Defense Industrial Base Cybersecurity Strategy Off-Camera On-The-Record Media Roundtable

View Online Defense Industrial Base Cybersecurity Strategy Off-Camera On-The-Record Media Roundtable March 28, 2024 STAFF: All right, good afternoon to all of you in the room and those of you who dialed in via Zoom. This is Commander Tim Gorman. Thank you for attending today's media roundtable for the Defense Industrial Base Cybersecurity Strategy. Seated on the stage here is Deputy CIO for Cybersecurity and Chief Information Security Officer David McKeown and Chief of Defense Industrial Base Cybersecurity Stacy Bostjanick. I will turn it over to them in a minute for some opening remarks. We'll have plenty of time for questions afterward. I just ask that you limit yourself to one follow-up to make sure everyone who wants to ask a question gets a chance. And for the sake of this briefing, please limit your questions to the Defense Industrial Base Cybersecurity Strategy. I also ask for those on Zoom, I'll call on you by name, but for those in the room, if you don't mind just introducing your name and affiliation before you ask a question. And with that, I'll turn it over to Mr. McKeown for some opening remarks. DEPUTY CIO (CYBERSECURITY) DAVID MCKEOWN: All right, good afternoon, everyone. Thanks for joining us here today. Today, we are announcing the release of the Defense Industrial Base Cybersecurity Strategy recently signed by the deputy secretary of defense. The DIB Cybersecurity Strategy is aligned with several high-level policy documents, namely, the 2022 National Defense Strategy and the 2023 DOD Cyber Strategy. Within the 2023 DOD Cyber Strategy, the effort that we have underway here to establish a DIB Cybersecurity Strategy is directly responsive to the requirement to develop a comprehensive approach for the identification, protection, detection, response and recovery of critical DIB elements, thereby ensuring the reliability and the integrity of critical weapon systems and production nodes. The DIB Cybersecurity Strategy will serve as the strategic plan to enhance the cybersecurity and cyber resiliency of the Defense Industrial Base. It features an overarching mission and vision spanning F.Y. '24 through F.Y. '27, and the strategy outlines four major goals and subsequent objectives, which Ms. Bostjanick will highlight in just a moment. The DIB Cybersecurity Strategy aims to strengthen collaboration with the DIB and provides strategic guidance for new initiatives to achieve the vision of a secure Defense Industrial Base. Our adversaries understand the strategic value in targeting the DIB. Private sector DIB contractors are at risk for malicious cyber activities by adversaries and nonstate actors alike. Working in conjunction with the DIB, we can better ensure the safety of critical information and unauthorized disclosures of that information. Implementing the strategy's goals is crucial to promoting cybersecurity best practices and enhancing collaboration between the DOD and the DIB. Over the last several years, the DIB has made great strides in improving cyber reresiliency, security compliance and understanding the threat landscape. Together through the DIB Cybersecurity Strategy, we will further advance our goals and improve DIB cybersecurity. I'll now turn it over to Ms. Bostjanick for her comments. DIB CYBERSECURITY CHIEF STACY BOSTJANICK: We need to get on top of this extremely complex challenge. This is a well-contemplated, multifaceted, agile and nuanced response to the constant and involving challenge, securing the DIB against malicious cyber activity. We are working and will continue to work with a vast array of DIB contractors and U.S. government stakeholders, including the DOD Cyber Crime Center, NSA, Defense Counterintelligence and Security Agency and U.S. CYBERCOM, the CISOs and program managers, and with those above stakeholders, DOD is going to establish a public-private — establishes public-private forums such as the DIB CS Program, implements NIST standards, frameworks and guidance and provides CS training. The strategy illustrates a way forward to a cyber-secure and resilient DIB with shared goals and enhanced collaboration. As Mr. McKeown stated, this DIB CS Strategy is guided by an overarching mission and vision. Our mission is to protect sensitive information, operational capabilities and product integrity by ensuring the generation reliability and preservation of U.S. warfighting capabilities. Our vision is simple: A secure, resilient, technologically-superior DIB. To achieve our mission and realize our vision, the DIB CS Strategy has laid out four goals, each featuring their own objectives: One, strengthen the DOD governance structure for DIB cybersecurity. Securing the DIB requires support and collaboration from a large community of stakeholders. For F.Y. '24 through '27, the department will work with the DIB, DOD stakeholders and interagencies to build a