August 1, 2022

Last Updated on January 19, 2024

A major driver behind many recent changes to US government cyber policy has been the Cyberspace Solarium Commission (CSC) report from March 2020, which makes over 80 recommendations on “defending the United States in cyberspace against cyber attacks of significant consequences.”

Some of the more interesting/controversial CSC recommendations relate to threat intelligence sharing programs both within the “dot-gov” and across critical infrastructure verticals. Will these initiatives expand beyond the current 72-hour cyber incident reporting requirements? Will orgs outside the DIB be implicated?

To discuss all aspects of the CSC report and the changes it supports, a recent episode of The Virtual CISO podcast features Mark Montgomery, former CSC Executive Director and currently Senior Fellow at the Foundation for Defense of Democracies. John Verry, Pivot Point Security CISO and Managing Partner, hosts the show.

Belated DoD comments

Mark laments that the current 72-hour breach notification requirement is too lax. Obviously the sooner other orgs know you’ve been attacked, the better for everyone.

“I don’t think it’ll go outside the DIB,” states Mark. “We’re asking DoD to comment on this, but they would refuse to comment on anything outside the DIB. So, I think they’d keep it inside the DIB. I know that’s not a perfect answer and we’re still waiting on responses from DoD… The DoD is late on every report I’ve asked for, and I’ve probably asked for 50 to 100, as a Senate staffer.”

Incentivizing flowdown

A critical question for many DIB orgs and other federal contractors is how the DoD will incentivize prime contractors to “disclose their subcontractors” to DoD.

“I’ll go out on a limb and say, ‘It’s a stick incentive, not a carrot incentive,’” Mark jokes.

In other words, it’s likely to be “nonoptional.” Ultimately, it’s about thoroughly understanding and securing the defense supply chain.

What’s next?

When you’re ready to listen to the complete podcast episode with Mark Montgomery, click here.

Are you subject to flowdown cybersecurity requirements from a prime contractor? This blog post explains the situation: CMMC 2.0 and NIST 800-171—Pressure from Primes Could Accelerate Compliance Timeframes