Most contractors hired by the Department of Defense over the past five years failed to meet required minimum cyber security standards, posing a significant risk to US national security.

Managed services vendor CyberSheath released a report on November 30 showing that 87% of the Pentagon supply chain fails to meet basic cybersecurity minimums. Those security gaps expose major defense contractors and their subcontractors to large-scale cyberattacks, putting US national security at risk.

Those risks have been well known for some time without efforts to fix them. According to CyberSheath, this independent study of the Defense Industrial Base (DIB) is the first to show that federal contractors are not properly protecting military secrets.

DIB is a complex supply chain consisting of 300,000 primes and subcontractors. The government allows these approved companies to share sensitive files and communicate securely to get their jobs done.

To keep those secrets safe, defense contractors will soon be required to meet Cybersecurity Maturity Model Certification (CMMC) compliance. Meanwhile, the report warns that nation-state hackers are actively and specifically targeting these contractors with sophisticated cyberattack campaigns.

“Awarding contracts to federal contractors without first validating their cybersecurity controls is a complete failure,” Eric Noonan, CEO of CyberSheath, told TechNewsWorld.

Defense contractors have been mandated to meet cyber security compliance requirements for more than five years. Those terms are embedded in more than a million contracts, he said.

Alarming details

The Merrill Research Report 2022, commissioned by CyberSheath, revealed that 87% of federal contractors have a sub-70 Supplier Performance Risk System (SPRS) score. The metric shows how well a contractor meets Defense Federal Acquisition Regulation Supplement (DFARS) requirements.

DFARS has been in law since 2017 and requires a score of 110 for full compliance. Critics of the system considered a score of 70 to be “good enough”. Yet the overwhelming majority of contractors still come up short.

Noonan said, “The report’s findings show a clear and present threat to our national security. We often hear about threats to supply chains that are more susceptible to cyberattacks. The DIB is the Pentagon’s supply chain, and we see how poorly prepared contractors are despite being in the crosshairs of threat actors.”

“Our military secrets are not secure, and there is an urgent need to improve the cyber security posture for this group, which often does not meet even the most basic cyber security requirements,” Noonan warned.

More report findings

Survey data came from 300 US-based DoD contractors, with accuracy tested at the 95% confidence level. The study was completed in July and August 2022, with CMMC 2.0 on the horizon.

Roughly 80% of DIB contractors failed to monitor their computer systems around the clock and lacked US-based security monitoring services. Other deficiencies were evident in the following categories, all of which are required to achieve CMMC compliance:

  • 80% lack a vulnerability management solution
  • 79% lack a comprehensive multi-factor authentication (MFA) system
  • 73% lack an endpoint detection and response (EDR) solution
  • 70% have not deployed Security Information and Event Management (SIEM)

These security controls are legally required of the DIB, and because they are not met, there is a significant risk to the DoD and its ability to conduct armed defense. In addition to widespread non-compliance, 82% of contractors find it “moderately to extremely difficult to understand government regulations on cyber security”.

Confusion prevails among contractors

According to the report, some DIB contractors that have focused on cybersecurity have been stymied by roadblocks.

When asked to rate DFARS reporting challenges on a scale of one to 10 (with 10 being extremely challenging), about 60% of all respondents rated “understanding requirements” a seven out of 10 or higher. Regular documentation and reporting were also at the top of the list of challenges.

The primary barriers listed include challenges in understanding the steps required to achieve compliance, difficulty in implementing sustainable CMMC policies and procedures, and the overall cost involved.

Unfortunately, these results are in line with what CyberSheath expected, Noonan acknowledged. He said the research confirmed that even fundamental cyber security measures such as multi-factor authentication were largely ignored.

Noonan said, “This research, combined with the False Claims Act case against defense giant Aerojet Rocketdyne, shows that defense contractors both large and small are not meeting contractual obligations for cyber security, and that there is systemic risk in the DoD supply chain.”

