A defense official told lawmakers the department’s CMMC program likely wouldn’t have guaranteed successful prevention of the SolarWinds breach.
Close to 40 companies in the defense industrial base reported they were impacted by the Solarwinds supply chain attack, according to a defense official.
Rear Adm. William Chase III, deputy principal cyber adviser to the defense secretary and director of the Protecting Critical Technology Task Force, said during a Tuesday Senate Armed Services cyber subcommittee hearing that 37 companies reported exposures related to the SolarWinds intrusion.
Chase confirmed DOD was not compromised in either the SolarWinds or the Microsoft Hafnium attacks. But he also said the Cybersecurity Maturity Model Certification, DOD’s nascent program for improving the cybersecurity of the defense industrial base, would not necessarily have prevented the intrusions.
However, meeting certain CMMC requirements may have helped companies spot hackers’ movements, Chase said. “Probably the best example is FireEye, very publicly reported they caught the SolarWinds [hackers] from observing lateral movement and privilege escalation within their own environment … a level five CMMC would have probably had sufficient tools to give them a shot at seeing this similar lateral movement.”
And the rulemaking process still has a ways to go, according to another defense official testifying at the hearing. Jesse Salazar, deputy assistant defense secretary for industrial policy, told senators it usually takes about a year to adjudicate comments associated with a rule like CMMC. The Defense Federal Acquisition Regulation Supplement interim rule published last fall received 850 comments, Salazar said.
Deputy Defense Secretary Kathleen Hicks in March initiated an internal assessment of CMMC, according to Salazar, who recently assumed oversight of the CMMC program. That review is being guided by three considerations: cybersecurity cost management for small businesses, a need to clarify and deconflict cyber regulatory policies, and a need to reinforce trust and confidence in the CMMC assessment ecosystem.
“One of the things that we have heard over and over again from industry, is that the barriers are quite high, to ensure that these companies are meeting our requirements,” Salazar said of small businesses. “So we're looking at this very closely and thinking about one, how can we reduce the cost for reaching a level of cyber maturity to meet our requirements and two, what tools and resources can we make available today to make sure that these businesses are more resilient.”