tekzar

Dec. 26, 2023  The Department of Defense publishes for a 60-day comment period a proposed rule for the Cybersecurity Maturity Model Certification (CMMC) program at https://www.regulations.gov/docket/DOD-2023-OS-0063. CMMC is designed to ensure that defense contractors and subcontractors are compliant with existing information protection requirements for federal contract information (FCI) and controlled unclassified information (CUI) and are protecting that sensitive unclassified information at a level commensurate with the risk from cybersecurity threats, including advanced persistent threats. The proposed rule published today revises certain aspects of the program to address public concerns in response to DoD’s initial vision for the CMMC 1.0 program, as originally published on Sep. 29, 2020. With its streamlined requirements, the CMMC program now provides for: • Simplified compliance by allowing self-assessment for some requirements • Priorities for protecting DoD information • Reinforced cooperation between the DoD and industry in addressing evolving cyber threats As discussed in the proposed rule, CMMC requires cybersecurity assessment at only three levels, starting with basic safeguarding of FCI at CMMC Level 1. General protection of CUI will require assessment at CMMC Level 2, and a higher level of protection against risk from advanced persistent threats will require assessment at CMMC Level 3. This rule also adds flexibility by allowing for limited use of Plans of Action and Milestones and a government waiver request process. DoD estimates overall program costs will be reduced by allowing for self-assessments for Level 1 and some Level 2 assessments and minimizing cost to industry for Level 3 assessments by having Government assessors from Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) conduct these assessments. Additionally, CMMC aligns directly with the cybersecurity requirements described in National Institute of Standards and Technology (NIST) Special Publications 800-171 and 800-172. Concurrent for comment with the CMMC proposed rule, DoD is also requesting comment on eight CMMC guidance documents, which can be accessed at https://www.regulations.gov/docket/DOD-2023-OS-0096, and several new information collections, which are available at https://www.regulations.gov/docket/DOD-2023-OS-0097. More information on the overall CMMC program can be found at https://dodcio.defense.gov/CMMC/. A follow-on Defense Federal Acquisition Regulation Supplement (DFARS) rule for CMMC will be provided for public comment in 2024. The existing 48 Code of Federal Regulations (CFR) Rule will be modified to align with the 32 CFR rule for CMMC. More information on the timing of the proposed DFARS rule can be found at https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202310&RIN=0750-AK81. CMMC 1.0 was published as an interim DFARS rule (2019-D041): Assessing Contractor Implementation of Cybersecurity Requirements, which can be found at https://www.federalregister.gov/documents/2020/09/29/2020-21123/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of. The DoD CMMC program is now fully defined by the current rulemaking in the 32 CFR regulatory process.  

NIST 800-171 Rev 3 Rev 2 is the current version we have all been using for a number of years. The draft of Rev 3 came out in May. The updated draft is due (and highly likely to show up) in late October. Expect to see the final version published late this year or early next. This is a major rewrite with significant new requirements. So as enforcement is rolling out on Rev 2, the goal line is moving with Rev 3. The goal line is moving in a different axis with the changes in Scope coming out in the new rule too. So not only more requirements, but more requirements applying to more stuff. Couple that “more requirements on more stuff” with the potential for 100% enforcement of all requirements or no contracts with the DoD. Fun times in cybersecurity compliance for the DIB. External Service Providers Part of this is the expansion of 171/CMMC requirements (in their entirety including certification!) to everything that provides security for CUI. Previously FedRAMP, per 7012, applied only to processing, handling, or storing CUI. Under the new regulation (and the new CMMC 2.1 documentation) now all security information must be likewise protected. I.e., it must be in a FedRAMP cloud or a FedRAMP certified tool or if not in the cloud, then it must be CMMC certified to the same level the Organization Seeking Certification is. This includes all Managed Service Providers or Managed Security Service Providers. Outsource your IT? Now they will have to be CMMC certified too. Now for those of us geeking out on this stuff (as I do) this is not a terrible surprise. The DoD has been indicating they were heading in this direction for some time. This language is already in the draft CMMC Assessment Process that was published last year. Many complained about it and the DoD and the Cyber AB were showered in feedback. Clearly, they have not changed their mind. So, if you outsource your IT, and need to be certified, your IT service provider will have to be certified also.

DOD, OMB expect September release of proposed CMMC rule. The Defense Department and Office of Management and Budget are planning to release the proposed Cybersecurity Maturity Model Certification (CMMC) rule in September. This rule aims to move the defense industry away from self-attestations for compliance with National Institute of Standards and Technology (NIST) guidelines and will require third-party assessors to audit contractors for compliance. The release of the proposed rule was delayed and is now expected in September. Once released, there will be a public comment period, and the Defense Department will collect and respond to comments, potentially leading to a final rule sometime in 2024. The CMMC rule has been eagerly anticipated by the industry, and some companies have already started preparing for it, while others have taken a more cautious approach. In the meantime, third-party assessors certified by Cyber AB have been conducting joint assessments with the Defense Industry Base Cybersecurity Assessment Center to validate compliance with NIST 800-171, which is expected to translate to CMMC Level 2 once the rule is finalized.      