No big surprise

Noonan believes the Defense Department has known for a long time that the defense industry is not addressing cyber security. News reporting of never-ending nation-state breaches of defense contractors, including large-scale incidents like the SolarWinds and False Claims Act cases, proves that point.

“I also believe that the DoD has run out of patience after giving contractors years to fix the problem. Only now is the DoD going to make cyber security a pillar of contract acquisition,” Noonan said.

He noted that the planned new DoD doctrine would be “no cyber security, no contract”.

Noonan acknowledged that there is merit to some of the conflicts raised by contractors about difficulties in understanding and meeting cyber requirements.

“It is a fair point as some of the messaging from the government has been inconsistent. In fact, however, the requirements have not changed since 2017,” he offered.

What will happen next

Perhaps the DoD will adopt a stricter policy with contractors. If contractors had complied with the requirements put in place in 2017, the entire supply chain would be in much better shape today. Despite some communication challenges, the DoD has been incredibly consistent about what is required of defense contractor cybersecurity, Noonan said.

The current research now sits on top of a mountain of evidence that federal contractors have a lot of work to do in improving cyber security. It is clear that without enforcement from the federal government, the work will not get done.

“Trust without verification failed, and now DoD is moving to enforce verification,” he said.

DoD response still pending

TechNewsWorld submitted written questions to the DoD about the supply chain criticism in the CyberSheath report. A spokesperson for the Cyber/IT/DOD CIO for the Department of Defense responded, adding that it would take a few days to investigate the issues. We’ll update this story with any response we get.

Cyber security professionals want the computer industry to emphasize vendor consolidation and open standards.

This major change in how IT professionals build their security stacks is long overdue, according to new research from the Information Systems Security Association (ISSA) International and the independent industry analyst firm Enterprise Strategy Group (ESG), a division of TechTarget.

Vendor consolidation and the push toward open standards are driven by buyers themselves, who are challenged by increasing complexity, cost, and the “tool sprawl” that comes with best-of-breed purchasing.

Nearly half (46%) of organizations are consolidating or plan to consolidate the number of vendors they do business with. Concerned by the growing complexity of security operations, 77% of InfoSec professionals would like to see greater industry collaboration and support for open standards that promote interoperability.

Thousands of cyber security technology vendors compete against each other in multiple security product categories. Organizations want to optimize all the security technologies in their stack at once.

According to the research report, vendors supporting open standards for technology integration will be best positioned to meet this shift in the industry.

“Given that nearly three-quarters (73%) of cybersecurity professionals feel that vendors favor promotion over substance, vendors who demonstrate a genuine commitment to supporting open standards would be in the best position to weather industry-wide consolidation,” said Candy Alexander, Board President, ISSA International.

She said CISOs have become so burdened with vendor noise and security “tool sprawl” that for many, the wave of vendor consolidation is like a breath of fresh air.

Shift to security platform

ESG surveyed 280 cyber security professionals, most of whom are ISSA members. The results, released last month, focused on security processes and technologies, and show that 83% of security professionals believe the technology interoperability of the future depends on setting industry standards.

The report’s details show a cybersecurity landscape that looks favorably on security product suites (or platforms) as it moves away from a defense-in-depth strategy based on deploying best-of-breed cybersecurity products. That older approach has, by historical precedent, consistently increased organizational complexity and added substantial operational overhead.

“The report shows that massive changes are taking place within the industry, changes that many believe are long overdue,” said Jon Oltsik, Senior Principal Analyst and ESG Fellow.

“The fact that 36% of organizations may be willing to purchase most security technologies from a single vendor speaks volumes for a change in buying behavior, as CISOs are openly considering security platforms in lieu of best-of-breed point products,” he said.

Why Jump from Best-of-Breed

The number of competing security suites has skyrocketed, with many organizations managing 25 or more independent security tools. It follows that security professionals are now stressed by the need to juggle so many independent security products to do their job.

Managing an assortment of security products from different vendors increases training requirements, makes it difficult to get an overall picture of security, and requires manual intervention to fill the gaps between products. As a result, 21% of organizations are consolidating the number of cybersecurity vendors they do business with, and another 25% are considering consolidating.

