In March, the Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA) published update 1.01 to its Cross-Sector Cybersecurity Performance Goals (CPGs). These cybersecurity performance goals are tailored to help small- and medium-sized businesses serving the industry across every public and private sector identify and prioritize their most impactful cybersecurity practices.
In releasing the update, CISA Director Jen Easterly stated, “Ultimately, our hope is that the CPGs will not only serve as a strong foundation for improving cybersecurity across our nation’s critical infrastructure sectors, but also as a baseline of security outcomes that merit the trust of the American people.”
It’s important to note that the CPGs are offered as voluntary measures that will help secure critical infrastructure sectors, such as healthcare, energy, finance and water, and protect our nation’s economy by better informing small and medium business cybersecurity investment strategies. The CPGs are distilled for consumption by smaller and/or less IT-savvy business entities that struggle to digest the broader cybersecurity frameworks, maturity models and more mature cybersecurity guidance put forth by organizations such as the National Institute of Standards and Technology (NIST), the Center for Internet Security (CIS) or even governance associations such as the 55-year-old Information Systems Audit and Control Association (ISACA).
The problem with building trust in voluntary measures was recently evidenced by the rollout of the U.S. Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) program. Initially, the DoD added clauses to its industry contracts requiring its vendors to voluntarily comply with a set of cybersecurity standards (NIST 800-171) designed to protect against the loss or compromise of Controlled Unclassified Information (CUI) shared within the DoD contracting community.
Voluntary compliance is otherwise known as self-attestation. With self-attestation, vendors are assumed to be in compliance, and liable for it, when they accept their government contracts. Subsequent audits of the self-attestation practice revealed not only a lack of cybersecurity compliance on the part of the vendors, but a lack of basic understanding of the cybersecurity requirements, of how to demonstrate compliance with them, and of how to manage the requirements’ assessment objective evidence or change management for those evidentiary elements.
These audit findings were egregious enough in some instances that False Claims Act lawsuits were brought against the offending vendors by the Department of Justice on behalf of the DoD. The DoD found the self-attestation program untrustworthy and is now preparing to audit its supply chain vendors for compliance with CMMC. The certified audit will be good for three years, during which the certified vendor will be eligible to perform services, provide equipment and/or build components for the DoD.
Like the DoD’s supply chain cybersecurity requirements, it’s reasonable to envision the necessity and development of a trusted cybersecurity supply chain across our nation’s other critical infrastructure sectors. The information, practices and vulnerabilities shared among the critical infrastructure partner/provider ecosystem may not be nuclear-weapons-level sensitive, but its compromise can still result in grievous harm to our national interests and/or our nation’s economy.
Look no further than the physical and financial damage suffered during recent attacks on Colonial Pipeline (energy sector), Maersk (transportation sector) or Common Spirit (healthcare). The DoD’s cybersecurity supply chain risk management (SCRM) story provides us with an instructive window into the level of cybersecurity supply chain trust that will be required wherever future federal funds, not just DoD funds, are being expended.
The DoD’s SCRM journey is instructive for any business investment (recall the CPGs) that envisions long-term operational assurance. Operational assurance, business resilience and supply chain reliability will require trusted hardware components; trusted software and firmware libraries for those hardware devices, for data transmission and for cloud operations; and trusted people (developers, testers, implementers, users and auditors) to operate and maintain vigilance over ecosystem platforms like electronic security systems.
When it comes to cybersecurity in the supply chain, trust is becoming synonymous with transparency, and transparency is becoming synonymous with auditability. “Trust but verify” is a long-lived security mantra, and the technology journey from the garage to the white room is becoming a process we will soon audit with assurance at every level, or reject.
The electronic security industry ecosystem of consultants, integrators, manufacturers and distributors serves our DoD and critical infrastructure sectors at every level. What business doesn’t have an alarm system at least? As an industry, we have a plethora of legacy systems with known cybersecurity vulnerabilities installed across the spectrum of critical infrastructure networks. Some have been isolated, firewalled, air-gapped or otherwise removed from exposure to the corporate or operational infrastructure, but many have not. Where vulnerability mitigations have been put in place, how are they monitored? If we wish to maintain our trusted partner status with DoD and our critical infrastructure client base, it is incumbent upon us to investigate, assess, test and mitigate those legacy vulnerabilities to the best of our ability.
Our clients are open to mitigation or upgrade discussions and would rather fund those efforts than right-of-boom cybersecurity incident clean-up costs. Go see them.
We have new cybersecurity tools increasingly available to our teams. Security device port and data flow monitoring equipment continues to offer additional mitigation for some of our legacy system vulnerabilities. Improved hardware trusted platform modules (TPMs) offer boot-time integrity assurance. We have encryption for data, provided we turn it on. We have the Open Supervised Device Protocol (OSDP) to finally free us from Wiegand protocol vulnerabilities.
Educated electronic security industry partners will demonstrate value for their critical infrastructure clients by aligning their security offerings with DHS voluntary measure objectives, based on sector-specific vulnerability prioritization.
Our industry has a duty to our nation to continue to improve, and we’re demonstrating that we can. Auditable transparency provides a pathway for enduring trust. Let’s leverage the models our customers are building to maintain an enduring partnership with them.