2019 in Retrospect: Federal Security Changes and New Directions

The arrival of 2020 signals many exciting developments in cybersecurity across the public and private sectors. With the beginning of a New Year comes the start of a new budget for public spending, and now that Congress has reconvened after the Holiday season, there are lots of items that will have to be discussed as 2020’s agenda for National Security starts taking shape.

But we would be remiss to talk about next year’s direction without talking about last year’s accomplishments, and – more importantly – last year’s difficulties. From the establishment of a new federal security agency to the modernization of NIST regulations, 2019 brought scrutiny to increased risks across multiple areas of developing technology.

In this article, we will reflect on the most significant events of 2019 that will directly impact government agencies and contractors over the coming year. Our first pick is:

1. Clearance overhaul sought to reduce insider threats

To address the legendary clearance adjudication backlog which peaked at 700,000 cases under the NBIB, clearance adjudication was successfully transferred to the Department of Defense (DoD) in October after nearly a year of preparation. As part of that process, the Defense Counterintelligence and Security Agency (DCSA) was formed to handle background investigations and case reviews.

Not only has the DCSA successfully slashed the clearance backlog in record time, but it has also taken steps to fundamentally change the way background investigations are performed by switching thousands of authorized individuals to the Continuous Evaluation (CE) program. Under CE, personnel can be monitored in real time for concerning activity, with the goal of identifying and eliminating insider threats before they strike.

Insider threats remain one of the most serious risks to National Security, already addressed by the National Industrial Security Program Operating Manual (NISPOM) which requires federal contractors to maintain an insider threat prevention program. CE will go a long way to assist in that ongoing effort.

2. Supply chain crackdowns addressed vulnerable IT

Early this year, concerns about the possibility of foreign espionage facilitated by technology originating from China and other foreign countries reached a climax when President Trump signed Executive Order (EO) 13873. According to the order, U.S. organizations may not use IT products manufactured by companies deemed a “national security threat” by the Commerce Department.

Many saw the new order as a way to directly target Chinese telecom-giant Huawei, after the company was indicted for stealing trade secrets, and its CFO was faced with formal extradition. While that’s likely true, the EO was only one step among many towards increased scrutiny for IT vendors who can threaten national security through vulnerable or poorly manufactured products.

Earlier this year, for instance, the Internet of Things (IoT) Cybersecurity Improvement Act of 2019 was introduced to Congress, and – if passed – it will formally task the National Institute of Standards and Technology (NIST) with developing minimal standards for IoT security throughout the government. But rather than waiting on Congress, NIST has ploughed ahead, drafting security feature recommendations for IoT in NIST IR 8259.

3. DoD oversaw major compliance overhaul to take effect this year

Regulations like NIST 800-171 exist for a reason: while they do not provide eliminate security risk from government contractors, they do provide a minimum basis for smart security controls that can mitigate susceptibility to common threats. Many could not help noticing, however, that vanishingly few organizations are actually compliant with NIST 800-171 even though it has been in effect since 2016.

The DoD’s answer to this problem is the Cybersecurity Maturity Model Certification (CMMC) which was drafted throughout 2019 and released for public comment. Under the CMMC, defense contractors will be required to demonstrate adequate security standards prior to bidding on a contract. For now, at least, the CMMC applies only to organizations working with the DoD, but it’s not impossible that the rest of the federal government will eventually follow suit.

Fortunately, the CMMC is flexible, allowing organizations to receive certification at one of five different levels. According to the Pentagon, CMMC is simply meant to be a first line of defense against risk, and is intended to foster a “culture of cybersecurity” in organizations to prevent them from falling behind.

Adopting a Risk-Based Approach to Security

Technology is changing faster than ever, and the trends we’ve seen within the security industry in 2019 is evidence of that. In spite of their best efforts, bodies like NIST struggle to produce regulations fast enough to keep up with an ever-changing threat landscape, while many organizations show complacency towards legislation as it already exists.

Thanks to the CMMC which goes into effect this year, it will become increasingly difficult for government contractors to ignore cybersecurity in 2020. It will become equally difficult to lean on compliance as the sole indicator that an organization is secure. To prepare, contractors should take a proactive approach to security that addresses the greatest risks to their business and operations.

Checking off boxes is no longer enough: in a world dominated by emerging threats, only a “culture of cybersecurity” will do.

Securicon is poised to support industry partners in preparing for CMMC through Gap Analysis and Assessment of security practices and procedures. Contact us for more information.