Chief Information Security Officer for Acquisitions Katie Arrington discusses the Cybersecurity Maturity Model Certification with the Norwegian National Defense and Security Industries Association, the Pentagon, Washington, D.C., Jan. 13, 2021. (DoD photo by Air Force Staff Sgt. Brittany A. Chase)


ALBUQUERQUE: The massive SolarWinds hack was exposed just as the Pentagon was, ironically, rolling out a new approach to cybersecurity. The Cybersecurity Maturity Model Certification is designed to ensure companies in the Pentagon’s supply chain are as secure as they claim to be.

The process is designed to protect against negligence, not to punish companies for an inability to see the future, Katie Arrington, CISO for the undersecretary of Defense for acquisition and sustainment, says.

“SolarWinds wasn’t normal. No one is going to take that against you and take your certification away against a nation-state actor penetrating in a way that has never been done before — absolutely not,” said Arrington. “You’re too critical to us.”

Arrington’s remarks came at an AFCEA Lunch and Learn focused on the state of the CMMC and how companies can comply with it. The CMMC is meant to ensure that companies are as cybersecure as they promise when bidding on contracts: it rewards companies that meet expectations and penalizes those that fail to perform as promised. Because the certification lets companies include security as part of the cost of a bid, companies that skimp on protection can’t win out as the lowest bidders.

The SolarWinds hack, which exposed enormous amounts of data on networks from potentially thousands of companies, as well as all five branches of the military, was announced December 13th, less than two weeks after the first CMMC rules went into effect.

Believed to be executed by Russia, the sophisticated hack was at a scale and competency that far exceeds most security threats, especially those that companies can be expected to plan against on their own.

An attack at a scale and competency beyond what the Pentagon itself anticipated and defended against is treated as a catastrophic outlier. There will be no punishment for companies that, like the military, failed to anticipate SolarWinds and plan accordingly. But once patches are developed to close the known vulnerabilities exposed by SolarWinds, the CMMC security standards allow the Pentagon to contract only with companies that have applied those patches.

“A determined adversary with the right capabilities is going to find their way in, especially if they put all their resources to bear on it,” Karlton Johnson, the chair of the CMMC Accreditation Body board of directors, says. “So it really comes down to, have you done everything you possibly can, have you been truthful about it.”

CMMC is about building a knowable, provable baseline of security for companies that want to compete for Defense Department contracts. These steps can mitigate many lower-effort attacks, and also make it easier to trace how successful attacks bypassed existing security. It is not, by design, meant to guard against unprecedented attacks.

“If you get hit by something like SolarWinds, which everybody is going through right now, you’re not going to lose it over that. That’s something that the TTP was new. Nobody had planned for that,” said Arrington. “But if you come in, and there’s a cyber incident at your company and it happened because you weren’t deploying your multi-factor authentication, then you do run a risk.”

The various levels of CMMC security, as well as the self-test process before audits, are designed to let companies build security that meets Pentagon needs, and does so honestly. It may mean companies redirect their efforts at contracts that only require level 1 certification, and it may mean that once a company has built itself to meet level 3, it can treat that as an asset and bid for future contracts on that level.

“One of the reasons we are doing CMMC is, people were not being truthful about it,” said Johnson. “If we go in and find out that you were not doing something, that’s negligence and we have to go that route.”

Fundamentally, it replaces a system built on trust with one built on verification.

“If you had a serious incident, that the government in the cyber forensics found out that you knowingly, willingly negligent in maintaining a control that you had been audited on, you’re gonna have problems,” said Arrington.