The Elara Edge: Expert Insights on Space Security

Episode 5: CMMC 2.0 and The Zero-Trust Strategy: How the DOD is Accelerating Cybersecurity Across the Defense-Industrial Base

The Elara Edge: Expert Insights on Space Security

Episode 5: CMMC 2.0 and The Zero-Trust Strategy: How the DOD is Accelerating Cybersecurity Across the Defense-Industrial Base

Host: Scott King

Subject Matter Experts: Lieutenant General (Ret.) Harry Raduege, Senior Partner at Elara Nova; Brigadier General (Ret.) Chad Raduege, Senior Partner at Elara Nova

00:00 – 01:42

In the waning years of the Cold War, the Department of Defense launched its Advanced Research Projects Agency Network, or ARPANET, one of the earliest iterations of the modern day Internet. In the decades since, cyberspace has become essential to streamlining decision-making up and down the kill chain.

Now, the threat landscape in the cyber domain is more malicious than ever. Nation-states, hacktivist groups, and individual actors are launching incessant cyberattacks against our military services, federal agencies, critical infrastructures and even commercial entities. In response, the DOD is implementing its Zero-Trust Strategy by 2027 to secure its cyber operations.

As part of this process, the DOD rolled out the Cybersecurity Maturity Model Certification 2.0 – or CMMC – providing a requirement framework for its defense-industrial base to follow. 

Welcome to “The Elara Edge: Expert Insights on Space Security.” I’m your host – Scott King. And joining us today to discuss how the DOD is securing its cybersecurity practices across its military services and defense-industrial base is Elara Nova Senior Partners Retired Lieutenant General Harry Raduege and his son – recently Retired Brigadier General Chad Raduege. 

Throughout each of their respective military careers, the Radueges have emerged as leaders in ensuring critical DOD information and operations are protected and secure. 

Sirs, thank you for joining me at the Elara Edge today. Can you begin by describing the modern cyber threat the DOD and its defense industry partners face today?

01:42 – 03:08

Yeah, Scott, thanks for the question. I’m going to take lead on this and then let my dad pile on with his perspective. 

There are three words that come to mind. One is constant. We are under constant attack in our DOD systems, the cyber capabilities that our adversaries are employing against us. We’ve had somewhere between, well, about 12,000 different cybersecurity attacks against our DOD systems since 2015. And that’s probably meeting a threshold of big cyber attacks and not just nuisances. 

The second word is complexity. We are seeing our adversaries employ something that we call ‘Advanced Persistent Threats.’ This is them working over not just days and weeks, but really months and years to gain a foothold into our DOD systems and having the capability that they can activate at a time of their choosing. That complexity is what challenges our cybersecurity professionals on a daily basis.

The third word that I would use is one of determination. Our adversaries are determined. Our DOD systems are very elaborate. But where they’re finding the soft underbelly is really in our contract workforces, in our program offices. And so they’re targeting those particular avenues of approach. So they’re very determined to get in and then sit and wait.

03:08 – 03:48

Yeah. Thanks, Chad. Let me add a little bit there to what my son has mentioned. The threats that we’re seeing in the cybersecurity world have just continued to grow in intensity, sophistication and even approaches. 

Successful breaches are conducted every day against all critical infrastructures, that being government, industry, banking and finance institutions, oil and gas companies, health care, retail, supply chain, etc., etc. Bottom line is no one is exempt from cybersecurity attacks these days. 

03:49 – 04:07

Thank you. And so it appears the DOD is laying out two solutions in response to these threats: the Cybersecurity Maturity Model Certification 2.0 – CMMC – and its Zero-Trust Strategy.

Let’s begin with CMMC 2.0. What is the DOD attempting to do with this framework?

04:08 – 04:56

It’s all about establishing baseline security, really some expectations for companies. Anyone that’s part of our defense industrial base that is providing capabilities to our Department of Defense – this gives them the rules of the game.

This began with CMMC 1.0 back in about the 2020 timeline, and this was trying to identify the intersection between military and commercial capabilities and organizations. And so this was really a methodology of trying to get after protecting our supply chain.