March 2023 DoD is on pace to release a new DFARS Interim Rule that will codify CMMC into law via the DFARS 7021 clause. Once released, the Rule will allow for CMMC requirements to appear in contracts. May 2023 DoD expects to start to include CMMC certification requirements in new DoD contracts. CMMC requirements will apply to prime contractors and all subcontractors throughout their supply chain. Once implemented, CMMC will further increase enforcement of NIST SP 800-171 with two key requirements, including: At CMMC Level 2, self-attestation of compliance with NIST SP 800-171 will no longer be relied upon. Instead, once every three years contractors will need to undergo outside, independent assessments conducted only by accredited C3PAOs (Certified Third Party Assessment Organizations). Organizations that fail to meet CMMC requirements will be ineligible for future DoD contracts with CMMC clauses. SPRS scores from ongoing annual self-assessments of NIST SP 800-171 compliance will need to be signed off by a company or university executive who will be held accountable for the validity of the score. What does this mean for defense contractors? First and most important, it is a mistake to conflate NIST SP 800-171 requirements and the CMMC program. Contractors that do so often veer toward inaction. But as the timeline above makes clear, if you currently do work for the DoD that involves handling CUI, then you have a contractual obligation to implement NIST SP 800-171’s 110 security controls today. DoD’s message is loud and clear. The most prudent move defense contractors can make to safeguard the long-term viability of their business is to start now to raise their organization’s cybersecurity levels and comply with NIST SP 800-171. To do so, first you’ll need to get your SSP (System Security Plan), POA&M (Plan of Actions & Milestones), and other required documentation in order. The SSP and POA&M are the key documents your organization needs to support its required NIST SP 800-171 self-assessment. Next, conduct an unbiased NIST SP 800-171 self-assessment and submit your score to the DoD’s SPRS, or update that score as needed. Accurately represent your NIST SP 800-171 compliance level (aka your SPRS score). Be prepared for primes to ask for your SPRS score and know that DIBCAC is conducting random audits of SPRS scores. Know, too, that these efforts are about much more than compliance with DoD regulations. Robert Metzger, co-author of MITRE’s Deliver Uncompromised seminal report and co-chair of the cybersecurity practice at the law firm Rogers Joseph O’Donnell said it well: “The smart move is to protect yourself. Now. Not because you have to comply but because you want your enterprise to stay in business. Don’t let yourself think that it [cybersecurity] matters the day you happen to get an RFI [Request for Information] or RFP [Request for Proposals] that requires an assessment. Be secure beforehand for the sake of your employees, your lenders, your clients, your customers, your investors. And then also your regulator.”

The Cybersecurity Maturity Model Certification (CMMC) is a cornerstone of Department of Defense (DOD) supply-chain security efforts, but it is still a work in progress. The goal of protecting controlled unclassified information (CUI) that resides in the data networks of the Defense Industrial Base (DIB) is indisputable. One challenge is how to assess and certify implementation of required security practices at scale, while another is avoiding bureaucratic roadblocks and pricing hurdles that could limit small and medium-sized businesses from successfully conforming to the CMMC standard. After a pause and a reboot last fall, the CMMC office moved to the DOD CIO’s organization, the number of CMMC levels and practices were reduced, and the opportunity to do self-attestation at Level 1 was introduced. A proposed revised CMMC rule was submitted to the Office of Management and Budget in late summer of this year, and an interim rule is expected by March 2023, followed by a 60 day public comment period. Language requiring CMMC certification could be in contracts starting in May 2023. In the meantime, there are opportunities for all parties to get ahead of the game and engage in CMMC by completing self-assessments.  We have the tools and an affordable means to conduct, track and manager your self-assessment for all 110 controls. Email us at gordon.bruce@gjbandassociates.com for more information on our offerings.