“In general, buying, implementing, configuring and operating too many different tools has become very difficult, let alone maintaining ongoing support relationships with vendors. Consolidating management and operations makes sense,” Oltsik told TechNewsWorld.

This ongoing complexity is prompting 53% of cybersecurity professionals to purchase security technology platforms instead of best-of-breed products. The study showed that 84% of respondents believe a product’s integration capabilities are important, and 86% consider it important or critical that best-of-breed products integrate with other products.

For 60% of IT teams, tight integration between previously separate security controls is a primary requirement rather than a nice-to-have. Improved threat detection efficiency, such as accurate high-fidelity alerts and improved cyber-threat detection, was on the wish list for 51%.

Generalized government mandate

Cybersecurity products cover the basics, Oltsik noted. These include antivirus software, firewalls, some sort of identity management system, and a range of products for endpoint encryption.

“In many cases, these technologies are mandated by government and industry regulations,” he said. “The biggest influencer in cybersecurity protections is the US federal government which can and does mandate certain standards.

“For example, the Security Content Automation Protocol (SCAP) is a synthesis of interoperable specifications derived from community ideas. The in-progress Cybersecurity Maturity Model Certification (CMMC) standard mandates certain security certifications for DoD vendors.

“We have also seen standards from industry, such as the work of the Organization for the Advancement of Structured Information Standards (OASIS). This week we saw the launch of the Open Cybersecurity Schema Framework (OCSF), a standard data schema for security data. There are also many identity management standards,” he said.

Finding a shared security base

After reviewing this data, ESG and ISSA recommend that organizations encourage their security vendors to adopt open industry standards, possibly in collaboration with their industry’s Information Sharing and Analysis Center (ISAC). In addition, there are established security standards available from MITRE, OASIS and the Open Cybersecurity Alliance (OCA).

Many vendors speak in favor of open standards, but most do not actively participate or contribute to them. However, this lukewarm behavior can change quickly.

For this to happen, cybersecurity professionals, especially those at organizations large enough to send signals to the market, must establish best practices for vendor qualification.

In addition, they need to emphasize process requirements that include adoption and development of open standards for technology integration as part of a broader process for all security technology procurement, according to the report.

Expected result

Cyber security standards and vendor integration will strengthen the cyber security landscape against the continuing increase in cyber threats by easing product development and integration. Oltsik explained that this will allow the industry and security teams to focus more on innovation and security fundamentals and less on building connectors for interoperability.

He sees an opportunity within the industry to support these efforts.

“It seems that some industry leaders are collaborating. I point to OCSF where 18 vendors agreed to support it,” he said.

This group includes a number of leaders: AWS, CrowdStrike, IBM, Okta and Splunk, for starters. He said another potential driver would be the support of large security technology customers.

Oltsik concluded, “If Goldman Sachs, GM, Walmart and the US federal government said they would only buy from vendors that support OCSF, it would really hit the industry.”

The full ESG-ISSA report titled “Technology Perspectives from Cyber Security Professionals” is available here. No form filling is required.

For most of us the metaverse is mostly hype about the promise of a new internet that we can explore virtually. As currently implemented, the metaverse is reminiscent of the pre-Netscape Internet: a group of very different, unique efforts that look more like a walled-garden approach than today’s open Internet.

Implementations range from useful, like those using Nvidia’s Omniverse, to promises of “something” from Meta (formerly known as Facebook) that, at least for now, mostly disappoint. That disappointment is more likely caused by inflated expectations than by any sluggishness on Meta’s part. This is a common problem with new technologies: expectations are dashed and people end up underwhelmed with the results.

Now, with the announcement of the Metaverse Standards Forum last week, it looks like the industry is addressing a bigger problem with the metaverse: the lack of interoperability and Internet-like standards that could allow for a far more seamless future metaverse.

Let’s talk about how important this movement is this week. Then we’ll close with our product of the week, a mobile solar solution that could help avoid the ecological and power-outage problems that states like California and Texas are expected to experience as climate change makes their electric grids less reliable.

