An F-35A Lightning II fighter flies past the Wasatch Mountains by Hill Air Force Base on Dec 7, 2016. The F-35A is a single-seat, single-engine, fifth-generation, multirole fighter that’s able to perform ground attack, reconnaissance and air defense missions with stealth capability. (U.S. Air Force photo by Staff Sgt. Andrew Lee)

Information from the F-35 program was stolen when a subcontractor’s system was hacked in 2007.

ALBUQUERQUE: The Pentagon’s program of standards for every company in the supply chain exists because it is not enough to trust that companies will follow the right security protocols. That sort of approach let the Chinese steal huge amounts of data from the F-35 program to help them build their most advanced fighter, the J-31. When it comes to handling information about weapon designs, the Pentagon must verify cybersecurity best practices, Stacy Bostjanick, director of CMMC, told an AFCEA Nova event.

“A lot of the time people didn’t understand what the requirements were. They just said ‘yeah I comply,’ so I can get business,” Bostjanick said Wednesday. “Hence the reason we have that J-31 over in China that looks very much like our F-35.”

The verification requirements integral to the Cybersecurity Maturity Model Certification (CMMC) program are needed because, even with prior voluntary guidance, the Pentagon was losing too much vital information through the mishandling of data by contractors. The stakes are as high as the integrity of the military’s most important weapons.

China’s J-31 stealth fighter is built in part on plans taken from the US as part of a long-running espionage program. The breach occurred in 2007, and came through a subcontractor to Lockheed Martin, the principal maker of the F-35.

While it’s impossible to say if the CMMC would have prevented such a breach by a determined nation-state actor, the CMMC mandates rules and protocols that restrict the flow of classified information only to companies that have demonstrated they can keep it secure. The persistence of nation-state efforts to conduct industrial espionage and steal intellectual property means there is value in making every entry point harder to breach.

The CMMC features tiers of security, and if program managers and prime contractors are mindful of those tiers, suggests Bostjanick, they can ensure smaller subcontractors are not given controlled unclassified information that they cannot protect.

“What we find is they pack the whole data package up and shoot it down the line, and say they’ll figure what data they need out of this,” said Bostjanick. “Well, now you’ve put somebody who doesn’t need controlled unclassified information in receipt of controlled unclassified information. If you were mindful about what you were passing down the line, and disaggregated it from the whole, that’s a contract they only need to be CMMC 1.”

Companies working exclusively in supplying commercial off-the-shelf technologies (COTS) to the military — as long as they never expect to receive controlled information — may not even need to be verified at CMMC 1, though it is recommended.

CMMC 1 is “what you’ve got to have to make sure your neighbor is not in your Netflix,” quipped Bostjanick. “It’s very easy, and commensurate with basic cyber hygiene. I recommend that everyone get there, but as a COTS provider, you don’t have to.”

For every other company expecting to contract with the military, building cybersecurity to a verifiable standard is no longer optional. It will ensure that any attempts at industrial espionage through computer systems are that much harder. It’s part of a holistic, almost public-health inspired approach to reducing harm through better practices across the board.

“If you look at the pandemic, and all the things we had to go through where we were getting bad protective gear, the providers were not up to snuff,” said Bostjanick, drawing an explicit parallel to the shoddy PPE — much of it from China — rushed into service early in the pandemic.

Getting security right means adhering to consistent standards, even on the small stuff, so that it works right when it matters. Bostjanick continued: “We have to make sure we have the means to protect ourselves and get the goods that we have to have for our nation.”