governance framework for maintaining a secure subcontractor CS environment. Two, enhance the cybersecurity posture of the DIB. The department will evaluate DIB compliance with DOD CS requirements, improve threat sharing, identify DIB CS vulnerabilities and improve recovery from malicious cyber activity. We will also have no-cost services available through the voluntary DIB CS Program and DC3D — DICE programs. Three, preserve the resiliency of critical DIB capabilities in a cyber-contested environment. SCRM maturation and policy coordination is crucial to mitigate risk in multi-tier supply chain and provide clear and consistent guidelines for industry. Four, improve cybersecurity collaboration with the DIB. NSA CCC will maintain bidirectional cooperatives across multiple core technology sectors and empower the DIB in its fight against cyber threats. The department also seeks to engage with the DIB SCC to expand cyber incident information sharing and bolster collaboration in identifying key issues of mutual interest. The DIB CS Program facilitates information sharing, hosts community events, working groups and technical exchanges and offers no-cost technical services. Program expansion is effective 11 April through the 32 CFR 236 final rule. And with that, we'll take any questions. STAFF: Okay. We'll stay in the room. Lauren, do you want to take the first question? Q: Yeah. Lauren Williams, Defense One. Thank you so much for doing this. I want to first ask about the Cybersecurity Maturity Model Certification program, and I know that's a big — MS. BOSTJANICK: No, no. (Laughter.) Q: — that you guys have been working on. How does that exactly nest into this overall industrial strategy? MS. BOSTJANICK: It will be a component of our strategy to ensure that we are resilient in — it — compliant with the standards that we set. Q: And my follow-up — my follow-on for that is how will — sub-contractors, particularly software vendors, how will they be affected or where do they kind of fit into this overall strategy and their overall security? MR. MCKEOWN: Well, we're taking into account small, medium, large companies. We want to affect change with all of them. Certainly, they'll be able to avail themselves of — of the free services that we have to offer. We want to strengthen them just like anyone else as part of the DIB. They would also, if they're handling CUI, be subject to, you know, all of the regulations that we're putting in place regarding implementation of NIST 800-171 and 172 and levels 2 and 3 of CMMC if that's applicable. But again, we would welcome engagement from them. We want to support them however we can, regardless of the size of the company. STAFF: All right, so next question, we'll go to Zoom. Jared Serbu, Federal News Network? Q: Good morning. Thanks for doing this. Wanted to ask about the expansion of the eligibility criteria in the DIB CS program. Seems like that has the potential to create quite a bit of new workload for DC3 and others, depending on how many folks take you up on that. Has there been any kind of analysis of that, how much of an extra lift that's going to be? And I guess more importantly, is that funded? MR. MCKEOWN: Well, we hope that it becomes a problem. Right now, this is a voluntary program and we have probably up around 1,500 voluntary participants to date. We hope that it becomes a problem where we have more and more engagement with people out there that are interested in availing themselves of the services. A lot of the services, like intelligence-sharing and things of that nature, those aren't hard to scale up. We can easily send out an email to a — you know, another — however many you want to add to that distribution list. There's also a lot of free products to — just to read and understand, there's tools that they can run on their own that don't involve DC3 directly getting involved there. Some of the free subscription services too where we're doing external scanning of the vendors, we may, at some point, hit a threshold where we might have to increase the volume of licenses that we have there, but right now, we don't have that. And we definitely will look at that as we go into our implementation plan phase here. We're taking this strategy, we're working internally within the stakeholders here in the department and externally with DIB partners to pick tools that are easily adoptable, scalable, cost-effective, so that we can get the most bang for the buck as we go forward with our purchasing dollar in trying to help fund these solutions that we're putting out there. So currently, not a problem. I agree that, in the future, maybe we might have some issues there, but right now, we have enough capacity. And we're beating the drum, trying to get people to come into the program. So please help us have a problem here. STAFF: — next, we'll go to Sara Friedman, Inside Cybersecurity. Q: Thanks for doing this. I wanted to follow up on the CMMC program. Do