Lessons from the Field: Rallying Cyber-Readiness with USTRANSCOM and DOD’s CMMC 2.0
- NDTA’s Cybersecurity Best Practices Committee continues to intensify its efforts based on the guidance of past US Transportation Command (USTRANSCOM) Commanders and current USTRANSCOM Commander Gen Jacqueline D. Van Ovost, USAF.
- The Cybersecurity Committee’s priorities incorporate the Department of Defense’s (DOD) newly announced Cybersecurity Maturity Model Certification (CMMC) 2.0, which reduces the original five maturity levels to three and, by allowing annual self-assessment at Level 1 and for some Level 2 contracts, defines a lower-cost path for engaging small businesses like DIB-Co.
- The Department of Commerce’s National Institute of Standards and Technology (NIST) provides the common-sense, consistent basis for CMMC 2.0: the existing 110 security requirements of NIST SP 800-171 for protecting Controlled Unclassified Information (CUI).
NDTA’s Cybersecurity Best Practices Committee used its most recent session to align with the Commander’s Intent of Gen Van Ovost, who gave the group an urgent challenge: “We need to speed up our effective collaboration and solutions to meet the accelerating threats.”
The updated priorities will be further defined and executed throughout the year to help the committee meet Gen Van Ovost’s challenge successfully within the limits of NDTA’s charter. The priorities were validated with help from USTRANSCOM/J6 Deputy Director for Cyberspace Operations Brig Gen Michelle Hayworth, USAF; USTRANSCOM Chief Information Security Officer Patrick Grimsley; and Defense Logistics Agency (DLA) Enterprise Services Project Manager Travis Reid. As the Cybersecurity Committee progresses, outcomes of the work will be shared with the other NDTA Committees, as well as with USTRANSCOM, DLA, and DOD leadership.
During the session, Cybersecurity Committee member and NIST-based assessment leader Chiderah Okoye facilitated a panel of expert guest participants. These specialists provided input during and after the session on how defense transportation and supply chains will fit into effective NIST-supported, whole-of-nation mobilization across the 16 critical infrastructure sectors:
- Jeannie Hebert, CEO of the Blackstone Valley Chamber of Commerce, a local chamber and education hub focused on supply chain effectiveness that supports the President of DIB-Co and other small businesses.
- Terry Kalka, Deputy Director of the DOD Cyber Crime Center (DC3) Defense Industrial Base Collaborative Information Sharing Environment (DCISE), standing in for Director Krystal Covey.
- Gen Paul Selva, USAF (Ret.), former Vice Chairman of the Joint Chiefs of Staff and former USTRANSCOM Commander.
- Gen Walter Kross, USAF (Ret.), former USTRANSCOM Commander.
- VADM David Brewer III, USN (Ret.), former Commander of Military Sealift Command and former Superintendent of the Los Angeles Unified School District.
- Robert Kaplan, Harvard Business School Professor and former Dean of Carnegie Mellon’s business school, who co-developed the Balanced Scorecard.
- CAPT Linton Wells II, USN (Ret.), former DOD CIO and National Defense University Professor.
- Dr. Melissa McCoy, Career Services Director and applied learning and teaching leader at Tougaloo College, a pacesetter for national service on cybersecurity upskilling of small businesses.
- Ed Hajim, longtime Wall Street and university leader, who started his career as a Navy officer in what would become the Military Sealift Command.
- Sanjay Sarma, MIT Dean of Open Learning, a national and global leader on supply chain and on the rollout of the free Open edX online learning platform, who has worked with the DOD on DIB effectiveness for over 20 years.
The Cybersecurity Committee also explored ways to leverage educational partnerships with local, regional, and national higher education resources. The goal would be to align service learning by higher education students, at no financial cost, with the needs of USTRANSCOM and DLA partners, especially smaller partners with limited resources. The Cybersecurity Committee seeks input from across the defense transportation sector on how best to mobilize the nation’s applied learning resources.
As one of the participants from a multi-billion dollar transportation partner said in the debrief after the close of the Cybersecurity Best Practices Committee meeting:
“University partnerships would be a huge help for our smaller suppliers who lack the resources for someone to facilitate them through the NIST frameworks. These higher ed students won’t have an understanding of each business, but they could be trained to hold the small business leader’s hand as a practical step toward completion of NIST-based assessments. The students could be trained to:
- introduce the concepts,
- do a basic assessment, and
- point the small business in the right direction to make improvements.”
For example, MIT and Harvard, along with leading colleges and universities across the US, contributed $80 million to create Open edX as a standard for improving the access, quality, and cost of nationwide upskilling, with extensive coverage of cybersecurity and supply chain topics. Participating institutions range from local colleges to large research universities (e.g., Georgia Tech, Caltech, University of Chicago, Rochester Institute of Technology, University of Texas System, Arizona State, University of Maryland System, UC Berkeley, UC San Diego, University of Washington, Indiana University, Notre Dame, Penn, Cornell, Columbia, Brown, Princeton, Dartmouth, Rice, NYU, Stanford, and University of Michigan). Today, edX reaches 40 million learners worldwide and has received an additional $800 million from private investment to strengthen the open source efforts. Despite those accomplishments, Open edX has yet to be fully engaged in cyber-readiness upskilling with NIST and the DOD’s Joint Deployment and Distribution Enterprise, let alone with the 300,000 DIB members or the firms making up the 16 critical infrastructure sectors that support the DIB.
Since the Committee was originally organized after 9/11, no year’s priorities have been more urgent. The Cybersecurity Best Practices Committee commits to Gen Van Ovost’s charge and to a public-private sector partnership that is more cyber-ready and less cyber-reactive.
Originally published in the December 2021 DTJ issue
By Ted Rybeck, Chair, Benchmarking Partners, & Chair, NDTA Cybersecurity Best Practices Committee
Updated Priorities of the National Defense Transportation Association’s Cybersecurity Best Practices Committee
(not in prioritized order)
- Exchange best practices among USTRANSCOM, DLA, DIB members, and software providers.
- Share updates and analysis of the actions and implications of the Presidential Executive Order of May 12, 2021 (EO 14028, Improving the Nation’s Cybersecurity) and of Executive Branch communications on DIB-related critical infrastructure across departments. (Leverage known, quantifiable industry expertise and findings in that process.)
- Increase participation in the no-cost cyber threat information exchange of the DIB Cybersecurity Program provided by the DOD CIO. (Contact 100% of the eligible NDTA members to encourage their participation. Learn the reasons why there is or is not interest in joining as a way to understand DIBNet’s value proposition.)
- Strengthen and measure the cybersecurity readiness of USTRANSCOM and DLA suppliers/partners through adoption of the 110 security requirements of NIST SP 800-171 and the streamlined three levels of CMMC 2.0: Level 1 = Foundational (the 17 basic safeguarding requirements of FAR 52.204-21, self-assessed annually); Level 2 = Advanced (all 110 NIST SP 800-171 requirements, assessed by a third party for prioritized acquisitions); Level 3 = Expert (adds a subset of NIST SP 800-172 requirements, with government-led assessment).
- Identify opportunities to assess USTRANSCOM & DLA partner readiness for continuity of operations during a cyber incident. (Maximum Tolerable Downtime varies by situation and role.)
- Improve industry-wide understanding on emerging contractual & regulatory requirements to support cyber-readiness for USTRANSCOM & DLA partners.