On March 2, US President Joe Biden's administration finally unveiled its national cybersecurity strategy. This document provides strategic guidance for protecting the US government and its cyber ecosystem, including its businesses, from cyberattacks by domestic and foreign adversaries. What draws our attention in this national strategy is the paradigm shift to strengthening government support and intervention in cybersecurity compliance, which has traditionally been the responsibility of businesses.
To understand how these policy changes will impact the industry, we need to look at the Cybersecurity Maturity Model Certification scheme established by the US Department of Defense in 2020 to assess cybersecurity in the defense industrial base, which portended this shift of the government’s role in cybersecurity compliance. As the CMMC applies to all companies participating in DOD contracts, it is bound to be of great interest to both the Korean government and defense companies aiming to enter the US defense market.
The Cybersecurity Maturity Model Certification is the DOD’s program launched to verify that defense contractors properly protect the government’s sensitive unclassified information. Depending on the type and sensitivity of the information, three different levels of cybersecurity standards progressively apply. The CMMC program was first released and implemented in 2020. Then in November 2021, the DOD announced CMMC 2.0, which significantly changed the initial model. Currently, the CMMC 2.0 rulemaking process is underway, and the CMMC requirement is expected to appear in contracts sometime in 2024 or 2025 after rulemaking is completed.
The information CMMC aims to protect is the federal government’s unclassified information not intended for public release. CMMC is a tool to strengthen measures to safeguard intellectual property and sensitive information from hostile actors, who have posed significant national security threats and caused tremendous economic harm. Information approved for public release and classified information are not subject to CMMC. Classified information is protected under separate classified information handling procedures. Defense contractors may be familiar with the government’s sensitive unclassified information, such as R&D data, drawings, specifications, standards and user manuals.
CMMC assessment is performed according to NIST SP 800-171, a cybersecurity requirement that defense contractors must comply with when processing, storing or transmitting controlled unclassified information. Many assume that since the CMMC is not yet implemented, the NIST requirements are yet to be implemented. However, NIST compliance was already required in 2017; CMMC places a stronger emphasis on adherence to compliance. Defense contractors need to meet the NIST requirements as a starting point. A DOD CMMC official stated at a CMMC event that possible application of NIST requirements across all federal agencies is currently under review.
Meanwhile, we also hear that Japan adopted NIST SP 800-171 in 2019 and plans to implement an industrial security plan that incorporates the NIST requirements in April this year. According to a senior DOD CMMC official, Israel has fully adopted NIST SP 800-171 and is pursuing plans to develop its own assessors. The United Kingdom has taken a unified approach to cybersecurity compliance with the US, and the two countries have observed each other's assessment methods.
As US allies are moving swiftly, the Korean government must hurry to establish cybersecurity standards based on the NIST requirements and support defense companies that want to enter overseas defense markets by establishing a CMMC ecosystem in order to strategically promote defense exports to the United States. Once CMMC or a CMMC-like program is put in place in Korea and mutually recognized by both governments, trust in each other's defense industry will increase and opportunities for industrial cooperation will increase accordingly. In particular, it could help lay the foundation for promoting cooperation in areas of interest to both governments, such as semiconductors, artificial intelligence, robotics, and space.
The leadership in defense companies should approach cybersecurity from a business perspective, recognizing that CMMC is an area beyond the technical realm of IT personnel and that leadership will be held accountable in the event of breaches. Rather than waiting for the government to provide support, defense companies should voluntarily and proactively invest to strengthen their cybersecurity capabilities to protect their intellectual property and overcome this barrier to entry into overseas defense markets. Most importantly, they should keep in mind that people are the key to cybersecurity and immediately take action to provide training to all employees so that cyber hygiene practices become a part of their daily lives. Cyberattacks are not a matter of “if,” but rather “when.”
When the government and defense companies take measures to strengthen the cybersecurity capabilities of the Korean defense industrial base together, it will offer an opportunity to contribute to the national economy as well as national security by protecting the defense industry and defense technology from hostile cyberattacks, strengthening industrial cooperation with other countries and enabling exports.
Yu Hwa is CEO of Delta One and a CMMC registered practitioner. Views expressed in this article are her own. -- Ed.