GRC Viewpoint

The Fourth Domain of Cyber – Acquisition

For years, cybersecurity and Government executives have focused on a variety of tried and true approaches to mitigating exposure to cyber risk. Unfortunately, what may have worked in past decades to reduce this exposure no longer adds the same degree of value in today’s environment. Perhaps this is why more money is spent today than ever before on cybersecurity defensive technologies, yet our risk posture is not improving proportionately to these spending trends.

Most of us in the cybersecurity industry reading this are probably very familiar with the concept of how “People”, “Process” and “Technology” need to be carefully evaluated to mitigate exposure to cyber threats that may cause harm to business owners. While the concept was originally designed in the 1960s, it regained popularity in the 1990s with the .com boom. However, the days of the 90s are long behind us now, and the interdependency between those that provide technology goods and services and those that buy them is very stark. This is why “People”, “Process”, “Technology”, and now “Acquisition” are much more relevant when evaluating how to reduce exposure to harm stemming from the supply chain. Examples of why acquisition needed to be embedded in the selection process date back as far as 2013 with TARGET and are as recent as the 2019 SolarWinds attack, when malicious code wreaked havoc and cost billions. In many cases, cost was the determining factor during the acquisition process rather than the provenance and security of the solution.

This is especially concerning for Federal and Defense procurement activities. So much so that starting back in 2019, the U.S. Government began a path towards implementing a new program designed exclusively to improve the acquisition activities of the Defense Department, known as the Cybersecurity Maturity Model Certification (CMMC). CMMC would obligate every company that is a Defense Contractor to be independently certified before being allowed to engage in new contracts. The newest iteration, known as CMMC 2.0, no longer requires all of them to be independently certified but still impacts over 80,000 companies.

Over the past three years, more and more critical material has been developed as a result of the DoD and the CMMC Accreditation Body working closely to develop training and guidance to onboard contractors and prepare them. A target date of Spring 2023 is slated for CMMC to be fully codified for incorporation into solicitations and their supporting contracts. However, in this same period of time, very little has been done to address how solicitations and contracts are crafted to dramatically reduce exposure to harm stemming from the supply chain. DoD recognizes that many of these companies need to work together on many of these contracts. In some cases, we have hundreds of companies working together and sharing data to complete the projects on time and within budget. Allowing contractors to share information without a secure framework in place will continuously keep our doors open to illicit actors. Examples beyond SolarWinds include China’s poaching of the United States 5th generation fighter programs and tactical weapons systems for the Navy so they could develop their 6th generation technology to outperform the United States’ capabilities.

Oddly enough, the need to improve training of Government personnel was identified in a white paper co-written by the General Services Administration (GSA) and the Department of Defense (DoD) for the White House dating back to 2013 (see Section II on page 14).

The larger the enterprise, the more challenging it becomes to change operational and cultural paradigms. The Government is justified in reevaluating how it actually constructs acquisition/procurement narratives that lead to legally binding agreements. Current approaches have leaned heavily on cutting and pasting cybersecurity language from older agreements that sometimes does not align with the goals and objectives of the current opportunity or, even worse, contains contradictory statements that are known as “self-deleting clauses”. Having spoken with legal experts that specialize in this area, self-deleting clauses are not upheld when challenged in a court of law. This creates confusion on the part of Industry that desires to sell to the Government and potentially expands the opportunity for challenges in the form of a bid protest. This ultimately results in a variety of outcomes that lead to greater costs to the U.S. taxpayer.

While this may appear to be a challenging set of circumstances, it does not have to be. An opportunity to improve and reduce these risks exists if the will of the Government and the will of the people that directly influence these programs (Congress) come together with the Departments and Agencies to improve our national cyber posture. We have plenty of tools, techniques, and processes that, when tweaked, take these challenges head on in a way that is actionable, repeatable, and whereby success can be measured.

About the Author:

Carter Schoenberg is the Vice President of Cybersecurity at SoundWay Consulting, Inc., a CMMC Third Party Assessor Organization (C3PAO). He has over 28 years of combined experience in criminal investigations, cyber threat intelligence, cybersecurity, cyber risk management, and cyber law. His past work includes comprehensive assessments of U.S. Government Contractors to align with what are now formal requirements set forth by the Defense Department, including NIST SP 800-171 and now the Cybersecurity Maturity Model Certification (CMMC).