DoD Unveils Cybersecurity Strategy for Defense Industrial Base: What You Need to Know

The United States Department of Defense (“DoD”) recently published its Defense Industrial Base Cybersecurity Strategy 2024. For context, the DIB is comprised of more than 100,000 domestic and foreign companies or organizations that perform “research and development, design, production, delivery, and maintenance of DoD systems, subsystems, and components or parts, as well as those who provide software and other critical services to meet U.S. defense requirements,” according to the strategy document.

The primary mission of the DIB cybersecurity strategy is to “ensure the generation, reliability and preservation of warfighting capabilities by protecting operational capabilities, sensitive information, and product integrity.”

The Strategy outlines four goals to secure the defense industrial base, including objectives to advance the development of regulations such as the Cybersecurity Maturity Model Certification program and protect the confidentiality of sensitive defense information held by contractors.

Key Takeaways from the DIB Cybersecurity Strategy

  • CMMC 2.0 is Coming: Throughout the strategy document, DoD makes clear that the 2.0 version of its Cybersecurity Maturity Model Certification program (“CMMC”) is going to be finalized, will play a significant role in DoD’s overarching cybersecurity strategy, and will help “evaluate DIB compliance with DoD’s cybersecurity requirements.” This is noteworthy since there remains a level of skepticism within the DIB that CMMC will actually be implemented, considering the 1.0 version of the program failed to fully launch and the 2.0 version of the program remains in the rulemaking phase. Nevertheless, DoD’s cybersecurity strategy indicates CMMC is a key component of its compliance efforts. For example, the cybersecurity strategy envisions DoD routinely evaluating contractor compliance with its cybersecurity requirements “largely through the [CMMC].” DoD goes on to state that CMMC will serve as the fulcrum of a “large-scale verification capability,” allowing self-assessment for some requirements while leveraging independent assessments of DIB companies that receive Controlled Unclassified Information (“CUI”) associated with DoD programs. In addition, assessments will be conducted on the subset of DIB companies that “will receive CUI associated with the Department’s most critical and sensitive programs and technologies.” CMMC will reinforce cooperation between the DoD and industry in addressing evolving cyber threats.
  • Embrace of the National Institute of Standards and Technology Cybersecurity Framework (“NIST CSF”): DoD acknowledges that its cybersecurity strategy for the DIB was “informed by the NIST CSF,” which is a voluntary set of standards, guidelines, and practices developed in coordination with stakeholders, including private industry. In addition, DoD declares that the NIST CSF is the “primary framework the Department recommends for both public and private sector organizations to reference when managing and reducing cybersecurity risks.”
  • Expanded Information Safeguarding Obligations Forthcoming: In its cybersecurity strategy, DoD states its intention to “expand existing information safeguarding requirements” for the DIB by “implementing supplemental guidelines,” as defined in NIST SP 800-172. DoD explains that “while DFARS specifies the minimum DIB cybersecurity requirements for companies that process, transmit, and store CUI, the Department must also support efforts by the DIB to make risk-informed decisions to exceed these requirements” (emphasis added).

Overview of the Four Goals Set Forth in the DIB Cybersecurity Strategy

The four primary goals, summarized below, involve coordination and collaboration with numerous DoD components, Program Managers, other federal agencies and, of course, the DIB. Many of the initiatives identified within the four goals “have already begun or have been an element of the Department’s approach to DIB cybersecurity spanning decades or more.” The four goals are intended to help DoD “sharpen the focus, collaboration, and integration” of various cyber programs to improve the resiliency of the defense cybersecurity ecosystem.

Goal 1: Strengthen DoD Governance Structure for DIB Cybersecurity

DoD’s first goal comprises two primary objectives: (1) strengthen inter-agency collaboration and (2) advance the development of regulations for DIB contractors and subcontractors.

On the collaborative front, DoD stated the importance of “government stakeholders, internal and external to the Department” collaborating to bolster DIB cybersecurity. To meet this challenge, DoD’s Chief Information Officer (“CIO”) is going to task a DIB Cybersecurity Executive Steering Group (ESG) to “develop strategies to improve the cybersecurity of the DIB” to help strengthen “cross-departmental mechanisms for a coordinated response to managing cyber risk.”

DoD also highlighted the importance of the “Enduring Security Framework,” a public-private cooperative comprised of DoD and the DIB that was established to work on shared cybersecurity challenges. DoD emphasized the need for participants in this framework, along with law enforcement and counterintelligence agencies, the Department of Homeland Security, and the Cybersecurity and Infrastructure Security Agency (“CISA”), to collaborate on an assessment of “the current risk environment, outline the nexus between cyber and information security, as well as cyber and physical security, and address the interdependence between the DIB sector and other critical infrastructure and critical program and technology sectors.”

On the regulatory front, DoD emphasized its reliance on key contractual obligations to serve as an “important part of the DIB cybersecurity ecosystem.” Those key contractual obligations include:

  • Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting;”
  • DFARS 252.204-7020, “NIST SP 800-171 DoD Assessment Requirements;”
  • DFARS 252.239-7010, “Cloud Computing Services.”

