In his book about the flipside of technological advances, author Marc Goodman writes that the U.S. government, in 2013, “specifically named China as being responsible for a series of hacks against vital American defense and government systems.” Many defense blueprints and technologies for missile systems and military aircraft were reported stolen over the years
“The totality of the thefts and their impact on American national security are breathtaking,” Goodman writes in “Future Crimes: Everything is Connected, Everyone is Vulnerable and What We Can Do About It”
Also, consider this: A 2016 study by the Manufacturers Alliance for Productivity and Innovation (MAPI) and Deloitte found that “nearly 40 percent of surveyed manufacturing companies were affected by cyber incidents in the past 12 months, and 38 percent of those impacted indicated cyber breaches resulted in damages in excess of $1 million.” This article about the study, titled Cyber Risk in Advanced Manufacturing, notes that intellectual property theft tops manufacturers’ concerns.
With a state economy powered by around 6,000 defense manufacturers and 30,000 defense suppliers, California is on a mission to make sure critical information held by U.S. Department of Defense (DoD) contractors is protected from foreign espionage and other cyberattacks. The Governor’s Office of Planning and Research (OPR) this year launched Phase 2 of a statewide effort called CASCADE (California Advanced Supply Chain and Diversification Effort). CASCADE is funded by a federal grant from the U.S. Department of Defense Office of Economic Adjustment.
This phase of the effort, which has brought together dozens of partners across sectors, focuses on short- and long-term approaches to bolster the state’s defense supply chain cybersecurity resilience.
“Those without a robust cybersecurity posture risk losing revenue, future business, or their competitive advantage to third-party players and hostile foreign governments,” the state’s Governor’s Office of Planning and Research (OPR) explains in a CASCADE executive summary.
Defense contractors are well aware of the cybersecurity mandates that have been sweeping across the defense industry over the past several years. In 2015, to better protect controlled unclassified information (CUI) that flows throughout its supply chains, the Department of Defense (DoD) instituted the Defense Federal Acquisition Regulation Supplement, known as DFARS, cybersecurity clause 252.204-7012. DFARS 7012 requires DoD contractors to provide adequate security to safeguard CUI, in part by implementing the 110 security controls identified in Special Publication (SP) 800-171 developed by the National Institute of Standards and Technology (NIST).
Under DFARS, the method prescribed for primes to monitor their subcontractors’ and suppliers’ compliance is self-attestation – asking each company to self-assess and self-report its state of compliance with respect to NIST SP 800-171’s 110 security controls. Each contractor is responsible for having a System Security Plan (SSP) and a Plan of Actions & Milestones (POA&M) that describes how and when non-compliance items will be corrected. The DoD amended the DFARS with these changes in 2016 and gave contractors until Dec. 31, 2017 to fully implement NIST SP 800-171, or risk losing their contracts.
Since the passing of DFARS, defense contractors have been scrambling to understand DFARS and implement NIST SP 800-171 standards within their companies to become compliant with the law. Even though the DoD has incentivized compliance by making it a “competitive advantage” within the contract awards process, many contractors have chosen to put off compliance. The DoD is now stepping up its efforts to move away from self-attestation and start enforcing cybersecurity compliance among defense contractors.
Because of this, in May 2019, DoD’s Office of the Under Secretary of Defense for Acquisition and Sustainment, announced the Cybersecurity Maturity Model Certification program, or CMMC, which will require cybersecurity audits and certifications for all DoD contractors. The CMMC effort builds upon an existing regulation (DFARS 252.204-7012) that is based on trust by adding a verification component with respect to cybersecurity requirements. Here are some key points:
- CMMC compliance will range from Levels 1 to 5, with Level 1 being full adherence to basic cyber-hygiene standards and Level 5 being in full compliance with all NIST and other advanced security controls.
- The required CMMC level (1-5) for each specific contract will be stated in all RFPs and it will be a “go/no go” decision.
- Security will be an allowable expense. Defense suppliers will be able to include costs into their billable rates.
One of the immediate needs is helping California defense contractors meet these federal cybersecurity standards. In June 2020, industry should begin to see the CMMC requirements as part of DoD’s Requests for Information. So, companies will need to be audited and certified by this spring, at the latest, to meet standards, keep their existing contracts and/or win new contracts.
The loss of those federal defense contracts would be a major impact to the economy, said Eldon Davidson, director for the Center of Customized Training at El Camino College.
“It would have a dramatic effect on the economy of California, if that happens, because California has the most manufacturers with Department of Defense contracts anywhere in the United States,” Davidson said.
Davidson and his counterparts in Contract Education at other California community colleges have received CASCADE funding to develop a curriculum that gives defense manufacturers and their employees information and resources that put them on the path to compliance with the federal cybersecurity standards. Contract Education units at California community colleges help develop local workforces by providing customized employee training for employers to help ensure their businesses can remain competitive.
