Status of CMMC, TIC 3.0, Supply Chain Security Trends in 2021

Top cyber officials are calling on federal agencies to pay particular attention this year to TIC 3.0, the new Cybersecurity Maturity Model Certification (CMMC) standards and supply chain security to significantly reduce cyber risk.

“SolarWinds is not the last event by a long shot, and it wasn’t the first event,” said Katie Arrington, Defense Department CISO for Acquisition & Sustainment, during an AFFIRM event last week week. “If you’re an innovative company and you’re not doing the basics in CMMC level 1, you’re not going to be around in five years because your IP, which makes you unique, will be stolen. You should be doing them anyway.”

Even non-defense government contractors need to implement at least base-level CMMC standards simply because there’s so much overlap between defense and non-defense contracting.

“When we look at the industrial base we see a lot of crossover,” said GSA Deputy Assistant Commissioner for Acquisition Keith Nakasone. “The community on the DOD side is also doing work on the civilian side. If there are ways we can adopt best practices, it gives us that whole-of-government look.”

Arrington said DOD drafted a memo to establish reciprocity between the FedRAMP moderate impact level and CMMC level 3 to help cut back any superfluous cyber standards. Contractors should work hard to meet CMMC requirements, she said, but also recognize that CMMC is only the first step.

“CMMC is a start,” she said. “Next year this time, we’re going to be talking about what we need to tweak, supply chain risk management in reality … You thought CMMC was hard, and now we’re going to start with zero trust. How do we build architecture and stability to get to zero trust? CMMC illuminated your supply chain, so you can see everybody in a golden cage. Now let’s really start talking about the risk associated with that.”

Branko Bokan, a cyber lead at CISA, agreed zero trust will become a focus as federal agencies adopt TIC 3.0.

“The perimeter has shifted from one single network to end points or end users,” he said during a FedInsider webinar on 2021 security trends. “The new TIC 3.0 policy allows for this flexibility and allows for this new strategy. The highlight is the shift in the focus from protecting one big network to protecting endpoint devices — that is really the gist and the spirit of TIC 3.0. It gives federal agencies flexibility to continue protecting their traditional network and also allow them to accommodate emerging technologies.”

Steve Wallace, a technical director and systems innovation scientist at the Defense Information Systems Agency (DISA), said two years ago DOD implemented a similar strategy to TIC 3.0, which turned out to be incredibly successful.

“We’ve seen increased performance for the end users and better performance to their browsers because we’re removing the devices in line that address threats in line, the traffic isn’t subject to those same times of inspections anymore,” he said during the webinar.

Wallace and Bokan highlighted that the zero trust approach to security is complementary to TIC 3.0 and supply chain security in 2021.

“Zero trust is not a product, nor a service, not something you can go out and buy in a box. It’s a concept, it’s an end-to-end approach to enterprise security, in which your trust is never explicitly granted, it must be continuously evaluated,” Bokan said. “Shrinking that implicit trust zone to a single user or device — that’s really critical for organizations to understand. Some of the things we see that have been obstacles for federal agencies is, it is critical to have a solid understanding of organizational business data to deploy zero trust architecture. Moving to cloud environments — visibility is going to be challenged for some time.”

As federal agencies continue migrating to the cloud, NIST Fellow Ron Ross said they need to keep TIC 3.0 and supply chain security top of mind.

“Cloud is a great new technology to change business models and offer innovation and capability,” he said. “You’ve got a bunch of servers, hardware, software, firmware, to give businesses and organizations mission capability. It gets back to the basic question: what kind of assurance and transparency do we have in these cloud architectures?”