he added.<\/p>\n<p>Meanwhile, the Defense Federal Acquisition Regulation Supplement 252.204-7012 is undergoing a rule change, Arrington noted. This will be completed in October. DFARS 252.204-7012 and National Institute of Standards and Technology Special Publication 800-171 are the current regulations for storing, transmitting and processing defense information.<\/p>\n<p>\u201cYou will not see the CMMC in any Department of Defense contracts or RFPs until the rule change is completed,\u201d Arrington said.<\/p>\n<p>Evans said the Pentagon is changing the Defense Federal Acquisition Regulation in accordance with CMMC. The department has developed a draft rule requiring that CMMC regulations be attached to future contracts.<\/p>\n<p>\u201cThis process is a little bit more formalized,\u201d he said.<\/p>\n<p>To pass the rule, officials will first need to have a public meeting to gather feedback from stakeholders and outside parties including NDIA, Evans noted. However, this process may be affected by the inability to gather large crowds in public spaces due to COVID-19 restrictions.<\/p>\n<p>They \u201chave started to have conversations around delays in that process because of the limitations on their ability to have a public meeting,\u201d he said. \u201cThe rule-making process is potentially stalled because of the fact that they can\u2019t do a public meeting.\u201d<\/p>\n<p>The new rules will still take time to implement because they cannot be inserted into an active contract, Arrington noted.<\/p>\n<p>\u201cWe have to go through an acquisition cycle,\u201d she said. 
\u201cMost of our acquisition contract strategies are one base year plus four option years. So if you\u2019re on a contract today that is not due to come out for recompete for three years, you are not going to be required to get a CMMC certification if you\u2019re bidding only on that work for the next few years.\u201d<\/p>\n<p>By 2026, all Pentagon contracts will require CMMC certification, according to officials.<\/p>\n<p>The majority of companies will need to achieve CMMC level 1 certifications, Arrington said. Prime contractors will likely need to meet higher levels than subcontractors.<\/p>\n<p>\u201cMost of you \u2026 just need to get the level 1 which is simple things like access controls and passwords and making sure you have antivirus software on your computers and that you\u2019re actually updating them and you have a way to download patches if needed,\u201d she said.<\/p>\n<p>Evans said that he is \u201ccautiously optimistic\u201d that CMMC will continue to stay on track despite COVID-19. Although some Defense Department programs may be experiencing delays of up to 60 to 90 days, CMMC is one of the department\u2019s high priorities, he noted.<\/p>\n<p>\u201cIt is plausible that they\u2019re kind of allocating resources internally to prioritize keeping CMMC implementation on track,\u201d he said.<\/p>\n<p>Stuart Itkin, vice president of product management and marketing at Exostar, a Herndon, Virginia-based supply chain management company, said members of the defense industrial base are already working on bolstering their cybersecurity practices to prepare for the new rules and stop intellectual property theft.<\/p>\n<p>\u201cSome suppliers are looking at it from a risk perspective and they understand that the intellectual property, the [controlled unclassified information] that is being exfiltrated \u2014 that is being stolen \u2014 actually belongs to them,\u201d he said. 
\u201cThey are the ones that are experiencing the loss.\u201d<\/p>\n<p>In May, Exostar released a cybersecurity tool geared toward helping companies score their existing policies and procedures, he said. The firm is not charging customers to use its tool to reach the first level of CMMC certification, he noted.<\/p>\n<p>Implementing CMMC regulations is intended to help companies reduce the risk of losing their IP, he said. The United States has been working to deter adversaries such as China from stealing information from defense contractors.<\/p>\n<p>\u201cCompliance is intended to be a proxy for security,\u201d he said. \u201cImplementing those practices or implementing those regulations should reduce the risk \u2026 of IP loss.\u201d<\/p>\n<p>The increase in teleworking due to COVID-19 has highlighted the need for companies to review their policies to ensure employees are following safe cybersecurity practices from home, he noted.<\/p>\n<p>\u201cThe teleworking has had a real impact on expanding the attack surface that adversaries look at,\u201d he said. It is \u201cexposing vulnerabilities that may not have been as apparent as in the past. 
\u2026 One of the things that we\u2019ve emphasized to organizations is that they look and they review their work-from-home policies.\u201d<\/p>\n<p>Evans said improving cybersecurity practices in advance of the CMMC rollout may help companies stave off a potential increase in cyber threats as contractors continue teleworking.<\/p>\n<p>\u201cThat\u2019s going to help them not only prepare for the CMMC adoption down the road, but also allow them to thwart some of those increased number of threats as \u2026 their workforce is more dispersed,\u201d he said.<\/p>\n<p>Arrington encouraged industry to get a head start on meeting the new requirements, noting that companies can download the model and begin implementing some practices that would help them meet level 1 standards.<\/p>\n<p>\u201cWaiting isn\u2019t an option for any of us,\u201d she said. \u201cThis is just a \u2026 when life gives you lemons, make lemonade\u201d situation.<\/p>\n<p>However, meeting these requirements may be more difficult for smaller businesses that are already hurting economically from the pandemic, Evans noted. 
The Small Business Administration and other government agencies are in discussions about potentially providing financial assistance for certification, he said.<\/p>\n<p>\u201cThere are the financial constraints that are likely affecting small businesses that may inhibit their ability to make cyber-related investments at this point in time,\u201d he said.<\/p>\n<p style=\"text-align: left;\" align=\"justify\"><strong>Source:<\/strong> <a href=\"https:\/\/www.nationaldefensemagazine.org\/articles\/2020\/6\/22\/cmmc-regulations-on-the-way-despite-pandemic\" target=\"_blank\" rel=\"noopener noreferrer\"><em>https:\/\/www.nationaldefensemagazine.org<\/em><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Defense Department\u2019s new cybersecurity regulations are scheduled for implementation this year despite possible setbacks caused by the pandemic&hellip; <\/p>\n","protected":false},"author":1,"featured_media":6232,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[23],"tags":[],"_links":{"self":[{"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/posts\/6231"}],"collection":[{"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6231"}],"version-history":[{"count":0,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/posts\/6231\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/media\/6232"}],"wp:attachment":[{"href":"https:\/\/www.fie.undef.e
du.ar\/ceptm\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6231"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6231"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6231"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}