U.S. Cybersecurity Defense Industrial Base

Transcription

Third-party risk management: Cybersecurity in the Defense Industrial Base (DIB)

Contents

Executive summary 1
Background 2
Current regulation and guidance 3
Challenges with regulation and guidance adoption 4
Government response 5
Defense prime contractors now have an increased responsibility toward achieving compliance 6
Taking a cybersecurity framework approach to manage requirements 7
Additional nonregulatory approaches toward achieving cyber resiliency 9
Paving the way for cyber resiliency 10
Definitions 11
Authors and Contacts 14

Executive summary

Supply chain attacks, which exploit security weaknesses in third-party services to strike a target, increased 78 percent between 2017 and 2018 according to Symantec's 2019 Internet Security Threat Report, and the trend is increasing in 2019.[1] As the potential for these types of attacks continues to grow, defense industry affiliates will need to look beyond the minimum requirements within the self-reported compliance checklist and build a proactive, broader approach to managing risks within their enterprises. This approach should include formalized policies and the identification of patterns and practices mapped to existing Department of Defense (DoD) requirements to assess supply chain risks and better manage potential supply chain vulnerabilities.

Defense Industrial Base (DIB) affiliates, encompassing global supply and logistics chains, can have a connection to the DIB network and have access to sensitive or classified technologies and information. Cyber is everywhere, and as attackers continue to look for new entry points, these affiliates are increasingly becoming more susceptible to espionage and may be a target for theft and sabotage where counterfeit or otherwise faulty components could enter the supply chain. These threats are amplified by the complexity of modern supply chains, which may include foreign entities, bringing concerns of "upstream" targeting. The globalization and virtualization of the business landscape presents new challenges to ensuring risk management of national security interest programs and associated information systems' components and information.

Defense contractors are increasingly investing in digital technologies to help accelerate product development, improve existing processes, and increase efficiency. Digitization results in highly sensitive and confidential data being stored long term and shared internally as well as externally. Defense contractors have a heightened responsibility to protect this data in its digital form so as to not negate the benefits.

National security concerns elevate the importance of data security for defense contractors. They share, exchange, and create Covered Defense Information (CDI) and Controlled Unclassified Information (CUI) on program specifications, technology, and equipment performance as they collaborate across research, design, development, and deployment of defense products. Apart from a national security threat, cyberattacks can also cause significant financial and reputational damage to defense contractors, which may disrupt supply chains and result in cost and schedule overruns.

DIB third-party risk management strategy
1. It is imperative that defense contractors be well prepared to manage cybersecurity risks within their supply chain to protect against national security threats.
2. To prepare for the future, DoD prime contractors and suppliers should consider integrating a supply chain cyber governance program that clearly maps out the steps to be compliant and cyber resilient.
3. Consider leveraging emerging technologies such as digital process automation, blockchain technology, artificial intelligence, and advanced analytics to scale illumination and prioritization of high-risk third parties across the DIB.

The US governing authorities have issued several regulations related to cybersecurity compliance by defense contractors and subcontractors. Initially, there seemed to be some ambiguity in determining who is accountable and responsible across the DIB for evaluating suppliers' adherence with the requirements in the National Institute of Standards and Technology (NIST) SP 800-171.[2] This approach allowed for the possibility of inconsistent adoption of these regulations; however, with a recent announcement by the Office of the Secretary of Defense, the DoD is now moving to enforce compliance with the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012,[3] including the cybersecurity flow-down requirements.

In this article, we will explore some of the major challenges related to cybersecurity regulations for defense contractors in the supply chain risk management domain. We will also define steps key stakeholders should consider in becoming compliant with regulations enforced by the DoD and ideas to make progress toward a more cyber-resilient security posture.

Background

Stakes are high for DIB affiliates who provide research and development, manufacturing, mission assurance, engineering, logistics and acquisition, cybersecurity and IT, and testing and integration services.

DIB affiliates are constantly innovating to produce technologically advanced products, and the speed of innovation results in creating a significant amount of intellectual property (IP), which must be digitally protected by all participants in the supply chain. The risk of aggregated CDI and CUI with respect to future defense capabilities or IP being exposed to cyberattacks is a major threat to the national security of the United States.

Defense manufacturing often involves a complex global supply chain, involving tier-1, tier-2, and tier-3 contractors. This complexity introduces numerous cybersecurity risks as the involvement of multiple organizations places confidential information in environments with greater opportunity for compromise and exploitation. Moving further down the supply chain, lower-tier suppliers generally face even more difficulties to secure sensitive data because of costly, inconsistent, or incompatible cybersecurity controls implementations or from a misinterpretation of the required regulations.

The United States has faced numerous and varied cybersecurity threats in the past, which have involved attempts at infiltrating the networks of US public and private institutions, to gain access to sensitive information.[4] If the defense manufacturing supply chain is vulnerable to cyberattacks such as counterfeit parts insertion, corporate espionage, IP theft, network compromise, foreign influence, etc., it can pose major risks that may compromise a nation's safety:
- IP theft by hostile nations or terrorist groups to advance defense capabilities, develop more effective countermeasures, produce technologies for sale on the global arms market, and erode US military superiority
- Data theft to monitor and possibly infiltrate defense systems and capabilities, thus reducing the lethality of military tactics

Level of perceived cybersecurity risks highest for information technology (IT)/IP and business system threats

In a study titled "Implementing Cybersecurity in DoD Supply Chains," the National Defense Industrial Association (NDIA) conducted a survey of 227 NDIA members engaged in the manufacturing or supply of components and services to the DoD to assess the apparent risks of three dimensions of cybersecurity threats that defense contractors face: IT/IP threats, business system threats, and factory/shop floor threats. The level of perceived cybersecurity risks by defense contractors was the highest with respect to IT/IP threats, where 87 percent of respondents believed the risks to be either "high" or "extremely high." This was followed by business system threats, where 76 percent of respondents perceived the risks to be high. The level of cybersecurity investment correlated with the attitude toward the perceived level of risk as most of the respondents designated greater importance to IT/IP and business system threats.

Source: Steven A. Melnyk, Chris Peters, Joseph Spruill, and Kenneth W. Sullivan, Implementing cybersecurity in DoD supply chains, NDIA, July 2018, -chains.ashx?la en.

In 2018, cybercriminals hacked into a US Navy contractor's system to steal data on plans to build an anti-ship missile by 2020 for use on US submarines. Hackers breached the systems of the contractor and stole sensitive data related to sensors, cryptographic information, the electronic warfare library of the Navy, and information on a secret project named "Sea Dragon."

Source: Ellen Nakashima and Paul Sonne, "China hacked a Navy contractor and secured a trove of highly sensitive data on submarine warfare," The Washington Post, June 8, 2018, 2018/06/08/6cc396fa-68e6-11e8-bea7c8eb28bc52b1 story.html?utm term .0499ebf4afdd.

Current regulation and guidance

DFARS regulations and NIST guidance play an important role in the United States to enable cybersecurity robustness. For defense contractors and subcontractors, regulations can provide a minimum guidance to assist them with becoming cybersecure, as referenced in figure 1 and described below:
- In the United States, the DFARS requirements and compliance with the NIST SP 800-171 govern the DIB and associated contractors.[5] The DFARS 204.7300[6] requires contractors and subcontractors to protect CDI by applying specified network security requirements and necessitates reporting of cyber incidents. DFARS 252.204-7012[7] further expands the definition of CUI and identifies the NIST SP 800-171 framework as a source document for cybersecurity requirements.
- NIST SP 800-171, which lays down specific measures to safeguard sensitive information, acts as a minimum standard for companies in the DIB.

To provide guidance for implementation and enforcement of DFARS, a report by The MITRE Corporation was published in August 2018, which advised the DoD to "revise DoD 5000.02 and Defense Acquisition Guidance to make security the '4th Pillar' of acquisition planning, equal in emphasis to cost, schedule and performance."[8]

Figure 1. DFARS base clause requirements for defense contractors
- Provides adequate security for all covered defense information
- Provides flow-down requirements to subcontractors
- Assigns minimum security controls from NIST SP 800-171
- Applies a 72-hour rapid reporting requirement for breaches
- Requires multifactor authentication
- Requires least privileged access
Source: Deloitte analysis of DFARS regulation.

Challenges with regulation and guidance adoption

Significant importance is being given to cybersecurity because of a robust regulatory system. However, these regulations will need to be clearly defined to avoid straining defense contractors in their adoption and implementation, and to help avoid unidentified risks. Defense contractors and their suppliers in the United States face various challenges when it comes to adhering to cybersecurity regulations (see figure 2).

Figure 2. Current regulations can pose a challenge for prime contractors (flow from left to right)
- Multiple defense programs with CDI
- 10,000 suppliers involved in these programs
- Identifying suppliers in the DIB handling CDI
- Validating NIST compliance for 10,000 suppliers
- Tracking progress made by suppliers to better adhere to regulatory requirements
Source: Deloitte analysis.

1. Regulations have not fully clarified the degree to which prime contractors should verify cyber compliance throughout the supply chain. Until recently, the DFARS required that defense prime contractors contractually "flow down" the responsibility to comply with NIST SP 800-171 to subcontractors. Unfortunately, no formal governance program was established to assess risk and enforce compliance throughout the supply chain.
2. DoD prime contractors do not typically verify suppliers' compliance with NIST SP 800-171. This is especially true for small- and medium-sized contractors. Moreover, it is becoming increasingly difficult and costly for prime contractors to understand and manage the risks of multiple subcontractors.
3. Small- and medium-sized defense contractors face several issues with respect to regulatory compliance, including awareness and full understanding of the compliance regulations and the lack of financial resources to establish broad-reaching governance programs.
4. The DIB cybersecurity information sharing program provides for mandatory reporting on cybersecurity incidents, but much of the nonreporting requirements remain voluntary; widespread dissemination of threat information could potentially benefit lower-tier contractors and provide improved situational awareness throughout the sector.

Regulatory requirement challenges and noncompliance could drive the DoD to intervene and take the necessary steps to achieve compliance, which may include stricter actions, based on the severity of noncompliance. If the DoD observes that the industry is slow at adopting these regulations, they may consider taking incremental steps, which could be a wide range of options, including risk assessing the contractors and their subcontractors, holding prime contractors accountable for noncompliance across the DIB, or continuous monitoring of high-risk DIB partners.

Government response

DoD agencies are taking various steps to understand the level of compliance of the supply chain on their programs to NIST SP 800-171. While certain DoD agencies are assessing or "auditing" the prime contractors' compliance with the DFARS standards, some of them are also assessing the compliance to NIST SP 800-171 of the lower-tier suppliers in their supply chain. All these efforts are helping the DoD form an understanding as to the level of adoption in the industry (see figure 3).

According to a report from the DoD Inspector General (DoDIG) released in March 2018, the DoD conducted an audit focused on cybersecurity controls at seven Missile Defense Agency (MDA) contractor facilities. The audit revealed that these "MDA contractors did not consistently implement security controls and processes to protect classified and unclassified ballistic missile defense system (BMDS) technical information." The DoD's increased enforcement of DFARS flow-down requirements is evidenced by the DoDIG report, which was critical of a DoD agency for not aggressively ensuring all its suppliers complied with the NIST SP 800-171 and for not making enough progress on a Plan of Actions and Milestones (POA&M) put in place to address these vulnerabilities.[9]

Figure 3. The extent to which the DoD could go to address noncompliance (steps ordered from the present state toward greater DoD proactiveness toward compliance and greater noncompliance exposure)
1. DoD agencies start to assess prime contractors, tier-1 and tier-2 vendors, and lower-level suppliers on their own accord
2. DoD holds prime contractors accountable for tier-1 subcontractors to comply with NIST standards
3. DoD enlists Defense Contract Management Agency (DCMA) to audit prime contractors' processes for assessing tier-1 suppliers' compliance with NIST
4. DoD requires prime contractors to assess cyber at all levels of their supply chain that process or receive CUI/CDI
5. DoD enforces penalties for noncompliance with NIST standards
Source: Deloitte analysis.

Defense prime contractors now have an increased responsibility toward achieving compliance

The DoD has recently clarified the direction in which it plans to move to drive greater NIST adoption down into the DIB. On January 21, 2019, Under Secretary of Defense for Acquisition and Sustainment Ellen Lord issued a memorandum requesting the DCMA to validate prime contractors' compliance with DFARS 252.204-7012.[10] The memorandum focused on the DCMA assessing two key elements:
- Ensuring contract terms flow down to tier-1 level suppliers correctly
- Reviewing prime contractors' procedures to assess compliance of their tier-1 level suppliers with DFARS 252.204-7012 and NIST SP 800-171

Subsequently, on February 26, 2019, the DCMA officially updated its Contractor Purchasing System Review (CPSR) Guidebook to include new procedures for its procurement analysts to assess the two aspects stated in the memo issued by Ellen Lord.[11] Specifically, it stipulated that:

"The prime contractor must validate that the subcontractor has a Covered Contractor Information System (CCIS) that can receive and protect CUI. The prime contractor must show documentation that they have determined that the subcontractor has an acceptable CCIS to include an adequate System Security Plan (SSP)."

These steps help prime contractors establish a process to assess and validate the cyber controls a contractor has in place, to address at a minimum the NIST SP 800-171 requirements, and to confirm that items identified in previous POA&Ms are being resolved as part of their self-certifications.

Taking a cybersecurity framework approach to manage requirements

As the DoD starts to enforce evaluation of subcontractors' cybersecurity controls by the DoD prime contractors, there are several measures that defense contractors, the DoD, and the government can take to become cyber resilient and compliant. Prime contractors and original equipment manufacturers (OEMs) should focus on creating a robust cybersecurity framework, both to protect their own and their supply chain partners' cybersecurity. To be prepared, defense contractors should focus on both regulatory and nonregulatory approaches to addressing cybersecurity issues.

Figure 4. Supply chain governance program

Supplier ID and governance processes
- Establish supplier risk framework: Who are suppliers? What data do they get? How often are suppliers assessed? What level of depth are suppliers assessed? How will we monitor remediation? How will we transition off suppliers that do not remediate?
- Supplier risk-profile parameters: Inherent risk of suppliers (IRQ)
- Establish assessment program: Which suppliers to assess? How often? Running the supplier risk-profiling process; capturing NIST questionnaire; verification of supplier responses; follow-up with suppliers; communicate deficiencies and remediations
- Establish a system of record for program: Data collection of NIST status of suppliers; capturing results of assessments; tracking supplier deficiencies and remediations

Supplier assessments
- Level 1: Quick looks
- Level 2: NIST assessments
  - Type A: Review questionnaire responses
  - Type B: Remote validation
  - Type C: On-site validation
Source: Deloitte analysis.

From a regulatory compliance perspective, prime contractors should migrate toward a supply chain cyber governance program based around NIST SP 800-171. First, DoD prime contractors should have processes in place to continually assess their own companies' compliance with NIST SP 800-171 controls and the progress of action plans for improvement. Second, they should create awareness among subcontractors and small- and medium-sized suppliers as to what NIST SP 800-171 compliance means. For instance, providing training and education to the chief information security officers (CISOs) of subcontractors and realistic solution options that can help demystify what it takes to provide adequate cybersecurity for small- and medium-sized suppliers. Lastly, DoD prime contractors should take steps to demonstrate initiative in taking responsibility for the flow down of NIST SP 800-171 compliance requirements to their supplier ecosystem—for example, creating a third-party cyber assessment program or performing regular cybersecurity evaluations of their suppliers to improve confidence that the supply chain is well prepared for cybersecurity risks and is making progress on their POA&M.

To prepare for the new cybersecurity flow-down procedures and the DCMA's upcoming CPSRs, integrating a supply chain cyber governance program as depicted in figure 4 could potentially help improve compliance, both within the organization and by their suppliers.
- Illuminate the ecosystem of suppliers on your defense programs: Conduct a due-diligence discovery of suppliers using a detailed survey combined with a passive Open Source illumination to identify the suppliers that are in the supply chain ecosystem. While the DCMA is currently looking to evaluate prime contractors' assessments of their tier-1 suppliers, this should go down to tier-5 suppliers at a minimum, depending on the criticality of the program and how far down CDI flows in the supply chain.
- Risk rank the criticality of those suppliers: To ensure the right assessment approach is applied to the right suppliers, organizations can consider using risk-ranking criteria to rank the suppliers in risk tiers. Risk-ranking factors could include CDI exposure, company reputation, company size, financial stability, foreign influence, foreign operating locations, corporate leadership, cyber breach history, the importance of their role in the DoD program, etc.
- Identify the riskiest suppliers and assess the extent of their exposure: Adjust the approaches for assessing NIST SP 800-171 compliance to the risk tier of the supplier. For the highest-risk tier suppliers, prime contractors should consider on-site validation of cybersecurity controls, whereas, for lower-risk tiers, options such as passive cybersecurity noncompliance evaluation, or short-term adversarial assessments using advanced analytics to determine basic cyber hygiene can be considered.
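The three steps above (illuminate, risk rank, assess by tier) and the figure 4 assessment levels, worked through as an added example that is not Deloitte's or the DoD's code: a prime contractor scores each supplier on the article's risk-ranking factors, maps the resulting tier to a Level 1 quick look or a Level 2 Type B/Type C assessment, keeps CDI-handling suppliers in scope regardless of depth, and flags suppliers whose contract is missing the DFARS 252.204-7012 flow-down. The weights, thresholds, tier-to-assessment mapping and sample suppliers are illustrative assumptions.

```python
"""Supplier risk-tiering and assessment selection for a DIB supply chain
cyber governance program (added example; not Deloitte's or the DoD's code).

The risk-ranking factors, the assessment levels (Level 1 quick look,
Level 2 NIST assessments of Type A/B/C) and the flow-down check come from
the article. The weights, thresholds and the tier-to-assessment mapping are
assumptions that a real program would calibrate to its own DoD programs.
"""
from dataclasses import dataclass


@dataclass
class Supplier:
    name: str
    depth: int                    # supply chain depth: 1 = direct subcontractor of the prime
    handles_cdi: bool             # receives, stores or processes CDI/CUI
    role_critical: bool           # importance of its role in the DoD program
    foreign_locations: int        # number of foreign operating locations
    breaches: int                 # known cyber breach history (count)
    employees: int                # company size proxy (smaller = fewer resources)
    open_poam_items: int          # unresolved items from its last POA&M
    dfars_7012_flowed_down: bool  # DFARS 252.204-7012 clause present in its contract


def risk_score(s: Supplier) -> int:
    """Assumed additive weights; CDI exposure dominates the score."""
    score = 0
    if s.handles_cdi:
        score += 40
    if s.role_critical:
        score += 20
    score += min(s.foreign_locations * 5, 15)
    score += min(s.breaches * 10, 20)
    if s.employees < 250:            # assumed small/medium-supplier threshold
        score += 5
    score += min(s.open_poam_items * 2, 10)  # remediation not progressing
    return score


def risk_tier(score: int) -> str:
    """Assumed tier floors: 60+ high, 30+ medium, otherwise low."""
    if score >= 60:
        return "high"
    if score >= 30:
        return "medium"
    return "low"


# Assumed mapping of risk tier to the article's assessment levels.
ASSESSMENT = {
    "high":   ("Level 2", "Type C", "On-site validation of NIST SP 800-171 controls"),
    "medium": ("Level 2", "Type B", "Remote validation of questionnaire responses"),
    "low":    ("Level 1", "Quick look", "Passive evaluation of basic cyber hygiene"),
}


def plan_assessments(suppliers, max_depth=5):
    """One plan row per in-scope supplier, riskiest first.

    Suppliers deeper than max_depth stay in scope when they handle CDI, since
    the article ties illumination depth to how far CDI flows down the chain.
    """
    rows = []
    for s in suppliers:
        if s.depth > max_depth and not s.handles_cdi:
            continue
        score = risk_score(s)
        tier = risk_tier(score)
        level, kind, desc = ASSESSMENT[tier]
        rows.append({"name": s.name, "depth": s.depth, "score": score,
                     "tier": tier, "assessment": f"{level} / {kind}: {desc}"})
    rows.sort(key=lambda r: (-r["score"], r["depth"], r["name"]))
    return rows


def flow_down_gaps(suppliers):
    """Suppliers that handle CDI but whose contract lacks the DFARS
    252.204-7012 clause: the flow-down element the DCMA is checking."""
    return sorted(s.name for s in suppliers
                  if s.handles_cdi and not s.dfars_7012_flowed_down)


# Constructed sample suppliers (not real companies).
SAMPLE = [
    Supplier("Alpha Avionics", 1, True, True, 2, 1, 1200, 3, True),
    Supplier("Bravo Machining", 2, True, False, 0, 0, 80, 0, False),
    Supplier("Charlie Logistics", 3, False, False, 1, 0, 400, 0, True),
    Supplier("Delta Firmware", 6, True, True, 0, 2, 30, 6, True),
    Supplier("Echo Packaging", 7, False, False, 0, 0, 15, 0, False),
]

if __name__ == "__main__":
    for row in plan_assessments(SAMPLE):
        print(f"{row['score']:3d} {row['tier']:6s} tier-{row['depth']} "
              f"{row['name']}: {row['assessment']}")
    print("Flow-down gaps:", flow_down_gaps(SAMPLE))
```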

Additional nonregulatory approaches toward achieving cyber resiliency

In addition to approaches concerned with regulatory compliance, defense contractors might consider leveraging solutions from a nonregulatory standpoint that can be deployed to mitigate the cybersecurity risks.
- Digitize and automate supply chain functions: Digitize supply chain functions to bolster access control and traceability (e.g., the use of collaboration and supply chain solutions for high-security and high-compliance environments). Moreover, defense contractors should increasingly automate repetitive analysis workflows using commoditized tools for assessing the cybersecurity profile of subcontractors before accepting them as suppliers. Work to eliminate the reliance on self-reported survey results.
- Integrate blockchain technology to strengthen security: Blockchains could help boost cybersecurity as the technology can prevent fraudulent activities through consensus mechanisms and detect data tampering based on its underlying characteristics of immutability, transparency, auditability, data encryption, and operational resilience.
- Artificial intelligence (AI) and machine learning (ML): As adversaries are using new channels and vectors through modern infrastructure attack surfaces, active defense technologies and advanced analytics that incorporate AI and ML can enable organizations to gain broader, real-time visibility into their changing threat landscape and more efficiently detect anomalous activity. With the help of AI and ML, threat detection and incident response time can be significantly reduced. Software that uses AI and ML can provide security threat alerts on a real-time basis. That software, coupled with advanced security automation techniques, can increase the ability to defend against cybersecurity attacks in near real time.

Raytheon, a US-based defense contractor, has invested more than $3.5 billion in cybersecurity initiatives over the last decade. The company expects to further increase investments in cybersecurity-related R&D and acquisitions, as combating cyber threats is becoming a priority for Raytheon and its customers, which includes the US Department of Defense. Since 2007, Raytheon has made 17 cyber-related acquisitions, and it continues to scout for more, according to the chief technology officer of the company's cybersecurity and special missions division.

Source: Raytheon, 2016 10-K report; Raytheon, "Building a cyber powerhouse," August 18, 2015, https://www.raytheon.com/news/feature/cyber powerhouse, last updated February 5, 2018.

Lockheed Martin, one of the primary weapons suppliers of the world, partnered with Guardtime Federal to integrate blockchain technology into their existing data systems. Their goal is focused on taking steps to prevent the manipulation of their advanced weapons technology and related information.

Source: Lockheed Martin, "Lockheed Martin partners with Guardtime Federal for innovative cyber technology," Press release, July 9, nnovative-Cyber-Technology.

Paving the way for cyber resiliency

The initial rollout of DFARS 252.204-7012 and the associated flow-down requirements lacked clarity about how much responsibility prime contractors needed to take in assessing the compliance of their suppliers' cybersecurity controls. However, recent steps taken by the DoD and DCMA to amend the CPSR process clearly show that the DoD expects prime contractors to be proactively and regularly assessing and documenting the adoption of cybersecurity controls by their suppliers.

A foundational step for prime contractors to achieve these objectives is through a supply chain governance program that not only identifies previously unknown and high-risk suppliers but assesses the suppliers' cyber hygiene and continuously monitors their progress toward cyber resiliency and risk mitigation. Success can be influenced by taking a framework approach to identify, prioritize, and address risk and compliance within a prime contractor's ecosystem. Prime contractors' migration toward a robust cyber governance program is critical to help enhance cyber resiliency across the DIB.

Definitions

Ballistic Missile Defense System (BMDS): An integrated, "layered" architecture that provides multiple opportunities to destroy missiles and their warheads before they can reach their targets.[12]

Contractor Purchasing System Review (CPSR): Analyzes how contractors spend government funds, as well as their compliance with government policy when subcontracting.[13]

Covered Contractor Information System (CCIS): An information system that is owned or operated by a contractor that processes, stores, or transmits federal contract information.[14]

Covered Defense Information (CDI): Unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry t.html), which requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and government-wide policies.[15]

Controlled Unclassified Information (CUI): Information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.[16]

Defense Contract Management Agency (DCMA): An agency of the United States federal government reporting to the Under Secretary of Defense for Acquisition and Sustainment (USD). It is responsible for administering contracts for the Department of Defense (DoD) and other authorized federal agencies.[17]

Defense Federal Acquisition Regulation Supplement (DFARS): DFARS to the Federal Acquisition Regulation (FAR) is administered by the Department of Defense (DoD). The DFARS implements and supplements the FAR. The DFARS contains requirements of law, DoD-wide policies, delegations of FAR authorities, deviations from FAR requirements, and policies/procedures that have a significant effect on the public. The DFARS should be read in conjunction with the primary set of rules in the FAR.[18]

DFARS 204.7300: This subpart applies to contracts and subcontracts requiring contractors and subcontractors to safeguard covered defense information that resides in or transits through covered contractor information systems by applying specified network security requirements. It also requires reporting of cyber incidents. This subpart does not abrogate any other requirements regarding contractor physical, personnel, information, technical, or general administrative security operations governing the protection of unclassified information, nor does it affect requirements of the National Industrial Security Program.[19]

DFARS 252.204-7012: Safeguarding of Unclassified Controlled Technical Information (CTI) clause requires a contractor to report to the DoD the possible exfiltration, manipulation, or other loss or compromise of unclassified CTI; or other activities that allow unauthorized access to a contractor's unclassified information system on which unclassified CTI is resident or transiting. CTI is technical information with military or space application that is subject to controls on its access, use, reproduction, modification, performance, display, release, disclosure, or dissemination.[20]

Defense Industrial Base (DIB): The DoD, US government, and private-sector worldwide industrial complex with capabilities to perform research and development, design, produce, deliver, and maintain military weapon systems, subsystems, components, or parts to meet military requirements. The DIB includes hundreds of thousands of domestic and foreign entities and their subcontractors performing work for DoD and other federal agencies. Defense-related products and services provided by the DIB equip, inform, mobilize, deploy
