On the 18th of May 2021 the Senate Armed Services Subcommittee on cyber held a hearing, under the 2021 NDAA, on the ‘Cybersecurity of the Defence Industry Base (DIB)’. The targeting of the DIB by other Nation States, ‘effectively subsidising their own defence development’, is a complex issue which has yet to be addressed. Should the DoD be holding prime contractors accountable for cyber security during the execution of defence contracts? In March 2021 a review of CMMC was requested and is underway: the review work is complete, with recommendations being finalised, and it is expected to significantly modify the Interim CMMC ruling.
A robust presentation was given by Mr. Salazar and Rear Admiral William Chase, highlighting the issues the DIB faces in embedding cybersecurity, the challenges in protecting DoD data from threat actors, and the development of appropriate solutions to support the DIB in embedding cybersecurity into core operational and business practices. Is the DoD holding prime contractors responsible and accountable for overseeing their subcontractors and ensuring that they protect DoD data, effectively providing oversight and assurance over the security of DoD data across their supply chains? The committee requested feedback on whether any contractors have been held accountable for the oversight and assurance of their subcontractors and the loss of DoD data.
It was confirmed that under Section 1736 of the 2021 NDAA, the DoD is working to assess the feasibility of implementing sensors inside and outside the DIB to assess internal and external intrusion. It was also confirmed that there are mandatory cyber reporting requirements for contractors and subcontractors to report cyber incidents to the DoD. The siloed approach across Federal Agencies needs to be addressed with better coordination between the DHS, DoD, DoJ and FBI in response to cyber threats, removing barriers to information sharing. The right balance also needs to be struck between private and public responsibilities for cyber protection. Small DIB contractors are often the target of cyber attacks and have to ensure that they protect DoD information, which is costly.
The subcommittee raised some challenging questions. The hearing is worth watching to understand the developments in cyber security oversight and assurance, the problem that cybersecurity presents to the US Federal Government, and what will be next for CMMC.