As companies in the defense industrial base (DIB) start preparing to meet CMMC compliance that will be specified in future contracts, companies are discovering numerous undetected hardware devices along with prohibited software being used on their networks.
Mock Assessments Reveal Insecurities
The security firm Forescout Technologies worked with about three dozen medium and large defense companies last summer performing mock contract assessments in preparation for them to meet the future CMMC requirements. The issues they found were not only numerous (and astounding), but ones that if not fixed would jeopardize a company from attaining CMMC compliance and ultimately prevent them from securing future government contracts.
Overall, what the inspections pointed out is that companies did not know what they didn’t know. For example, during one assessment the inspectors found two smart speaker devices located in sensitive areas. These could be compromised by a foreign adversary and sensitive information leaked. In that same company, five unknown wireless devices and wireless access points were found, along with high-risk (and unauthorized) software platforms being used on their computer networks.
In another inspection, inspectors discovered two networks that the company believed were air-gapped or closed to the outside, only to find that they were open and could be accessed remotely. This violation could be accidental or simply due to poor network design.
Out with Russia and China
As far as high-risk software, Forescout inspectors found 27 instances of Kaspersky software or Kaspersky-sourced files on the contractors’ network. Because Kaspersky is a Russian-based software company, it is banned for use by U.S. Government agencies including both civilian and defense contractors doing business with the government. Yet it was still being used at the time of the inspection.
It is interesting to note that Kaspersky software is still widely available and in use. In a different industry sector it may be perfectly acceptable to use … but not in the defense sector. Chinese-made software or hardware can likewise be problematic for companies serving the defense sector and should not be used.
The Department of Homeland Security’s Continuous Diagnostics and Mitigation program is a large effort meant to give civilian companies cyber risk visibility and help them take measures to reduce their cyber risk. Forescout’s work for the DHS program found that, on average, companies had 75% more assets than they had reported to the Department; in many cases, assets they did not know they had.
Improvements Still Needed
In the end, what this sampling of inspections pointed out is two-fold. One, defense companies must use improved tools to better monitor their networks and detect unknown assets. Two, once assets are discovered, they need to do a better job of classifying them. Companies must start doing these two things (along with several others) if they are to attain CMMC compliance at their required level and continue doing business with the government. Because it takes time and money to accomplish these things, now is the time to get started.
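The two steps above (discover unknown assets, then classify what was found) can be reduced to a reconciliation pass over a discovery sweep against the authorized inventory. The script below is an added example, not Forescout's tooling or any CMMC-prescribed procedure; the inventory, the discovered-device records, the `HIGH_RISK_KINDS` set and the triage labels are all constructed here for illustration. The only prohibited-software name it matches on is Kaspersky, which the article itself names; everything else is an assumption.

```python
"""Reconcile a network discovery sweep against the authorized asset inventory.

Added example with constructed sample data. It reports (1) assets not in the
inventory, (2) device types that should never sit on a CUI-handling network,
(3) prohibited software seen on any host, (4) how far the discovered count
exceeds what was reported, and (5) a triage label per device.
"""
from dataclasses import dataclass, field


@dataclass
class DiscoveredAsset:
    """One record as a discovery scan might emit it (constructed shape)."""
    mac: str
    ip: str
    hostname: str
    kind: str                      # e.g. "workstation", "ap", "smart_speaker"
    software: list = field(default_factory=list)


# Constructed authorized inventory: MAC -> what the company reported.
AUTHORIZED = {
    "00:11:22:33:44:01": {"hostname": "eng-ws-01", "classification": "CUI-handling"},
    "00:11:22:33:44:02": {"hostname": "fileserver", "classification": "CUI-handling"},
    "00:11:22:33:44:03": {"hostname": "lobby-printer", "classification": "general"},
}

# Software families banned for DIB use (the article names Kaspersky).
# Matched case-insensitively as a substring of the reported product name.
PROHIBITED_SOFTWARE = ("kaspersky",)

# Assumed policy: device kinds that do not belong on a CUI network at all,
# whether or not someone put them in the inventory.
HIGH_RISK_KINDS = {"smart_speaker", "ap"}

# Constructed sweep results: three known hosts plus three the inventory lacks.
DISCOVERED = [
    DiscoveredAsset("00:11:22:33:44:01", "10.1.0.11", "eng-ws-01", "workstation",
                    ["Office", "Kaspersky Endpoint Security"]),
    DiscoveredAsset("00:11:22:33:44:02", "10.1.0.12", "fileserver", "server"),
    DiscoveredAsset("00:11:22:33:44:03", "10.1.0.13", "lobby-printer", "printer"),
    DiscoveredAsset("aa:bb:cc:dd:ee:01", "10.1.0.50", "echo-conference", "smart_speaker"),
    DiscoveredAsset("aa:bb:cc:dd:ee:02", "10.1.0.51", "", "ap"),
    DiscoveredAsset("aa:bb:cc:dd:ee:03", "10.1.0.52", "", "unknown"),
]


def is_prohibited(product_name: str) -> bool:
    """True if the product name belongs to a banned software family."""
    name = product_name.lower()
    return any(p in name for p in PROHIBITED_SOFTWARE)


def triage(asset: DiscoveredAsset, authorized: dict) -> str:
    """Classify a device for follow-up (labels are this example's own)."""
    if asset.mac in authorized:
        return "authorized"
    if asset.kind in HIGH_RISK_KINDS:
        return "quarantine"        # isolate first, identify the owner second
    return "investigate"           # identify, then inventory or remove


def reconcile(discovered: list, authorized: dict = AUTHORIZED) -> dict:
    """Compare a sweep against the inventory and return a findings report."""
    unknown, high_risk, prohibited, labels = [], [], [], {}
    for a in discovered:
        if a.mac not in authorized:
            unknown.append(a.mac)
        if a.kind in HIGH_RISK_KINDS:
            high_risk.append((a.mac, a.kind))
        for sw in a.software:
            if is_prohibited(sw):
                prohibited.append((a.mac, sw))
        labels[a.mac] = triage(a, authorized)
    # Percentage by which the discovered asset count exceeds the reported count
    # (the article cites a 75% average); None when nothing was reported.
    excess_pct = None
    if authorized:
        excess_pct = round(100 * (len(discovered) - len(authorized)) / len(authorized))
    return {
        "unknown": sorted(unknown),
        "high_risk": sorted(high_risk),
        "prohibited": sorted(prohibited),
        "excess_pct": excess_pct,
        "triage": labels,
    }


if __name__ == "__main__":
    for key, value in reconcile(DISCOVERED).items():
        print(f"{key}: {value}")
```

The report is what a follow-up owner needs: the unknown list is the discovery gap, the triage labels are the classification step, and the prohibited list names the specific host and product so removal can be verified on re-scan. Note that the Kaspersky hit lands on an inventoried, authorized workstation; a device being in the inventory says nothing about what is installed on it, which is why the software check runs over every host and not only the unknown ones.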
Due to the high-risk discrepancies found by Forescout in this inspection sampling, it is easy to see why CMMC is needed, not only to protect our nation’s intellectual assets but also to remain competitive in the global defense marketplace.