Meeting the Defense Department’s Cybersecurity Maturity Model Certification (CMMC) with real performance data.
Just outside the door of the the Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics, when Frank Kendall and Ash Carter ran the organization in 2008, Kendall put up a sign that said:
“In God we trust. All others must bring data.”
When I first saw that Edwards Deming quote I had just entered the Pentagon as a fresh-faced 32 year old with a religious studies degree and a masters in international relations and little exposure to the role that data plays in managing security risks and investments. When I left the building six years later, after years of decision meetings and revising policy papers for the Secretary of Defense and the White House, the aphorism stuck: When you’re dealing with a sprawling military and a complex world, you need real, verifiable data for decisions, whether they are about striking an adversary, investing in a major force or weapons program, or hiring a new senior leader to command an organization. In every case, you need data to make hard choices. The absence of it makes effective management impossible and increases risk.
The statement is true for life and death decisions but also for “steady state” decisions about procurement, contracting, and defense readiness, the business of Ash Carter and Frank Kendall’s old shop. The business of the outgoing chief DoD buyer, Ellen Lord, who recently announced the new Cybersecurity Maturity Model Certification for the Defense Department’s vast universe of contractors.
When he was Secretary of Defense, Ash Carter used to say that “the Defense Department doesn’t build anything on its own”, and he is right: contractors supply everything from weapons platforms to information technology to personnel to support the U.S. Defense Department’s missions. This new regulation mandates that DoD contractors remain in strict compliance to protect unclassified information within the DoD supply chain. Contractors who fail to meet the Department’s standards may find themselves denied DoD business.
No one really likes more “regulation.” Regulation is, ultimately, a bureaucratic change that can make the business of government and the ease of doing business more complicated. Even if folks don’t like regulation, they like hostile nation-states poking around national security-related networks and stealing defense data even less. A well-known example: the Chinese government stole Joint Strike Fighter’s data from a major defense contractor in 2009 to build their own version. Another: the Iranian government’s assertive and worrying interest in U.S. military unclassified networks, including their successful breaches of Navy networks in 2014. The list, however, is unfortunately endless.
For years the Defense Department has been trying to elevate the cybersecurity of its contractors to prevent data intrusions. When we wrote the DoD Cyber Strategy in 2015, the lion’s share of our time was spent trying to set objectives for securing DoD’s own data and missions. Sadly, too many contractors consistently failed to meet cybersecurity standards, driving defense regulators towards an increasingly intrusive, data-demanding posture. Michael Gilmore, a prior head of DoD’s office of operational test and evaluation, asserted in 2014 that DoD’s weapons programs were woefully behind in their cybersecurity effectiveness, leaving the Combatant Commands and Military services unprepared to fight in a contested cyber environment. The trend continues today. The Government Accountability Officer reported this summer that despite major initiatives across the Department, too many major defense programs have often failed to meet their cybersecurity standards. This reflects a historic problem: Red teams too often have a field day marching through DoD cyberdefenses. The time for change is nigh.
While the CMMC requires defense contractors to change quickly, it is a good news story for national security.
So how are contractors to ensure that they are in compliance? As Deming said, the first required ingredient is data.
Delivering Security Performance Data to Ensure Compliance
If you are a chief information security officer working for a defense contractor, you want to be able to prove that your cybersecurity program works as it should. To do so you need real, granular performance data to show security auditors that you are operating at the level of effectiveness required. That is ultimately what the CMMC story is about. And that’s what AttackIQ is about too.
We at AttackIQ have been in the business of creating cybersecurity performance data for six years. The Security Optimization Platform operates at scale in production environments, and across your security program to test, measure, and validate your cyberdefense program effectiveness continuously and in an automated fashion. Through automated testing, the Security Optimization Platform discovers gaps in the security stack (in people, process, and technology) that the team may otherwise miss. It discovers misconfigurations. It reveals operator errors. It helps you make the most of your scarce resources by driving up effectiveness across the entire security program, sharpening your defenses and capabilities in a way that manual testing struggles to do at scale. This is immensely helpful in any management environment—but especially when you have a baseline certification to try to meet, and you need real data to prove your cybersecurity maturity to DoD auditors.
With the Security Optimization Platform, you can execute the security control validation cycle, test your security, and make adjustments and investments until you meet the Defense Department’s certification.
For those that require the certification (ask your lawyers whether, how, and to what degree), how exactly will AttackIQ’s Security Optimization Platform help you meet DoD’s requirements?
Using the AttackIQ Security Optimization Platform to Validate CMMC Effectiveness
The AttackIQ Security Optimization Platform enables organizations to emulate the largest set of adversary behaviors that are aligned to the ATT&CK framework. AttackIQ assessments require minimal oversight by security staff, and they can run in the background as your organization goes about its business. This means they become regular and routine, rather than infrequent one-off events precipitated by an audit or an emerging threat.
AttackIQ’s automated security control validation has always supported an organization’s internal assessment of its people, processes, and technologies in detecting and thwarting identified adversary behaviors from an organization’s own cyberthreat intelligence, ATT&CK, and outside threat streams. Now we have introduced new Assessments into the Security Optimization Platform to validate CMMC security controls. These Assessments take adversary behaviors from the AttackIQ Library to guide your testing and produce evidence, so that you can easily understand how well your defenses perform to the CMMC standard. Your team can then use that data to show DoD’s auditors how well you are performing.
How does this work exactly? The Security Optimization Platform produces data that reads “[CMMC control] mitigates [ATT&CK technique].” In other words, the platform provides specific evidence about how an organization’s defenses comply with a specified CMMC control against a specific ATT&CK technique.
Here is an image of an Assessment Template showing MITRE ATT&CK Tactics and associated Scenarios in the Security Optimization Platform that are ready to run on your security technologies as aligned to CMMC capabilities, listed on the left.
The below image shows the threat behaviors in MITRE ATT&CK Navigator deployed against a specific CMMC security control.
In addition to these images, AttackIQ Security Optimization platform also provides output in an easy-to-understand visual presentation, which can be delivered as a report for reference and briefings. The platform also offers API access to its results to support a host of other integration and automation solutions across an organization’s security program.
Through this testing method, the AttackIQ Security Optimization Platform makes CMMC compliance feasible for agencies and organizations of all sizes.
These new capabilities in the AttackIQ Security Optimization Platform create significant new insight and opportunity for the platform’s users, essentially allowing it to serve as a CMMC Validation Platform. Through the relationship established between these frameworks, AttackIQ can now directly illustrate gaps and identify risks that arise through non-compliance.
The benefit is that defense contractors that design their security infrastructure around CMMC can quickly and easily prove that their security environment is in compliance with the control objectives of the certification.
As in so much of national security policy planning, data is at the center of the process. With real data about how security organizations perform, leaders can make better risk management decisions to ensure both security effectiveness and stronger compliance.