Current metaverse

Currently, the metaverse isn’t as much of a thing as it is a lot of things.

The most advanced version of the metaverse today is Nvidia’s Omniverse. The platform is used to design buildings, train autonomous robots (including autonomous cars), and form the foundation for Earth-2, which is designed to better simulate and predict the weather, both to provide early warning of major weather events and to design potential mitigations for global climate change.

While many people think the metaverse will grow to replace the Internet, I doubt it will. The Internet organizes information relatively efficiently. Moving from a text interface to a VR interface could slow down data access without any offsetting benefit.

The Metaverse is best for simulation, emulation, and especially for tasks where the use of virtual environments and machine speed can solve critical problems more quickly and accurately than existing alternatives. For those tasks, it is already proving itself valuable. While it will likely develop into something more like the holodeck in “Star Trek” or the virtual world depicted in the movie “The Matrix,” it hasn’t yet.

What is needed now

What we can do now is create photorealistic images that can be explored virtually. But we can’t yet make realistic digital twins of humans to populate the metaverse. We can’t yet build interfaces to the human body that let you experience the metaverse as if it were real, and our primary interface, VR headsets, is big and bulky, and makes the 3D glasses that the market previously rejected look good by comparison.

These problems are not cheap or easy to fix. If they had to be solved separately for each metaverse instance, the evolution of the metaverse and our experience in it would be decades away, not years.

What is needed is the kind of collaboration and cooperation that built the Internet, focused on building the metaverse, and that is exactly what happened last week.

Acclaimed Founding Member

The formation of the Metaverse Standards Forum directly addresses this interoperability and standards problem.

Meta and Nvidia are both on board, along with a who’s who of tech companies, except for Apple, a firm that generally prefers to go it alone. Heavy hitters like Microsoft, Adobe, Alibaba, Huawei, Qualcomm and Sony are participating, along with Epic Games (the metaverse promises a future where you can play in a digital twin of your home, school or office).

Existing standards groups including the Spatial Web Foundation, the Web3D Consortium and the World Wide Web Consortium have also joined.

The forum is hosted by the Khronos Group, and membership in the MSF is free and open to any organization, so look for companies from multiple industries to be listed. Forum meetings are expected to begin next month.

This effort should significantly increase the pace of progress for the metaverse and make it more useful for more things. Nvidia is already using it successfully today, and we are heading toward a future where we can use it for everything from entertainment and gaming to creating our own digital twins, with the potential for digital immortality.

Wrapping Up: The Metaverse Grows Up

I hope that the formation of the Metaverse Standards Forum will accelerate the development of the Metaverse and move it towards a common concept that can interoperate between providers.

While I don’t believe it will ever replace the Internet, I do think it could evolve into an experience that, over time, we can largely live and play in for much of our lives, and that can potentially enrich those lives significantly.

I envision virtual vacations, more engaging remote meetings, and video games that are more realistic than ever, all due to better collaboration and an effort to set standards that will benefit the mixed reality market as a whole.

The metaverse is coming and, thanks to the Metaverse Standards Forum, it will arrive faster and be better than it otherwise would have been.

Technical Product of the Week

Sesame Solar Nanogrid

Those of us who live in states where electricity has become unreliable due to global warming and poorly planned electrical grids expect some serious problems in extreme weather.

Companies and institutions have generator backups, but gas and diesel shortages are on the rise. So not only are these generators likely to be unreliable when used for extended periods, they are anything but green and will exacerbate the very climate change problem they are meant to mitigate.

Sesame Solar has an institutional solution to this problem, a large solar-generating trailer that also carries a hydrogen fuel cell to generate electricity at night or on cloudy days.

The trailer can also process and filter local water, which can relieve residents from weather or crisis-related water shortages.

It appears that Sesame Solar does a better job of mitigating power outages without producing greenhouse gases that will exacerbate the problem. As a result, the Sesame Solar Nanogrid is my product of the week.

The opinions expressed in this article are those of the author and do not necessarily reflect the views of ECT News Network.