
CMMC 2.0 and The Zero-Trust Strategy: How the DOD is Accelerating Cybersecurity Across the Defense-Industrial Base

As the First “Digital Service,” The Space Force Must Lead the Way in Securing Military Operations for JADC2

During the peak of the Cold War, the Department of Defense (DOD) launched its Advanced Research Projects Agency Network (ARPANET), pioneering one of the earliest iterations of the modern-day Internet. Since then, as cyberspace has permeated DOD operations and nearly every aspect of society, the threat landscape in the domain has grown with it. Today, malicious nation-states, hacktivist groups and individual actors launch cyberattacks against military services, federal agencies, critical infrastructures and even commercial entities. In response, the DOD released its Cybersecurity Maturity Model Certification 2.0 framework to streamline its cybersecurity measures and practices into a single, cohesive Zero-Trust Strategy.

“CMMC 2.0 is an evolution of our cybersecurity mindset,” said Brigadier General (Ret.) Chad Raduege, Senior Partner at Elara Nova: The Space Consultancy. “This process began with CMMC 1.0 back in 2020, which sought to identify the intersection between military and commercial capabilities in organizations. Now, it’s about establishing baseline security expectations for companies in our defense-industrial base.”

CMMC 2.0 provides a guideline of certification requirements that ensure safe and reliable cybersecurity practices from defense industry partners. The framework includes three levels of cybersecurity that abide by processes and practices established by the National Institute of Standards and Technology.

“CMMC 2.0 streamlines the requirements from CMMC 1.0, which had five levels, down to three levels of cybersecurity,” said Lieutenant General (Ret.) Harry Raduege, Senior Partner at Elara Nova and father of Brig Gen (Ret.) Chad Raduege. “This standardizes cybersecurity requirements and practices across the Department of Defense. This is a huge step forward, beginning with self-evaluation and knowing what the requirements are, so even a small and medium business can be a contractor for a Department of Defense business opportunity.”

CMMC 2.0: A Pathway to Zero-Trust

The release of CMMC 2.0 comes as the DOD seeks to adopt a “Zero-Trust Strategy” across all of its respective military services by 2027.

“In their Zero-Trust Strategy, the DOD acknowledged that each of the services are different in their approaches to operating, maintaining and funding zero-trust strategies,” said Brig Gen (Ret.) Chad Raduege, who previously served as the Director of Command, Control, Communications and Computers/Cyber Directorate for the United States European Command. “Now, the DOD is holding each of the military services accountable for turning in a review of where they are in the process in anticipation of a Congressional discussion in January of 2024.”

The zero-trust approach, however, goes beyond the DOD to include other federal agencies and defense industry partners that are also targeted by cyberattacks. 

In summary, zero-trust can be described with an axiom that harkens back to the Cold War.

“The zero-trust strategy can be boiled down to ‘Never trust and always verify,’” said Lt Gen (Ret.) Harry Raduege, former Deputy Commander for Global Network Operations and Defense at U.S. Strategic Command Joint Forces Headquarters – Information Operations for the U.S. Air Force. “The DOD requires an enhanced cybersecurity framework that’s built on these zero-trust principles, which includes developing a zero-trust mindset among every employee. So education and training in cybersecurity are the keys to success.”

Brig Gen (Ret.) Chad Raduege echoes his father’s perspective as it relates to implementing zero-trust across an organization, whether they be a military service or a defense industry contractor.

“We need to remember that both CMMC 2.0, as well as zero-trust cybersecurity, is not a product. It’s a culture that requires a commitment to build it through education, training, funding and investment. That’s where zero-trust and CMMC 2.0 really come to life.”

Zero-Trust and JADC2 Operations

Zero-trust is poised to be a critical pillar for future DOD operations, particularly as the Pentagon develops and adopts its Joint All-Domain Command and Control (JADC2) imperative. According to Lt Gen (Ret.) Harry Raduege, cyber threats targeting the military and its industry partners include denial-of-service attacks, cyber theft, ransomware, spear phishing and misinformation campaigns.

“The bottom line is no one is exempt from cybersecurity attacks,” said Lt Gen (Ret.) Harry Raduege, the former Commander of Joint Task Force – Global Network Operations. “Successful breaches are conducted every day against all critical infrastructures: government, industry, banking and finance institutions, oil and gas companies, health care, retail supply chain, etc. The threats have continued to grow in intensity and sophistication compared to the early attacks that we experienced.”