“Many of [the defense manufacturers] don’t have the wherewithal to train their employees because they are small-medium suppliers,” explained Jose Anaya, dean of Community Advancement at El Camino College. “They are not as sophisticated as a Boeing or Northrup Grumman, who have robust IT departments.”
Developing a Cybersecurity Curriculum
Contract Education programs at the state’s community colleges already provide some cybersecurity training for businesses, Anaya said, but the new curriculum under development will delve deeper with more information, resources and tools.
El Camino College received the CASCADE grant on behalf of the California Community Colleges Contract Education Collaborative and is taking the lead in writing the curriculum with the help of California’s National Institute of Standards and Technology (NIST) Manufacturing Extension Partner (MEP), CMTC. Eileen Sanchez, chief, Defense Industry Cybersecurity Resilience and Innovation and CASCADE program director with the Governor’s Office of Planning and Research, explained the curriculum will undergo a critical review process with feedback from the DoD’s Defense Acquisition University and the California State Guard Cyber Operations Team.
A lead partner in CASCADE is the California Employment Training Panel (ETP), which provides funding to employers to assist in upgrading the skills of their workers through training that leads to good paying, long-term jobs. In support of this federal grant, under a CASCADE project titled “Cybersecurity Skills Upgrading,” ETP will reimburse employee training costs for aerospace and defense manufacturers training full-time workers in the cybersecurity curricula developed by El Camino College, as well as other job-skills training topics traditionally sought by manufacturers.
ETP also will engage current contractors within the community college and workforce development systems to align cybersecurity training funded by ETP with the CASCADE grant.
The curriculum will be divided into three courses:
- The first course, Level 1, will be for all employees and will focus on “cyber hygiene,” providing a general awareness about ransomware, malware, spam and phishing, as well as security policies and the social engineering that goes into a cyberattack, such as being manipulated to click on attachments or links in an email.
- The second course, Level 2, will be for managers, who will build on training from the first course. The course will cover the history of the CMMC, along with other key frameworks and guides. Participants also will be asked to create a plan for gaining CMMC compliance. The training will include references, tools and preferred vendors the businesses can use to execute their plan, whether they choose to make security changes in-house or contract out for the job.
- The third-level course will be for IT staff, providing information about what is needed for a robust and well-rounded information security program as well as information about additional training IT staff can attain to be able to implement the security changes in-house and how to cultivate a professional employee training program to handle future changes.
‘First Responders’ to Scale the Curriculum
Once finalized, the curriculum will launch as a pilot at El Camino College, with delivery to defense manufacturers and their employees, before rolling out to other colleges.
The California Community Colleges Contract Education Collaborative plays a key role here. The collaborative, launched in 2014, is made up of Contract Education professionals from each of the community colleges that have such a unit and is gaining notice for its unique ability to respond to industry needs quickly and at scale.
They bring with them existing relationships with CEOs and operating chiefs in the manufacturing industry. In some cases, colleges may already be providing training for a defense manufacturer and can incorporate the cybersecurity curriculum, or certain elements from it, into that training. In other cases, simply having fostered an on-going relationship with a manufacturer over the years, even if not currently providing training for them, makes it much easier to introduce the curriculum to them.
“One of the biggest issues we have as we try to instill some cyber awareness is scalability,” said Sanchez, the state’s chief of Defense Industry Cybersecurity Resilience and Innovation. “Although DFARS compliance has been required since December 2017, small-to-medium-sized defense suppliers have consistently avoided necessary steps to commence paths to compliance. So why not help move the needle through the statewide community college collaborative and through the grassroots power they have in their communities? After all, they are often the ones on the first line of defense, in touch with the communities they are in and regionally dispersed around the state in a variety of counties with close proximity to many of our military installations. Enabling our community colleges to provide cybersecurity training to their respective regions in California is a great way for us to scale cyber efforts.”
Sanchez explained another issue the state has is California’s educational institutions currently are not supplying enough qualified candidates to fill the thousands of cybersecurity job openings that exist. Over 35,000 cybersecurity-related annual job openings exist in California, while the state only has some 61 cybersecurity-focused (or partially focused) educational programs. That means the state is producing 3,214 candidates annually.
The two factors combine to create a roughly 33,388 annual undersupply of cybersecurity workers in California. The undersupply creates significant shortages for industry to develop cybersecurity, particularly so for small- and medium-sized enterprises that lack the resources of a large company.
Sanchez added that she believes the work the collaborative is doing is the first such statewide community college effort nationwide, and several other states will look to California as a model.
Getting Help with Cybersecurity Training
If you are a college that wants to get involved in cybersecurity training or a defense contractor who needs help meeting DoD cybersecurity standards, please contact Jose Anaya, dean of Community Advancement, at [email protected] for more information.