Pre-Draft Call for Comments: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations Date Published: July 19, 2022 Comments Due: September 16, 2022 Email Comments to: 800-171comments@list.nist.gov Announcement NIST plans to update the Controlled Unclassified Information (CUI) series of publications, starting with Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. To support this planned update, NIST is issuing this Pre-Draft Call for Comments to solicit feedback from interested parties to improve the publication and its supporting publications, SP 800-171A, SP 800-172, and SP 800-172A. SP 800-171 was published in June 2015 with minor updates in December 2016 and February 2020. Since the initial publication date, there have been significant changes in the cybersecurity threats, vulnerabilities, capabilities, technologies, and resources that impact the protection of CUI. In addition, there are the experiences of the organizations that have implemented SP 800-171 and its supporting publications. With these changes and opportunities to learn from implementers, NIST seeks feedback about the use, effectiveness, adequacy, and ongoing improvement of the CUI series. The following is a non-exhaustive list of topics that may be addressed in the call for comments. Comments may also include other topics related to the improvement of the CUI series. NIST will consider all relevant topics in the development of the revised SP 800-171 and its supporting publications. Use of the CUI Series How organizations are currently using the CUI series (SP 800-171, SP 800-171A, SP 800-172, and SP 800-172A) How organizations are currently using the CUI series with other frameworks and standards (e.g., NIST Risk Management Framework, NIST Cybersecurity Framework, GSA Federal Risk and Authorization Management Program [FedRAMP], DOD Cybersecurity Maturity Model Certification [CMMC], etc.) How to improve the alignment between the CUI series and other frameworks Benefits of using the CUI series Challenges in using the CUI series Updates for consistency with SP 800-53 Revision 5 and SP 800-53B Impact on the usability and existing organizational implementation (i.e., backward compatibility) of the CUI series if it were updated for consistency with SP 800-53 Revision 5 and the moderate security control baseline in SP 800-53B Updates to improve usability and implementation Features of the CUI series should be changed, added, or removed. Changes, additions, and removals can cover a broad range of topics, from consistency with other frameworks and standards to rescoping criteria for inclusion of requirements. For example: Addition of new resources to support implementation: The benefits and challenges of including an SP 800-53 Control Overlay[1] and/or a Cybersecurity Framework Profile Appendix as an alternative way to express the CUI security requirements. Change to the security requirement tailoring criteria: Impact of modifying the criteria used to tailor [2]the moderate SP 800-53B security control baseline (e.g., the potential inclusion of controls that are currently categorized as NFO – Expected to be routinely satisfied by nonfederal organizations without specification) Any additional ways in which NIST could improve the CUI series The comment period is open through September 16, 2022. Please submit comments to 800-171comments@list.nist.gov. Comments received in response to this request will be posted on the Protecting CUI project site after the due date. Submitters’ names and affiliations (when provided) will be included, while contact information will be removed.

Department of Justice Office of Public Affairs FOR IMMEDIATE RELEASE Friday, July 8, 2022 Aerojet Rocketdyne Agrees to Pay $9 Million to Resolve False Claims Act Allegations of Cybersecurity Violations in Federal Government Contracts Aerojet Rocketdyne Inc., headquartered in El Segundo, California, has agreed to pay $9 million to resolve allegations that it violated the False Claims Act by misrepresenting its compliance with cybersecurity requirements in certain federal government contracts, the Justice Department announced today. Aerojet provides propulsion and power systems for launch vehicles, missiles and satellites and other space vehicles to the Department of Defense, NASA and other federal agencies. The settlement resolves a lawsuit filed and litigated by former Aerojet employee Brian Markus against Aerojet under the qui tam or whistleblower provisions of the False Claims Act, which permit a private party (known as a relator) to file a lawsuit on behalf of the United States and receive a portion of any recovery. Mr. Markus and Aerojet reached a settlement of the case on the second day of trial. Mr. Markus will receive $2.61 million as his share of the False Claims Act recovery. “Whistleblowers with inside information and technical expertise can provide crucial assistance in identifying knowing cybersecurity failures and misconduct,” said Principal Deputy Assistant Attorney General Brian M. Boynton, head of the Justice Department’s Civil Division. “The qui tam action brought by Mr. Markus is an example of how whistleblowers can contribute to civil enforcement of cybersecurity requirements through the False Claims Act,” said U.S. Attorney Phillip A. Talbert for the Eastern District of California. On Oct. 6, 2021, the Deputy Attorney General announced the Department’s Civil Cyber-Fraud Initiative, which aims to hold accountable entities or individuals that put U.S information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches. Information on how to report cyber fraud can be found here. The qui tam case is captioned United States ex rel. Brian Markus v. Aerojet Rocketdyne Holdings Inc., et al., Case No. 2:15-cv-02245-WBS-AC (E.D.Cal.). The claims resolved by the settlement are allegations only and there has been no determination of liability. Topic(s):  False Claims Act Component(s):  Civil Division USAO – California, Eastern Press Release Number:  22-726 Updated July 8, 2022