We fully expect that the CMMC 2.0 criteria will give those companies, those members of the defense industrial base an idea of what are the rules of the game? What are the expectations in providing baseline security for our systems?

04:57 – 05:25

Yeah, let me just mention one quick thing: This 2.0 really does streamline the requirements from 1.0, which had five levels down to three levels of cybersecurity. And it also aligns the requirements at each of these three levels with well-known and widely accepted National Institute of Science and Technology – or NIST – cybersecurity standards.

05:26 – 05:33

How does CMMC 2.0 factor into the DOD’s approach to establishing its Zero-Trust Strategy by 2027?

05:34 – 06:43

The zero-trust really can be boiled down to ‘Never trust and always verify.’ So DOD requires an enhanced cybersecurity framework that’s built on these zero-trust principles, including the very important aspect of developing a zero-trust mindset among every employee. And so education and training in the cybersecurity area is really key to the success of any organization going forward.

We’re actually having some standardized level one CMMC self-assessments which adds an entry level self-assessment that you can do for gaining higher levels of CMMC performance and certification. 

And this is particularly important I think for the small and medium businesses out there that don’t have the internal resources to either buy the cybersecurity expertise through personnel, or training or even consultants.

06:43 – 08:04

I think that’s a great point – that idea of mindset and education and training. Really, I think, Scott, what we need to remember with really both CMMC 2.0 as well as zero-trust – cybersecurity is a culture and it’s not a product. 

It requires a commitment of building the culture through education and training, through funding, through investment. Cybersecurity is that culture and not just the product.

Just last fall, the Department of Defense released their ‘Zero-Trust Strategy.’ And in that strategy, it acknowledged that each of the services are different in the way that they operate, maintain and fund zero-trust strategies in the way that they’re building their cybersecurity culture.

And so they’re holding each of the services accountable for turning in a review of where you are. What does your zero trust strategy now look like? And DOD plans to review those over the next several months.

But still, what DOD is recognizing and acknowledging is that their timeline is 2027. And so we’ve been on an eight year journey to get zero-trust in not a unified fashion, but by service, implemented into the DOD – that’s optimistic. We’ll remain hopeful that that comes to fruition. But that’s where I think we are right now.  

08:05 – 08:22

Space and cyberspace are inherently interconnected as warfighting domains. This is reflected in the Space Force’s founding as the military’s first fully “digital service.” So what role can the Space Force serve as a cybersecurity leader for the DOD and its defense-industrial base?

08:23 – 09:41

There are three things that come to mind when I think about the role that the Space Force is playing and could play moving forward. One is their size, because of their size, because of the way that they have streamlined their processes. I believe they have the agility to quickly and rapidly field capabilities and shape processes, tools, tactics, techniques and procedures.

The second one is they have unity of action. There is a unique thread that is being pulled through our Space Force right now from young Guardian to senior leader, where there is unity of effort in the way that they’re thinking about their role in the future, their role as a digital service. 

The third thing that comes to mind when I think about the Space Force and their digital service capabilities – their relationships between the U.S. Space Force and industry. There is this collaboration, these relationships that take place between those that have the requirements and those that are delivering upon the requirements. And so if we could figure out some way to harness that relationship, tie together the military and our commercial providers, I believe there’s huge power moving forward.

09:42 – 10:09

I believe that digital services that are provided by the space and cyberspace domains and specifically U.S. Space Force and U.S. Cyber Command. These serve all the other operational domains: land, air, sea and themselves. So these digital services are critical to proper and efficient Department of Defense operations going forward.

10:10 – 10:48

I would just chime in and offer a perspective, as I went through a two year experience in the European theater and got to witness firsthand the initial stages of Russia’s drive into Ukraine.

The Russian attack into Ukraine was started by taking down ViaSat. They attempted to blind the Ukrainian people, Ukrainian command and control military forces and they attacked the ground stations. So that’s a real-world example of the way that kinetic and non-kinetic threats come together by, not only the space front but also on the cybersecurity front.