you have any plans in this strategy and moving forward in terms of helping small businesses be able to comply? And do you see an opportunity for the DFAR 7012 update to address some concerns for the DIB regarding the 800-171 compliance and this assessment process? MR. MCKEOWN: I'll go ahead and start and then I'll turn it over to Stacy. So we do think that there's room for improvement on the wording in 7012. Some of it's not crystal clear. One of the things that we want to work on here at an off site that we're having in April with the DIB community — we're calling it a DIB Summit — is to get help in codifying what was meant by FedRAMP moderate equivalent. We've got some COAs — you know I published some guidance on this. I think it was overly restrictive. And so we're going to work with the community in that session, look at some different COAs for how we can reduce the burden on them to leverage cloud services, and still not impact security in a negative way. So we're looking for partnerships there as well. I think we're full up on the April 8th and 9th summit. But we look forward to engaging with the community and hearing what their pain points are. As far as small businesses go, there are some things that we're working on with the Office of Small Business to develop a purpose-built cloud that some of the small businesses can just shoehorn themselves into and work out of there, and then if the data is protected in this cloud environment — and we should see some movement on that here pretty soon, and try to get those pilots underway this year. And I think we're going to target between 50 and 75 small businesses that can be part of that pilot and just prove out whether or not we can leverage the cloud to ensure that the data is secure in this cloud environment for these small businesses. And then we'll have to look at how do we scale that up and offer that to more and more small businesses over time, or how do we get a price point which they can afford and just start leveraging it themselves. So initially, it's going to be a lot of free chicken there, but at some point, the — you know, it may just be a service offering that they'll have to consume themselves. But it sure will beat having to build out all of the cybersecurity inside their own networks and boundaries if they can work out of these environments. And Stacy, do you have any other comments there? MS. BOSTJANICK: Well, the DIB CS program does have several capabilities to assist companies in figuring out where they are in their compliance journey with the 800-171. We have a CRA process where they can collaborate with the small business, walk them through their networks, help them understand where their vulnerabilities and gaps are. And so we highly encourage those that handle CUI today to be able to sign up for the program. And like Mr. McKeown said, we're looking forward to having a problem with too many people in the program. STAFF: All right. Next, Josh Luckenbaugh, National Defense. Q: Hi, thank you all for doing this today. I wanted to ask about something you mentioned near the end of the strategy about the centralized list of DIB cybersecurity policies, regulations, and resources. Can you talk through a little bit of what that would look like and possibly a timeline for when you hope that'll be live and available? MR. MCKEOWN: I'll talk about it first and then, again, over to Stacy. So the reason why we're here today is there was a NDAA Section 1648, which directed us to come up with an overarching strategy. We were very disjointed in the different stakeholders in the department that delivered services. A lot of DIB partners were complaining that we didn't have a single point of entry. The goaling here with this strategy is to highlight a way forward where we'll have a more centralized approach, a more cogent approach where everybody in the Department knows what their role is. And we'll have a way for DIB partners to enter the system and draw-off services and work with the DOD rather than having to have 15 different connections to different stakeholders. So that's part of our goal. And as we work on the implementation plan we will flesh that out and hopefully, you know, provide an initial entry point that will then help hold the vendors hand to get to the other resources needed versus individually they've got to go touch base with each one of those on their own. MS. BOSTJANICK: And part of this program and this strategy is to have posted on the DODCIO website the different capabilities that are available to the partnership and the — the members of the program and to provide you those policies and direction information for easy access. STAFF: All right. Next, we have Colin Demarest, C4ISRNet. Q: Hey, all. Appreciate your time. Lieutenant General Robert Skinner last year described the defense industrial base as a soft underbelly that hackers can and do target. Do you think that still rings true and how would you