Now, with emerging technologies such as artificial intelligence and quantum computing gaining prominence, the threat landscape is continuing to evolve at an exponential rate. While these technologies can facilitate stronger cybersecurity defenses, they can also foment more malicious attacks that are harder to detect and defend against. That’s why, born as the first “digital service,” with strategic implications and responsibilities across all military domains, the Space Force must lead the way in establishing strong and secure cybersecurity practices.

“This is an opportunity for our Space Force, with their identity as a distinct digital service, to really impact DOD as a whole,” said Brig Gen (Ret.) Chad Raduege, citing the Space Force’s size, unity of action and its relationships with industry partners as strategic advantages. “There is a collaborative relationship between the USSF, which has requirements, and the industry partners that are delivering upon those requirements, which can be harnessed to be a huge advantage moving forward.”

Often perceived as the “digital backbone” of the JADC2, the Space Force will have a prevalent role in enabling communication and collaboration across all five operational domains: land, sea, air, space and cyberspace.

“For a JADC2 system that will take advantage of what each military service brings to the fight, each military service must build out a capability that will interact and interface with the others,” said Lt Gen (Ret.) Harry Raduege, who as the Director of Defense Information Systems Agency facilitated joint all-domain interoperability across the military services. “This is a huge task. But each one of those operational domains depends on and is serviced by space systems, so a cybersecurity program like CMMC 2.0 is required.”

Cybersecurity Collaboration Across the Defense-Industrial Base

As the Space Force strengthens its relationship with commercial partners across a variety of space-based missions, industry partners can expect the service to leverage commercial strengths for cybersecurity, as well. 

Yet Brig Gen (Ret.) Chad Raduege cautions that while CMMC 2.0 is a great starting point for the DOD to leverage the capabilities of commercial industry for a zero-trust approach, employing commercial practices toward national security applications should be done responsibly and with extensive collaboration with industry partners.

“The importance is in establishing a relationship, as some cybersecurity practices may be effective in commercial business. But as you start applying those risk calculus conversations to the national security level for implementation across our Department of Defense, that’s where it is – at times – an apples to oranges comparison. But that doesn’t mean that we cannot learn an enormous amount from industry in their agility, practices and implementation.”

Lt Gen (Ret.) Harry Raduege agrees.

“When it comes to the Space Force and learning from the commercial sector, it’s really the idea of a relationship where you can have the conversations about what works and what doesn’t. But we’re not going to scrap everything that we have done to maintain national security and implement a new cybersecurity process without any further questions. That requires dialogue.”

The urgency for military and industry collaboration in cybersecurity grows more and more each day. According to the U.S. Government Accountability Office, there have been at least 12,000 registered cyber attacks against DOD systems since 2015.

“All of our military forces today, U.S. Space Force included, are stressed,” Brig Gen (Ret.) Chad Raduege said. “Our DOD systems are under constant attack from the cyberattacks our adversaries are employing against us. To respond to these threats, it’s essential that the Space Force and all of our military forces continue to leverage commercial cybersecurity measures, practices and innovation.”

That’s where Elara Nova, as a space consultancy with cybersecurity experts such as the Radueges, can leverage their decades of experience to secure our space systems.

“We’re really talking not just about space and cyberspace, we’re talking about every other operational domain that those domains support,” said Lt Gen (Ret.) Harry Raduege. “Space systems include everything from the ground units and facilities that are going to maintain connectivity with space assets. We must keep satellite information software updated and current to respond to the newest cyber attacks. But we must also secure the supply chain that builds space assets, the launch capabilities that get those assets to orbit and the systems already in orbit. Cybersecurity needs to be embedded in every bit of that.”

Now working together as partners on the Elara Nova team, the Radueges are continuing their support for strengthening robust military and industry partnerships in cybersecurity.

“The Elara Nova team can facilitate those stronger relationships moving forward,” Brig Gen (Ret.) Chad Raduege said. “Elara Nova’s expertise will translate into identifying best practices across a number of different domains, capabilities, organizations and units so clients can leverage all of the best practices for the benefit of our nation. The power of Elara Nova is in relationships and being an integrator among our military, our commercial capabilities and academia to accomplish real-world missions.”

Elara Nova is a global consultancy and professional services firm focused on helping businesses and government agencies maximize the strategic advantages of the space domain. Learn more at https://elaranova.com/.