Cybersecurity remains a critical concern for U.S. Transportation Command, the organization’s leader said Feb. 25.
While the broader commercial defense logistics enterprise has improved its cyber hygiene, much work remains.
“The way I would characterize the cyber vulnerabilities is it’s probably the most consequential to the mobility enterprise,” Gen. Stephen Lyons, commander of Transportation Command, told the Senate Armed Services Committee Feb. 25. “We’ve included contract language in all of our contracts. We check compliance, we have a self-reporting mechanism. We believe that their level of cyber hygiene is increased significantly from this level of effort.”
Given the heavy reliance on hundreds of commercial companies to move people and resources across the globe, cyber has long been a major concern for Transportation Command leaders.
“Ignoring cyber is not an option for us,” said Gen. Darren McDew, U.S. Transportation Command’s commander, at DoDIIS 2017 August 14 in St. Louis.
However, when asked if the organization can conduct inspections on suppliers without notice, Lyons said he doesn’t have that authority. Department of Defense leaders have become increasingly concerned that adversaries are targeting the defense industrial base for critical information. Lyons noted that these companies cannot withstand attacks from so-called advanced persistent threats. As a result, Transportation Command has built resiliency into its contracts.
At the same time, the Pentagon has released a new model for measuring the cybersecurity of contractors as a means of leveling the playing field for big and small companies bidding on contracts. The Cybersecurity Maturity Model Certification (CMMC) is a tiered cybersecurity framework that grades companies on a scale of one to five based on the level of classification and security that necessary for the work they are performing.
The Pentagon has finalized the long anticipated cybersecurity standards contractors will have to follow before winning contracts from the Department of Defense, a new process called the Cybersecurity Maturity Model Certification (CMMC) 1.0.