DoD acknowledged an ongoing “challenge” associated with strengthening visibility into which subcontractors are subject to, and must comply with, the NIST SP 800-171 cybersecurity requirements imposed by DFARS 252.204-7012. DoD states that “regulations governing the flow-down of cybersecurity requirements for DIB subcontractors is an evolving and shared responsibility” involving multiple stakeholders in pursuit of the “guidance and processes to establish, mature, and maintain cybersecurity best practices applicable at the lower tiers.” To help address this “challenge,” DoD stated its intent to work with the DIB, interagency stakeholders, and DoD stakeholders to “build a governance framework for maintaining a secure subcontractor cybersecurity environment.”

Goal 2: Enhance Cybersecurity Posture of the DIB

Defense contractors and subcontractors should pay particular attention to the second goal of DoD’s DIB cybersecurity strategy. This goal, which focuses on enhancing the “cybersecurity posture of the DIB,” contains information regarding DoD’s intended reliance on the CMMC 2.0 program. DoD states that “robust cybersecurity may be achieved through iterative risk assessments and mitigation of gaps in security posture combined with facilitating DIB contractor adherence to cybersecurity regulations” (emphasis added). Those “iterative risk assessments” and mitigation measures will involve an active CMMC 2.0 program, which DoD indicates will ultimately have sprawling verification capabilities that utilize a combination of self-assessments for certain requirements and “independent assessments” conducted by Commercial Third-Party Assessment Organizations for other requirements, particularly for DIB companies receiving CUI. DoD also stated its plan to “conduct voluntary cybersecurity readiness assessments of DIB contractors’ policies and controls to ascertain their cybersecurity posture or facilitate self-assessments.”

Another objective contained in Goal 2 of DoD’s DIB cybersecurity strategy is to improve the sharing of “threat, vulnerability, and cyber-related intelligence with the DIB.” To help achieve this objective, DoD states that its CIO will oversee a relaunch of the DIBNet Portal in Fiscal Year 2024 to “continue the evolution of threat sharing capabilities.” A key feature of the new DIBNet Portal will be the application programming interface-based retrieval of threat information. A related objective identified in DoD’s DIB cybersecurity strategy is improving processes around the identification of vulnerabilities in DIB information technology (IT) cybersecurity ecosystems. To help achieve this objective, DoD is encouraging DIB companies to voluntarily implement an “advanced sensor program” managed by DoD’s Cyber Crime Center (“DC3”) that is designed to “detect and respond to adversary targeting of commercial critical infrastructure entities, including DIB contractors.” DC3 is responsible for executing programs that “analyze an organization’s vulnerability to threat actors based on network architecture, software, and processes. It includes technical, process, and policy evaluations in a single, actionable framework.” In addition, DC3 conducts “penetration testing, which includes network mapping, vulnerability scanning, phishing assessments, and web application testing.”

As part of DoD’s overarching goal to implement a “more robust compliance regime,” the Department states in its cybersecurity strategy that it will “actively collaborate with the DIB to plan and execute pilots to test the efficacy of new and existing DIB cybersecurity capabilities, services, and processes.” These proposed tests would include measuring the “effectiveness of cybersecurity requirements associated with programs, pilots, and services to inform subsequent efforts and iterative improvements.”

Goal 3: Preserve Resiliency of Critical DIB Capabilities in a Cyber-Contested Environment

The third goal identified in DoD’s DIB cybersecurity strategy is to preserve and augment the resiliency of critical production capabilities, in light of the United States’ reliance on single-source and foreign suppliers.

DoD recommends deploying a segmentation strategy for DIB companies to help ensure that the “limited resources of stakeholders can be focused on the most impactful protection activities.” The segmentation strategy would entail collaboration between DoD, the DIB Government Coordinating Council (comprised of Government agency members), and the private industry-led DIB Sector Coordinating Council. DoD states that the two DIB councils, along with the Critical Infrastructure Partnership Council, will work to “identify and share information on threats, assess and mitigate vulnerabilities, and monitor the security and resiliency of the DIB.”

Goal 4: Improve Collaboration with the DIB

This goal has been described as a “strategic priority” for DoD. Collaborative efforts with the DIB are expected to include the following:

  • Pilot programs in cybersecurity
  • War-gaming
  • Routine engagement with industry working groups
  • Cybersecurity training pathways
  • Crosscutting education and awareness campaigns provided by multiple federal agencies.

For example, the National Security Agency’s Cybersecurity Collaboration Center (“NSA CCC”) manages “bidirectional cooperatives” across an array of technology sectors, including cloud service providers, Internet service providers, threat intelligence firms, and so forth. DoD’s cybersecurity strategy envisions that when malicious cyber activity is identified by the NSA, the CCC will inform the impacted entities and share this information with the DIB, which will enable the DIB “to harden billions of endpoints across the globe against emerging sophisticated cyber threat[s].”

Looking Ahead

Future rulemaking appears to be the proverbial 800-pound gorilla awaiting defense contractors and subcontractors. As mentioned, the CMMC 2.0 program is currently in the rulemaking phase, with a final rule expected in the coming months, or possibly early 2025. A similar time horizon applies to the proposed cyber incident reporting obligations imposed on critical infrastructure entities – which includes the DIB – by CISA. According to the Cyber Incident Reporting for Critical Infrastructure Act of 2022, CISA must publish final rules within 18 months of proposed rules, or by no later than September 2025.

Defense contractors and subcontractors should start taking proactive steps now to strengthen their compliance posture as it relates to CMMC 2.0, CISA cyber incident reporting obligations, and DoD’s overarching cybersecurity strategy.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Woods Rogers Vandeventer Black | Attorney Advertising

Written by:

Woods Rogers Vandeventer Black