Professional development

Securing the Defense Industrial Base against supply chain attacks is critical

July 17, 2021 by Tony Buenger

The Department of Defense (DoD) invests almost $2 trillion each year in new systems, including aircraft, ships, land vehicles and space systems — along with the IT systems to enable these capabilities. This investment is through a combination of research, prototyping and other procurement paths within the Defense Industrial Base (DIB). 

These investments create and produce new and improved technologies and intellectual property (IP) entrusted with over 300,000 DoD contractors across the DIB. 

DoD contractors targeted by adversaries

Adversaries continue to target the confidentiality, integrity and availability of sensitive government data throughout the entire defense supply chain, causing significant damage to the DoD’s offensive and defensive capabilities. The adversaries are active, and they are succeeding.

Here are some high-profile examples from the past few years:

  • In March 2021, the U.S. issued an emergency warning after Microsoft caught China hacking into its email and calendar server program (Microsoft Exchange). Microsoft Vice President Tom Burt stated that hackers have spied on a wide range of U.S. targets, including disease researchers, law firms and defense contractors.
  • Between September and December 2019, cyberespionage actors compromised the emails and LinkedIn accounts of DoD contractors.
  • In January and February 2018, China hacked a Navy contractor and secured a trove of highly sensitive data on submarine warfare.

The theft of intellectual property and sensitive information from all industrial sectors due to malicious cyber activity threatens economic security and national security.

Enter Cybersecurity Maturity Model Certification

As a result, every DoD prime and subcontractor will require a cybersecurity certification from an independent, certified Cybersecurity Maturity Model Certification (CMMC) assessor. Requiring certification benefits the security of contractors and the DIB, along with aiding the DoD to avoid future losses due to cyber breaches.

The CMMC Model is designed to combat the threat against a target-rich environment within the defense supply chain. 

Before CMMC was developed, DoD contractors were required to self-attest that they were compliant with government regulatory standards. However, self-attestation proved to be ineffective.

As a result, the DoD developed the CMMC Model to verify that proper cybersecurity practices and processes are in place to adequately protect sensitive government data, specifically Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within DIB networks. 

Most importantly, CMMC certification, based on a third-party assessment of the contractor’s cybersecurity hygiene and maturity, allows for an independent, impartial review before the contract award. CMMC Third-Party Assessor Organizations (C3PAOs) are credentialed to conduct CMMC assessments of current and potential DoD contractors to evaluate their readiness to protect sensitive data within the defense supply chain.

What is the CMMC Model?

The CMMC Model combines various cybersecurity standards and best practices mapped to maturity levels ranging from basic to advanced cyber hygiene.

The CMMC Model has four major components: domains, capabilities, practices and processes.

  • Domains are sets of capabilities based on cybersecurity best practices. There are 17 domains within the CMMC Model, and each domain is assessed for practice conformity and process maturity across 5 Maturity Levels.
  • Capabilities are achievements to ensure cybersecurity within each domain. There are 43 capabilities, which are met through the employment of practices and processes.
  • Practices are activities that an organization does. In some respects, these can be thought of as security controls used to manage operational resilience.
  • Processes are activities that make the practices “stick.” The intent is to ensure that practices are repeatable and lasting, even when an organization is under stress. They also demonstrate the maturity of the contractor’s cybersecurity program.

What does it mean for the contractor?

The success of a compliance model, such as the CMMC Model, depends on the defense contractor’s understanding and ability to protect sensitive government data while stored, processed or transmitted within a controlled environment. 

The bottom line is that the organization must understand the data that must be protected. The contractor must be able to control the flow of that data. Allowing adversaries to continue to target this data hinders the nation’s ability to maintain its strategic advantage.

Learn more about CMMC

To help cybersecurity practitioners within the DIB improve their understanding and skills to protect the nation’s supply chain, I have, in collaboration with Infosec, created the DoD CMMC Overview Learning Path.

This learning path teaches you the foundational components of the CMMC Model to prepare you to assist your organization for a formal CMMC assessment for certification — or to prepare you to become a Certified CMMC Professional or Certified CMMC Assessor. 

You will build the necessary skills to assist your organization in preparing for a CMMC assessment, including understanding the federal government regulations and guidelines, the CMMC ecosystem, and the CMMC  model and assessment methodology. You’ll also learn how to develop the assessment scope, gain familiarity with deliverables and understand what to expect from a CMMC assessment.

The learning path is available in Infosec Skills for anyone interested in understanding the fundamental concepts that make up the CMMC Model and how they apply to you, whether as a DoD contractor or on the assessment side of the fence.

Explore Infosec Skills


US issues warning after Microsoft says China hacked its mail server program, NBC News
Operation In(ter)ception: Aerospace and military companies in the crosshairs of cyberspies, WeLiveSecurity
China hacked a Navy contractor and secured a trove of highly sensitive data on submarine warfare, Washington Post

Posted: July 17, 2021
Articles Author
Tony Buenger
View Profile

Tony Buenger retired from the USAF as a Lieutenant Colonel in 2007. After retiring from the USAF, Tony became a full-time information security professional fulfilling various roles as an information system security officer, security manager, National Institute of Standards and Technology (NIST) certifying authority, NIST security controls assessor, chief information security officer (CISO) and cybersecurity consultant. He has approximately 15 years of hands-on experience with NIST in many of these roles, including working as a key member of a team at the Pentagon to convert the USAF from a static compliance-based framework to the risk-based NIST Risk Management Framework. Tony is currently with Redspin, the first Authorized CMMC Third Party Assessing Organization, as a CMMC Provisional Assessor.

Leave a Reply

Your email address will not be published. Required fields are marked *