say this strategy addresses that potential weakness? MR. MCKEOWN: I would say it's still true. We're still seeing intrusions taking place. We track that pretty heavily. As a part of our mandatory reporting requirements we collect those. We see the new ones that pop up on a weekly basis. We're working to address what can we do better. We want to investigate each one of those incidents that we see with the DIB partner. We want to share that information with the rest of the DIB community. We want to have that be part of the feedback on 8171 and 172. So we're working diligently on how to operationalize that. JFHQ-DODIN is reporting on this weekly on any new intrusions and the facts surrounding the intrusion with their partners. So we really as a whole, the whole cybersecurity community, along with A&S and other stakeholders are really trying to get after this and the actual events matter to us and we're really paying attention to those so we can learn lessons from them and apply them. MS. BOSTJANICK: Yes, you're exactly correct. STAFF: Kris Anderson, AWPS. Q: Hi. Thank you for taking my question. Thank you for this event. I'm wondering if there is a hierarchy of vulnerabilities that you have identified and wish to pursue? And where does just straight out education, public education, trying to build a wider competency in cybersecurity issues for the general public. Does that play a role in this also? And then what about building — the emphasis on building cybersecurity infrastructure hardware, software and then implementation and evolution of those products to try to keep pace with the — with the threat. Is that — where are the priorities in there? Thank you. MR. MCKEOWN: Yeah, I would say that, as you look at 800-171 and 172, 171 is geared towards just basic protections of the data so that we don't lose the confidentiality there. There are only 110 controls listed there out of hundreds that are in 800-53. The subset that was selected to be placed in 171 was because they were geared towards the protection of the data. So that's where the focus has been. Education on the user side is super important because you can have the most secure network in the world but if your users aren't trained to not click on a phishing email or to go to malicious websites, then all bets are off, all the protections you put in place will probably be null and void. So I think that is a very important piece of it. Basic hygiene, patching, and securely configuring your environments is also another thing that we need to stress. As you move up into what we're calling our Level 3, which is where our most important data is residing, that ups the game where we're focused on combating against advanced persistent threats, where it's not just the run of the mill somebody's scanning your network and finding a vulnerability and popping in and stealing a little bit of data. These are the people that are really sophisticated at attacking networks and establishing a foothold, exfiling data, and getting what they want. So we're going to be focused on that very strongly with our Level 3 companies because they are building the things that are super necessary for warfighting. And -in terms of solutions from a cybersecurity perspective, as we continue to work on our own zero trust strategy, we are partnering with numerous vendors out there on all seven pillars of zero trust. And we can certainly share what we're finding with our DIB partners there, but more than that, we are working with them to certify — I mean, it's not an actual certification but we do red team testing, we make sure that the solutions that they have built actually achieve the cybersecurity effects that we're looking for. So that we'll be having a pointer too though as we go forward. We've engaged with our big cloud service providers. So the four that we have on JWCC, we've put the challenge down to them to build an environment that meets most or all of our zero trust requirements. So we're evolving something there that I think will be consumable in the future by not only us but our federal partners, industry, and even foreign partners throughout the world, by challenging them to build more secure environments. STAFF: Sydney Freedberg in — Breaking Defense. Q: Hi. Thanks very much for taking the question. Question — you know, if I'm, you know, a smaller company, you know, I'm not a — a Level 3, I'm making, you know, a pump that goes on a nuclear submarine or, you know, a piece of software that, you know, goes on robots, something that's crucial for the supply chain but maybe not super sensitive and maybe I'm not, I know, a super savvy, big company with lots of resources, how do I navigate these requirements? How do I, you know, find these resources you're talking about, especially since you said there's — there isn't really, you know, a single point of contact yet? And why should I, as a small company, be so worried to make that effort? MR. MCKEOWN: Well, I