At a glance.

  • US cybersecurity bill focuses on training.
  • US pledges $200 billion in cybersecurity aid for emerging countries.
  • US State Department prioritizes threat hunting.
  • House Committee requests clarity on cyber defense roles.
  • What the CMMC will mean for contractors. 

US cybersecurity bill focuses on training.

The US House of Representatives passed the “Industrial Control Systems Cybersecurity Training Act,” a cybersecurity bill introduced in May aimed at strengthening US cybersecurity protections after a government-issued warning back in April about Russia-linked malware targeting industrial processes. SecurityWeek reports that the legislation would amend the Homeland Security Act of 2002 to allow the Cybersecurity and Infrastructure Security Agency (CISA) to create a free training program both for government agencies and the private sector; it would focus on cyber defense strategies for industrial control systems. Representative Eric Swalwell (Democrat, California 15th District), who introduced the bill, explained, “With the increased threat of Russian cyberattacks, we must be cognizant of cyberwarfare from state-sponsored actors. This bill would help train our information technology professionals in the federal government, national laboratories, and private sector to better defend against damaging foreign attacks.”

US pledges $200 billion in cybersecurity aid for emerging countries. 

In advance of the start of the G7 Summit the White House announced the Partnership for Global Infrastructure and Investment, a $600 billion effort to “align G7 and other like-minded partners to coordinate our respective approaches, investment criteria, expertise and resources on infrastructure to advance a common vision and better meet the needs of low- and middle-income countries and regions.” For its part, the US State Department has agreed to oversee $200 billion in aid, Nextgov reports. Cybersecurity is one of the summit’s four main areas of focus, and is especially important for the developing countries with whom the G7 partners are attempting to connect. Ruth Berry, acting deputy assistant secretary for international information and communications policy at the State Department, stated, “I think creating more inclusive and democratic processes that bring in emerging countries who will have incredible innovation over the coming decades and be the users and deployers of so much of this emerging technology is also really important.” 

US State Department prioritizes threat hunting.

The US State Department Bureau of Intelligence and Research (INR) this week released a cybersecurity strategy focused on what the bureau’s chief calls “technical debt.” CyberScoop explains that the strategy aims to cultivate a more proactive approach to vulnerability detection and remediation. One area of focus will be migration to the cloud, part of an effort to leverage new technologies and “establish modern IT infrastructure, software, hardware, and systems.” The document also highlights the need to use “real-time threat based security functions,” and to make INR staff more accountable for managing cyber risk by hiring employees with stronger cybersecurity skills and working more closely with the Department of Homeland Security. Assistant Secretary of State for Intelligence and Research Brett Holmgren explains, “This is a comprehensive approach to shifting from a reactive cybersecurity posture to a proactive one where we’re constantly hunting for potential threats in our environment rather than just waiting for alerts to fire and then we’re investigating.” 

House Committee requests clarity on cyber defense roles.

In a report issued alongside the US House Appropriations Committee’s spending bill for the Department of Defense (DoD) on Friday, members gave the Secretary of Defense ninety days after the passage of the bill to provide a report clarifying the cybersecurity responsibilities of the Pentagon’s agencies. The report states that it “remains unclear … which offices and positions at the Department of Defense are responsible for cyber, cybersecurity, and cyberspace policy and activities,” and goes on to describe a convoluted web of cyber-related positions under the DoD’s various offices and agencies. The required report should include an organizational chart explaining the reporting structure of each office with responsibility over cyber activities. SC Magazine notes that the Committee also tasked the DoD with working with education institutions to recruit cyber talent. “The Committee believes that the Department of Defense should collaborate with colleges and universities to recruit cyber-focused students during their junior or senior years, with the intent that upon graduation the student will have a completed security clearance,” the committee wrote.

What the CMMC will mean for contractors. 

Although version 2.0 of the DoD’s Cybersecurity Maturity Model Certification (CMMC) won’t be finalized for another year, Federal News Network discusses how the CMMC is already impacting the way contractors approach data collection and protection. Dr. Kelly Fletcher, the DoD’s principal deputy chief information officer, says the current policy, which relies on self-attestation, allows contractors too much freedom to exaggerate their compliance efforts, creating unfair competition when it comes to winning contracts. “If you’re complying now with what is in your contract, you’re competing against folks that aren’t, and I think CMMC is trying to get after that,” Fletcher said. Indeed, the Defense Contract Management Agency (DCMA) found that only about 25% of companies were compliant with the requirements set out in the National Institute of Standards and Technology’s Special Publication 800-171. “CMMC is going to let us address some of that stuff that does lead to stronger prevention of ransomware attacks because it’s going to require companies to become far more fully compliant,” John Ellis, software division director in DCMA’s technical directorate, stated at a recent conference. DCMA is launching a CMMC early adopter program later this summer, allowing defense companies to work with certified third-party assessment organizations to get up to speed before CMMC 2.0 is finalized.