After years of trying to improve the cybersecurity language in its contracts, the U.S. Transportation Command is hopeful the Pentagon’s new Cybersecurity Maturity Model Certification (CMMC) will finally help mitigate risks from its supply chain.
“When confronted with an advanced persistent threat actor, I don’t think any of our commercial providers are in a position to protect themselves,” Gen. Stephen Lyons, commander of the U.S. Transportation Command, told the Senate Armed Services Committee on Tuesday.
Better known as TRANSCOM, the command coordinates global logistics for the military and heavily relies on global communications and private contracts to deliver fuel resupplies and other critical deliveries.
Lyons acknowledged that even though the command has seen “progress” in strengthening cybersecurity language in contracts, it has no way of verifying that the contract requirements are being followed, as cybersecurity measures are still self-assessed by contractors.
“CMMC will do significant good in that area,” Lyons said.
The model will require that contractors that want to do business with the Department of Defense meet a certain threshold of cybersecurity certifications. The model, consisting of five levels of security standards, will be phased into requests for information starting this summer. The vast majority of contractors that work with unclassified information will need to meet only level one of the framework — the least secure and least costly level on the scale. From there, the more sensitive the information contractors handle, the higher the level of certification they will need to receive under CMMC, up to level five. All levels will be certified by independent assessors who will conduct in-person checks. Contractors will have to foot the bill for those assessments.
The new CMMC model will give the command a proxy in the independent assessors to check that contractors are living up to the new cybersecurity standards. Lyons said if it were up to TRANSCOM to inspect its industrial base partners, it could have unintended “second- and third-order effects.”
Protecting data and exploring space, autonomy
Lyons also focused Tuesday on the Transportation Command’s reliance on data. The security of that data, including who sees it and how it is stored, is also something the command is trying to improve, he said.
“We are reviewing data sharing requirements to limit our exposure to adversaries, and we’re strengthening cybersecurity language in our information technology and software development contracts,” Lyons said.
To better collect and use its data, the command is also working to migrate more data to the cloud. Lyons claimed his command has migrated 14 programs to commercial cloud environments, but it is unclear how many remain in legacy data centers.
“Cloud computing, balanced cybersecurity, information sharing, innovation at echelon and warfighting outcomes serve as our guiding principles as we modernize our digital portfolio,” Lyons said.
On top of this, Lyons said squaring away the command’s cybersecurity is especially critical as it aims to expand its fleet of autonomous vehicles and assist the new Space Force in its logistics.
“There is enormous potential to expand in the air domain and eventually into the space domain,” Lyons said. But that potential could be dampened by loose cybersecurity and acquisition processes, he said.
Artificial intelligence and autonomous vehicles have the potential to be especially helpful for TRANSCOM, Lyons said.
But senators wanted to see faster adoption of new technologies.
“We need to be much more nimble on delivering emerging technology,” Sen. Joni Ernst, R-Iowa, said.