January 20, 2022

Defense Contractor Cybersecurity: Stakeholder Communication and Performance Goals Could Improve Certification Framework


What GAO Found

For years, malicious cyber actors have targeted defense contractors to access sensitive unclassified data. In response, since 2019, the Department of Defense (DOD) has engaged with a range of stakeholders to develop and refine a set of cybersecurity practices and processes for contractors to use to help assure security of the data. For relevant contracts, this Cybersecurity Maturity Model Certification (CMMC) requires that defense contractors implement these practices and processes on their information systems and networks.

Figure: Key Steps in CMMC Verification Process

DOD began CMMC implementation with an interim rule that took effect in November 2020, but the rollout of the 5-year pilot phase is delayed. For example, DOD planned to pilot the CMMC requirement on up to 15 acquisitions in fiscal year 2021 but has not yet included the requirement in any acquisitions, in part due to delays in certifying assessors. Industry—in particular, small businesses—has expressed a range of concerns about CMMC implementation, such as costs and assessment consistency. DOD engaged with industry in refining early versions of CMMC, but it has not provided sufficient details and timely communication on implementation. Until DOD improves this communication, industry will be challenged to implement protections for DOD’s sensitive data.

DOD has identified plans to assess aspects of its CMMC pilot, including high-level objectives and data collection activities, but these plans do not fully reflect GAO’s leading practices for effective pilot design. For example, DOD has not defined when and how it will analyze its data to measure performance. Further, GAO found that DOD has not developed outcome-oriented measures, such as reduced risk to sensitive information, to gauge the effectiveness of CMMC. Without such measures, the department will be hindered in evaluating the extent to which CMMC is increasing the cybersecurity of the defense industrial base.

In November 2021, DOD announced CMMC 2.0, which includes a number of significant changes, including eliminating some certification levels, DOD-specific cybersecurity practices, and assessment requirements. DOD also announced that it intended to suspend the current CMMC pilot and initiate a new rulemaking period to implement the revised framework.

Why GAO Did This Study

DOD relies on thousands of defense contractors for goods and services ranging from weapon systems to analysis to maintenance. In doing business with DOD, these companies access and use sensitive unclassified data. Accordingly, the department has taken steps intended to improve the cybersecurity of this defense industrial base.

A Senate report included a provision for GAO to review DOD’s implementation of CMMC. This report addresses (1) what steps DOD took to develop CMMC, (2) the extent to which DOD made progress in implementing CMMC, including communication with industry, and (3) the extent to which DOD has developed plans to assess the effectiveness of CMMC.

GAO reviewed DOD documents related to the design and implementation of CMMC and interviewed DOD officials involved in designing and managing it. GAO also interviewed representatives from defense contractors, industry trade groups, and research centers.


Network News © 2005 Area.Control.Network™ All rights reserved.