While SoundWay entered the CMMC ecosystem back in late 2020, our new Vice President of Cybersecurity – Carter Schoenberg has been engaging in these areas for over 5 years. There is an increasing level of pushback from industry about requirements defined under CMMC. The following was originally written in 2016 and is just as relevant today.
CLEAR AND NOT SO PRESENT DANGER
- The volume and value of each cyber breach is increasing.
- Most business owners still could care less.
“Don’t care? Isn’t that a bit harsh of a comment to make?” Okay, let’s look at some data points. There is an increase in the number of articles being published highlighting that cyber risk is now at the forefront of boardroom meetings. There is also information to support that more organizations are acquiring cyber breach insurance policies. Does this not indicate a genuine interest that cyber threats are a clear danger to the enterprise?
I liken this to the notion of somebody (back in the day) saying they would own a Porsche and were very embolden by the brand and when they bought the model 914, came to learn it had a very small VW engine in it. So let’s examine “the engine” of how an enterprise believes they address cyber threats that present a risk.
The majority of you that read this article either have sold a cyber solution or have been present at a meeting where a security vendor asks some very basic questions only to have the enterprise C-Suite advise, “I understand what you are saying but we are pretty solid on our end”. When pressed as to how they came to that conclusion, they respond, “My IT person” told me”.
Regardless, what are the qualifications of the IT person who made this braggadocios claim? In reality, there are many superb IT professionals out there who also understand basic cybersecurity concepts and in fewer cases, are successful at wearing both hats. Given that I have a home in the National Capital Region, I will focus on some data points that apply to the DC region.
- How many Government Contractors are out there? Roughly 300,000
- How many of these are small businesses? Roughly 150,000
- How many small businesses sell technology, technology as a service, or services for technology (ISSO/ SOC support, etc.)? Roughly 100,000
- How many of these roughly 100,000 businesses have industry-accepted levels of cyber hygiene? (Defer back to comment on what the IT guy said)
In December of last year, the Department of Defense made some very distinct cyber hygiene provisions of what is now required upon contract award. Earlier this year, the Federal Register via the National Archives and Records Administration (NARA) amended similar changes that apply to all General Services Administration (GSA) contract vehicles as well as impacting the National Aeronautical and Space Agency (NASA). The proposed new norm is something called “Controlled but Unclassified Information” or (CUI). How in the heck can something be required as protected if not classified?
This is an issue brewing since President Obama’s Presidential Executive Order 13636. Without boring you about the chronology of events since 2013, we now have a laundry list of what is defined as CUI. This should not be confuse with “Protected Defense Information”, which is defined by the Department of Defense as materials the contractor has on their system that is labeled as protected and deemed the property of the military.
I postulated back in early 2015 that these future state requirements would be mandated around October 2016. Little did I know that there would be a “proactive” push by the U.S. Government in the face of the OPM breach to fast-track these requirements? These requirements are described under the National Institute of Standards and Technology Special Publication 800-171 “Protecting Controlled Unclassified Information in Non-Federal Systems”. I know, right? The USG proactive, go figure.
The Federal Register states that 60 days from the date published, their requirements shall be mandatory. So we are now in November of 2016. How many businesses actually even know about this? Very few.
This article is titled “Clear and Not so Present Danger”. What is not so present about it?
If you have a very important set of requirements that nobody is aware of, does that sound present? No. If the Government does not specifically call these new requirements out in solicitations, does that sound present? No.
Some notable points about these requirements:
- 109 controls derived from NIST SP800-53
- You must self-identify or have an IV&V (Misrepresenting may qualify as a False Claims Action) Regarding Self Identifying – see the IT guy claims 🙂
- If you support DoD, you must also demonstrate Plans of Actions and Milestone’s on how you will address controls that are not implemented at the time of assessment
- If you support DoD, a remote pentest is also in play as a requirement (not the widget you sell them…on your actual company’s network)
- These 109 controls do absolutely nothing to address State data breach reporting requirements
- These controls provide no enhanced legal defenses to a civil claim unlike the Safety Act
- Businesses that are aware of CUI freak out that the costs are too prohibitive failing to understand they can push these costs back to the Government
What else is not so present in the risk factoring?
- 47 States have unique data breach reporting requirements (Great example is a Maryland company that supports the Navy in San Diego. If they have a breach and they notify DoD but fail to notify the State of California regarding California contractors impacted…. WATCH OUT)
- Most companies fail to identify or acknowledge the breadth of Personally Identifiable Information they maintain
- Most companies fail to acknowledge the extent of Personal Health Information (PHI) they maintain
To conclude, I do believe most companies acknowledge the threats associated with cyber but ultimately we have to ask ourselves the following:
- If more money is spent on cyber solutions today than ever before and our risk postures are not improving proportional to the spend, do you fault the vendors or the organization’s ability to really understand the risks these threats impose?
- If you rely on the “IT person told me so” approach, how many companies that make headlines (TARGET, TalkTalk, Yahoo, OPM, and on and on) didn’t make the exact same claims because of how they defined the threat as merely a technical issue an not an operational issue?
- If the Securities and Exchange Commission (SEC) and Federal Trade Commission (FTC) expand their authorities to govern a business’ cyber hygiene, do you fault Big Brother? Or, do you fault those that have turned a blind eye for decades where either the taxpayer, insured party, or even bank customers take it on the chin with increased costs to subsidize the volume and value of cyber claims resulting in fraud, system disruption, or breach of privacy?