In a memorandum dated June 16, 2022 the U.S. Department of Defense highlighted the ongoing risks for contractors that have not yet fully implemented National Institute of Standards and Technology Special Publication 800-171.[1] The memorandum reminds contracting officers of the numerous remedies available to the government if contractors do not comply with the Defense Federal Acquisition Regulation Supplement cybersecurity requirements. The DOD is unambiguously signaling that contractors cannot be complacent and wait until the Cybersecurity Maturity Model Certification, or CMMC, program is rolled out in 2023, but must act now to meet existing contract requirements to safeguard controlled unclassified information, or CUI, or face significant consequences. Contractors also must comply with assessment requirements to be eligible for awards of contracts involving CUI. A recent bid protest decision demonstrates that if agencies award to a contractor without a compliant assessment reported in a supplier performance risk system, that is grounds for protest. The DOD is under pressure to address cybersecurity threats and will not accept the status quo from contractors while the CMMC program comes together. Contractors required to comply with NIST SP 800-171 because of a contract involving CUI and containing 252.204-7012 should take heed and ensure they have compliant system security plans and POAMs in place and can show progress toward implementing controls that are unimplemented or partially implemented to avoid the risk of contract remedies for noncompliance. Failure to comply with 800-171 and accurately report implementation status or to monitor and report cybersecurity incidents and breaches may also constitute a civil False Claims Act violation.[8] Contractors should confirm that summary scores and other details of their DOD NIST SP 800-171 assessments are posted in the supplier performance risk system to ensure that the lack of such scores does not present an obstacle to award of any contract. Cybersecurity requirements for government contractors are continually evolving, but contractors need to take steps now to ensure they are meeting their contractual obligations.

DoD Defense Industrial Base Cybersecurity Update With over 80% of DoD contractors not yet registered with SPRS it is essential that you understand the severity of not meeting these requirements. According to the existing schedule we are less than a year away from CMMC requirements. We have partnered with PreVeil and ComplyUp to assist you in quickly implementing, monitoring and demonstrating your commitment to CMMC. Please contact us at gordon.bruce@gjbandassociates.com for more information on how to jumpstart your compliance journey.    

PRC state-sponsored cyber actors readily exploit vulnerabilities to compromise unpatched network devices. Network devices, such as Small Office/Home Office (SOHO) routers and Network Attached Storage (NAS) devices, serve as additional access points to route command and control (C2) traffic and act as midpoints to conduct network intrusions on other entities. Over the last few years, a series of high-severity vulnerabilities for network devices provided cyber actors with the ability to regularly exploit and gain access to vulnerable infrastructure devices. In addition, these devices are often overlooked by cyber defenders, who struggle to maintain and keep pace with routine software patching of Internet-facing services and endpoint devices. Since 2020, PRC state-sponsored cyber actors have conducted widespread campaigns to rapidly exploit publicly identified security vulnerabilities, also known as common vulnerabilities and exposures (CVEs). This technique has allowed the actors to gain access into victim accounts using publicly available exploit code against virtual private network (VPN) services [T1133]  or public facing applications [T1190]—without using their own distinctive or identifying malware—so long as the actors acted before victim organizations updated their systems. PRC state-sponsored cyber actors typically conduct their intrusions by accessing compromised servers called hop points from numerous China-based Internet Protocol (IP) addresses resolving to different Chinese Internet service providers (ISPs). The cyber actors typically obtain the use of servers by leasing remote access directly or indirectly from hosting providers. They use these servers to register and access operational email accounts, host C2 domains, and interact with victim networks. Cyber actors use these hop points as an obfuscation technique when interacting with victim networks. These cyber actors are also consistently evolving and adapting tactics to bypass defenses. NSA, CISA, and the FBI have observed state-sponsored cyber actors monitoring network defenders’ accounts and actions, and then modifying their ongoing campaign as needed to remain undetected. Cyber actors have modified their infrastructure and toolsets immediately following the release of information related to their ongoing campaigns. PRC state-sponsored cyber actors often mix their customized toolset with publicly available tools, especially by leveraging tools that are native to the network environment, to obscure their activity by blending into the noise or normal activity of a network. NSA, CISA, and the FBI consider the common vulnerabilities and exposures (CVEs) listed in Table 1 to be the network device CVEs most frequently exploited by PRC state-sponsored cyber actors since 2020. Table 1: Top network device CVEs exploited by PRC state-sponsored cyber actors Vendor                                       CVE                                  Vulnerability Type Cisco CVE-2018-0171 Remote Code Execution CVE-2019-15271 RCE CVE-2019-1652 RCE Citrix CVE-2019-19781 RCE DrayTek CVE-2020-8515 RCE D-Link CVE-2019-16920 RCE Fortinet CVE-2018-13382 Authentication Bypass MikroTik CVE-2018-14847 Authentication Bypass Netgear CVE-2017-6862 RCE Pulse CVE-2019-11510 Authentication Bypass CVE-2021-22893 RCE QNAP CVE-2019-7192 Privilege Elevation CVE-2019-7193 Remote Inject CVE-2019-7194 XML Routing Detour Attack CVE-2019-7195 XML Routing Detour Attack Zyxel CVE-2020-29583 Authentication Bypass