Cybersecurity Threats to DoD Contractors: A CMMC Perspective
The defense supply chain is serviced by contractors of varying sizes, with small and medium-sized businesses (SMBs) comprising more than 75% of the Defense Industrial Base (DIB).
However, SMBs also have limited financial and technical resources compared to their prime contractor counterparts. A recent study shows that 87% of defense contractors do not currently meet cybersecurity requirements. This has led to subcontractors becoming more attractive targets for threat actors.
CMMC 2.0 aims to close the compliance gap and enhance our nation’s overall cybersecurity posture by standardizing adherence to NIST 800-171 controls across the DIB. These controls address many of the common threats contractors face on a regular basis.
Common Threats to DoD Contractors
No matter where your organization falls within the Defense supply chain, your organization is at risk of a cybersecurity attack. Threat actors use a variety of methods to access sensitive information. Below we identify and discuss some common threats DoD contractors face.
Phishing and Social Engineering
Phishing and social engineering attacks share a common denominator: human error.
Phishing can be described as deceptive communication which leads the user to believe they’re providing information to a trusted source. Examples could include receiving a text from someone claiming to be a C-suite executive from your organization or a potential client/consultant.
Social engineering relies more on human temptation. A common example is a hacker leaving a USB drive in a public location in the hope that an individual will insert the drive into their work or personal laptop. Once the drive is inserted, the attacker can access the individual’s files and sensitive information.
Cloud Server Attacks
As more contractors switch to cloud servers, threat actors are also evolving to gear their attacks toward cloud environments. These attacks can take many forms, but let’s focus on cloud vulnerabilities and account hijacking.
Cloud vulnerability attacks occur when threat actors identify and exploit weaknesses in your cloud configuration to access data or sensitive information. These weaknesses can be linked to misconfiguration, weak access controls, or unpatched systems.
Account hijacking is when a threat actor gains unauthorized access to cloud servers through stolen credentials. Account hijacking can occur through phishing or social engineering campaigns, brute force attacks (automated tools to guess usernames and passwords), or through password reset mechanisms.
Zero-Day Exploits
While the cloud vulnerabilities discussed above can be scanned for, threat actors can also identify vulnerabilities that are not yet known to service providers or users. Attacks that use them are called zero-day exploits. With no patch available to correct the problem, zero-day exploits pose an immediate threat to those affected.
Malware
Malware is a broad term for software that aims to harm computer systems and servers. Malware also includes ransomware and malicious apps.
Ransomware is software that locks or denies access to critical files and information until a ransom is paid to the hackers.
Malicious apps are a more recent form of malware. They are designed to look like helpful, trustworthy apps and can be uploaded to a public application store. However, once downloaded and installed, they allow threat actors to compromise your account, system, and servers.
Man-in-the-Middle (MitM) Attacks
Man-in-the-Middle attacks can be defined as a threat actor positioning themselves between two communicating parties. If a threat actor can exploit a vulnerability that lets them view, listen to, or intercept messages between the parties, they have the ability to steal or alter the data being exchanged. These attacks are carried out by compromising network connections or by impersonation.
How Does CMMC Address These Threats?
As cyber threats evolve, the DoD recognizes the need to standardize cybersecurity requirements across the defense supply chain. CMMC 2.0 is the mechanism for verifying a contractor’s NIST 800-171a rev2 compliance posture before awarding them a DoD contract. Some of the relevant NIST 800-171 controls are described below.
Multi-Factor Authentication (3.5.3)
MFA adds extra security by requiring users to provide multiple forms of identification, which makes it harder for unauthorized individuals to access systems and data. NIST 800-171 recognizes three factors for MFA: something you know (password or PIN), something you have (hardware token, smart card, or mobile device), and something you are (fingerprint, facial recognition, or voice recognition).
Perimeter Firewalls (3.1.3, 3.1.18, 3.4.2, 3.4.6, 3.13.1, 3.13.5, 3.14.2)
While NIST 800-171 doesn't explicitly mention perimeter firewalls, the standard's requirements for access control, network security, and incident response imply they are a critical component of a robust security posture for organizations handling Controlled Unclassified Information (CUI).
Strong Password Controls (3.5.7 - 3.5.10)
NIST 800-171 requires strong, complex passwords that are regularly changed and not reused. Organizations must have a password management process and provide user education on password security.
Role-Based Access Controls (3.1.1, 3.1.6, 3.2.2)
NIST 800-171 encourages contractors to implement the principle of least privilege, meaning that employees are given access only to the information necessary to carry out their job functions. This principle limits the risk of threat actors, both internal and external, accessing sensitive information, because it reduces both the access available and the number of potential targets.
Vulnerability Scans (3.11.2 & 3.11.3)
Not only does NIST 800-171 mandate comprehensive vulnerability scans, it also mandates timely remediation of any vulnerabilities discovered. 3.11.2 requires vulnerability assessments of any potentially at-risk system, including printers, scanners, and copiers.
Malicious Code Protection (3.14.4 & 3.14.5)
To protect against malicious code and malware, NIST 800-171 requires companies to implement malicious code protection mechanisms (signature-based anti-virus, reputation-based technologies, etc.) as well as periodic and real-time scans of systems and files.
How Do I Report a Cybersecurity Incident to the DoD?
If a cyber incident occurs, the first thing to do is to make your Facility Security Officer aware of the incident. From there, a report must be made to the DoD-Defense Industrial Base (DIB) Collaborative Information Sharing Environment (DCISE).
What Are the Latest Updates to DoD Cybersecurity Requirements?
CMMC 2.0 currently requires adherence to NIST 800-171a rev2. However, a new revision of NIST 800-171 (rev3) has been published and will be required in the future. In addition to updating terminology and clarifying existing controls, rev3 also:
- Reduces the number of controls from 110 to 97
- Places an increased focus on supply chain security
- Is revised to align more closely with other NIST regulations
There is no firm timetable on when CMMC 2.0 will require adherence to rev3, but we can expect this to happen at some point in the not-too-distant future.
How CMMC Builds on NIST 800-171
CMMC does not “build” on NIST 800-171 in the sense of adding cybersecurity controls. Rather, CMMC 2.0 is designed to simplify the maturity levels of cybersecurity requirements and to verify a contractor’s compliance posture before a DoD contract is awarded.
ISI Helps DoD Contractors Meet the Newest Cybersecurity Requirements
Because cyberthreats are ever evolving, the world of compliance is always shifting to enhance our nation’s security posture. Working with an expert partner like ISI can help reduce the administrative and financial burden of compliance.