10:49 – 11:06

Why is it important for the Space Force to collaborate with its industry partners, through a framework like CMMC 2.0, to not only ensure appropriate cybersecurity protections are in place across the defense-industrial base, but also to adapt commercial cybersecurity solutions for the national security mission?

11:06 – 12:09

Yeah, me start with, if we don’t have this, then we can lose control, forfeit assets and experience manipulation by others, and that is across the space, government, the industry partners in particular. You must establish a comprehensive cybersecurity risk management plan. The CMMC 2.0 is a really great start of government and industry and academia, frankly, working together. 

It’s essential that the Space Force and all of our military forces continue to leverage what they see and can gain from commercial cybersecurity measures and practices and innovation. We have the best commercial capabilities available and the capabilities that we have available to us are targets for other nations to gain access to and to leverage themselves.

12:10 – 13:50

We must remember that we’re all part of one big team and our adversaries are looking for the weakest link and so there’s what drives our commitment. The impacts of what space provides not only what my dad referenced before of the impact to every one of the other services and all of the domains – when you start talking about precision, navigation and timing, these are the things that drive all of our military capabilities and robustness.

Scott, I think this is the importance of establishing a relationship. All too often we sometimes in DOD point to the commercial industry in Silicon Valley and say, ‘They’re so much faster and they’re doing it so much better, let’s just adopt everything that they’re doing.’

In their line of business, that may work for them. In reality, as you start raising those risk calculus conversations to the national security level and implementation across our Department of Defense, that’s where I think that it is – at times – a little bit of an apples and oranges comparison. That doesn’t mean that we cannot learn an enormous amount from Silicon Valley in their agility, in their practices, the way that they harness speed to implementation. Those are all great things. 

So what I would offer for the Space Force and learning from the commercial entity is the idea of a relationship, have the conversations, see what works and what doesn’t. But I think it’s a bridge too far to just say we’re going to scrap everything that we have done to maintain national security and implement a process without any further questions. It requires a dialogue.

13:51 – 14:06

Considering the depth and breadth of each of your experiences in cybersecurity and the service of our nation – how can Elara Nova facilitate the adoption of Zero-Trust principles for both the DOD and its industry partners?

14:07 – 14:47

The Elara Nova team has partners with years and years of unequaled experience across the space and cyberspace areas of operation. Chad and myself, we have years of experience working in space operations, network operations, cybersecurity, command and control, communications. Chad, having just short of 30 years. Myself, having over 35 years of military experience. So that’s 65 years experience total between just the two of us.

14:48 – 16:08

I would offer that there are two things that kind of come to mind as I look at the team of experts that Elara Nova has brought together and what we can offer by way of facilitating those stronger relationships and principles and partnerships moving forward. 

One of those is just taking advantage of all of that expertise that my dad referenced. That expertise will translate into identifying best practices across a number of different areas and domains and capabilities and organizations and units. And so you have the opportunity of leveraging all of those best practices that we’ve seen over years of our time together for the benefit of our nation. 

The second is really, I think, the power of Elara Nova and that’s in relationships and really the capability of being an integrator between our military, our commercial capabilities and academia as a whole. That ability to have established relationships over many, many years in uniform, out of uniform, at conferences, on real-world missions, the ability to leverage that relationship and be the integrator and facilitator of great talks is really the power of Elara Nova.

16:08 – 17:00

If you’re interested in learning more about the DOD’s approach to establishing and implementing a Zero-Trust Strategy across its services and defense-industrial base – visit our Insights page at www.elaranova.com.  

This has been an episode of The Elara Edge: Expert Insights on Space Security. As a global consultancy and professional services firm focused on helping businesses and government agencies maximize the strategic advantages of the space domain, Elara Nova is your source for expertise and guidance in space security.

If you liked what you heard today, please subscribe to our channel and leave us a rating. This episode was edited and produced by Regia Multimedia Services. Music for this podcast was created by Patrick Watkins of PW Audio. I’m your host, Scott King, and join us next time at the Elara Edge.