America's Plan to Protect its Defense Industry from Cyber Threats

America’s defense industrial base has always been a target for nation-states. As great power competition heats up, America is preparing to defend against an increase in state-sponsored cyberattacks targeting its defense industry.

Massive defense contractors like Lockheed, Boeing, and Raytheon have strong cyber defenses. Attackers are aware of this and choose to attack the supply chain instead. Roughly 24% or $72 billion worth of DoD contracts go to small defense contractors. Many of them have limited cyber defenses. Most of them have access to “controlled unclassified information” and “federal contract information”, both lucrative targets for America’s adversaries.

The DoD tried to improve the cybersecurity posture of it’s defense industrial base by mandating the implementation of the NIST SP 800-171 set of security controls. The implementation of these cybersecurity controls by contractors was not audited. Many companies failed to implement them and the requirements did not cover the entire industrial base. Things are changing with the DoD’s new approach.

The U.S. Department of Defense released the new cybersecurity maturity model certification (CMMC) program to help protect the defense industrial base from cyber threats. The CMMC program comes with a new cybersecurity framework that is built on older frameworks such as NIST SP 800-171 and 800-171B as well as several international frameworks. This new certification has five levels with one being the lowest, mandating basic cyber hygiene, and five being the highest requiring advanced cyber capabilities.

Implementing cybersecurity controls at the 300,000 companies making up the defense industrial base and having them undergo a third-party audit is no easy task. In coordination with the newly created CMMC Accreditation Board, an army of roughly ten thousand assessors will be trained and certified to accredit defense contractors. The DoD would like to have all 300,000 companies making up the defense industrial base CMMC certified within the next five years. The DoD also says that it will make the cost of the CMMC certification an “allowable cost” to alleviate this new financial burden.

I am optimistic that it will. Most companies will have level one CMMC requirements. Level one requirements are not terribly difficult to implement. Level two requirements are more difficult but shouldn’t be very costly. Due to COVID-19, we have seen a delay in CMMC and there will likely be bumps on the road to a more secure defense industrial base. The DoD is adamant about getting this done and contractors will need to comply if they wish to continue working with the DoD. In the future, America's defense industrial base will be more secure resulting in a reduction of stolen R&D and other sensitive information.