think at this day and age, especially in the United States of America, everybody should believe the power of the hacker. It's been proven out numerous times. So hopefully, we don't have to prove to them what the hackers can do. I mean, we could look to probably a thousand different examples. You know, some of the most recent ones are by Colonial Pipeline and they're very impactful, so you definitely want to defend. We also point people to look at the — you know, the Chinese copy of the F-35, the Russian copy of the Space Shuttle, right? All the data — the adversary's looking for it, and it really shortcuts their engineering and production time when they can just steal it from us and not have to sit down and do real engineering on their own. So hopefully, everybody understands that this is a real threat. Now, as to whether that piece — that component that a small business is developing, whether it is crucial, that's where the government needs to help out in identifying during the buildout of the contract the component breakdown of, what is the most important parts? Some of them might be top-secret parts, secret, unclass CUI, but we need to do a good job of identifying how everyone should be handling the technology and the engineering data surrounding those individual components. And then once that is contractually flowed down to the lowest level, you should know what sort of rigor you need to put into protecting your piece of the puzzle. Then, we do have a placemat already out there that shows how to get our services. That's still available in a sort of disjointed way, like, you can reach out to each one of those organizations individually and ask for help. But as we go through the strategy and implementation plan, we want to make that more streamlined where somebody can come into a single point and more of a concierge-type of fashion be walked along, understanding what it is they need to protect, how they need to protect it and getting them the resource help that they need to do that. STAFF: Joe, do you have a question? Q: It's been answered already. STAFF: Lauren, do you have another one? Q: Yes, I wanted to follow up on the cyber intrusions trend. It — what trend are you seeing? Are there more cyber intrusions into the DIBs? They — like, the same, going down? And then also, how many, like, new threats are you seeing — is that going up? Is that staying the same? Is that going down? MR. MCKEOWN: I don't know that I have a metric that — that says up, down or level. I'll just tell you that we have departmentally started paying a lot more attention to it and engaging with the companies. Before, we clearly did damage assessments whenever there was a large intrusion just to understand the impacts to the programs, but now, we're trying to get this process a little bit more rigorous and learn from it. And are we doing the right things to help protect the DIB? Do they have the right things in place? And by the same token, sort of validate, were they doing the right things to begin with? Like, when 7012 first came out, self-attestation, people said that they were doing the 800-171, and then we set up the DIBCAC and started checking homework, and they really weren't. So that's another piece of it that we want to keep metrics on. So I agree with you, tracking the trends. But the trends can vary, you know, based on one product having a vulnerability that the bad guys find out about. It would be a feeding frenzy sometimes just because if you do not get to that thing and patch it quickly enough, they could hit multiple companies, right? Because they're constantly scanning for vulnerabilities and looking for a way in. So we've got to be diligent in getting information out about, hey, there's this new thing, and if it's a really important, catastrophic vulnerability, you've got to patch it. You've got to get it done quickly. That's part of the equation, because if you ignore it and think it's going to go away and think the adversary's not going to see it, they're going to see it, and they will get to it and they will get in your network. So part of it is that diligence, having that OPSTEMPO to constantly be looking at the zero days and patching them, and looking at intel and responding corporately to make sure that you're not going to be susceptible to that threat that's out there. STAFF: All right, I think we got to everyone who has a question. We thank you for your time. In a few minutes, we'll put a press release announcing the strategy on defense.gov, and we'll have a link to the strategy itself. And then later this evening, we'll have the full transcript of this briefing up on defense.gov, as well. Thank you both. MR. MCKEOWN: Thank you.

ABOUT   NEWS   HELP CENTER   PRESS PRODUCTS

Unsubscribe | Contact Us

This email was sent to sajanram.shrestha@blogger.com using GovDelivery Communications Cloud on behalf of: U.S. Department of Defense 1400 Defense Pentagon Washington, DC 20301-1400