Last Updated on April 19, 2021
It’s ironic that the timing of the SolarWinds breach, which compromised all five branches of the US military along with potentially thousands of other organizations, hit the headlines just two weeks after the initial rollout of the US Department of Defense (DoD)’s Cybersecurity Maturity Model Certification (CMMC).
Will this gargantuan supply chain hack alter CMMC’s trajectory? Or perhaps accelerate its implementation within the defense industrial base (DIB)?
This issue surfaced on a recent episode of The Encrypted Economy Podcast. Hosted by cyber/legal expert Eric Hess, the show features industry thought leader John Verry, Pivot Point Security founder, CISO and Managing Partner.
“I think every major breach that creates that level of awareness is going to accelerate people’s concerns with regard to the security of their information when they share it with a third party,” John observes. “I think it’s going to put an increased level of emphasis on validating supply chain security.”
“If I was going in to audit an organization [against CMMC], I think based on the fact that SolarWinds is so prevalent on peoples’ minds, and the requirement [for third-party risk management] is there, I’d probably dig a little deeper into their third-party risk management processes and confirm that they’ve truly done their due diligence with their vendors,” relates John.
Is the DoD likely to go headhunting among the many defense suppliers hit by the SolarWinds breach?
Not according to Katie Arrington, CISO for the Undersecretary of Defense for Acquisition and Sustainment and the point person for CMMC.
“SolarWinds wasn’t normal. No one is going to take that against you and take your certification away against a nation-state actor penetrating in a way that has never been done before—absolutely not,” said Ms. Arrington. “You’re too critical to us.”
The scale and sophistication of the SolarWinds attack could penetrate nearly any security defenses.
“A determined adversary with the right capabilities is going to find their way in, especially if they put all their resources to bear on it,” echoed Karlton Johnson, chair of the CMMC Accreditation Body board of directors.
More security is still better
Would wider adherence to CMMC—or NIST 800-171, for that matter—have shielded the DIB from the SolarWinds hack, or reduced its impact?
Most likely not. It’s axiomatic that compliance does not equate to security. Furthermore, in this case compliance with CMMC’s requirement to install vendors’ patches and updates might only have exposed more organizations to the backdoor attack.
But more security is still better. For example, just two days after the SolarWinds announcement, the Government Accountability Office (GAO) released its report on the supply chain risk management (SCRM) practices of 23 unnamed federal agencies. Not one of them had fully implemented the GAO’s seven key practices for effective SCRM, and 60% had failed to implement even one.
No wonder the report stressed the unacceptable level of risk that federal agencies face through vulnerable vendors. And no surprise that’s the case, given longstanding reports of a similar nature from researchers like the Ponemon Institute and Verizon.
“So, yes, I think if you’re a TPRM [tool vendor or service provider], CMMC is going to have a positive impact on your business,” John offers.
To hear this episode of The Encrypted Economy podcast with special guest John Verry and host Eric Hess, click here.