The U.S. Army and Navy are exploring arrangements to extend secure environments to their smaller defense industrial base partners who can’t afford to earn a cybersecurity accreditation with the Pentagon but provide innovative services the branches still want to leverage.
Top cybersecurity officials with the military components speaking on a panel Thursday at the Google Defense Forum, presented by DefenseScoop, said they are working on initiatives to provide those small contractors with secured virtual desktops that would ensure any transaction of sensitive Department of Defense data meets the DOD’s security requirements.
These initiatives come as the Pentagon’s Cybersecurity Maturity Model Certification nears becoming an official rule. The certification program is currently a proposed rule and the department is accepting comments on it until Feb. 26.
Under CMMC, most defense industrial base companies that handle controlled unclassified information under contract with the DOD would need to meet security requirements laid out in National Institute of Standards and Technology Special Publication 800-171 and attest — either through a self-assessment or a third-party assessment, depending on the sensitivity of information shared — to meeting those requirements.
Many small businesses are worried that the assessment process is too burdensome and could keep them from doing business with the DOD.
But the military services don’t want to miss out on the innovation generated by those smaller contractors. That’s why they’re engineering solutions that could keep that partnership alive if a company itself can’t afford to enhance its cybersecurity in the near term.
“We’re exploring virtual desktops … how we may have been able to extend virtual desktops out to our partners, how our department primes and large companies can extend virtual desktops out to medium- and small-sized businesses, affording them additional protections for their data,” Tony Plater, chief information security officer of the Department of the Navy, said on the panel.
While many of the primes the Navy works with already have the measures required by CMMC in place with robust security operations centers, Plater said the Navy has “learned that the medium- and small-sized companies struggle to meet those requirements.” So the Navy is continuing to look strategically at ways to uplift those partners.
“We have to keep in mind how they can meet those requirements,” he said.
The Army similarly is working on an initiative partnering with Google and others to “extend a secure work environment to small businesses,” said Matthew Picerno, chief cyber acquisition officer for the Army. The service is currently “thinking through the challenges of that, legalities, if we build it will they come?” Picerno said.
Both Plater and Picerno also emphasized that, outside of the technical requirements that will be enforced by CMMC, it’s important to treat those small companies as an extension of the services by supporting the development of the personnel across those organizations and ensuring that threat intelligence is shared openly.
“It’s not just about IT. I think about anything that we talked about today, a lot of it’s going to be about the people,” Picerno said. “So the training, understanding what the data is, what we’re trying to present, understanding, you know, what the crown jewels are, and ensuring that we take a holistic organizational phased approach, not just thinking that, you know, some basic IT is going to solve everything.”
For the Navy, as it looks to automate its own assessments of threats and adversaries, Plater said the service is looking for ways to push that intelligence to its defense industrial base partners.
“We need to know what our security posture looks like to the adversary,” he said. “So as we continue to learn and have to have agility and protection internally, we recognize … the importance of the information and technological advantage and innovation that our partners are holding is extremely important. So in order to be a win-win, you got to work together to share that information.”