Cybersecurity is all about Puzzles
Everyone understands that US military secrets should not be shared with our enemies. Items that are classified typically have markings such as Confidential, Secret, Top Secret, etc. There are other titles given to classified documents depending on the organization, but the common understanding is that if any of our classified information is shared with a person or entity that is not authorized to have it, or does not have a need to know it, it could have grave consequences for our national security.
However, things that are not classified at all can also damage our national security significantly.
Imagine that you were a founder of a company that designed a widget. You then hired a manufacturer to make this widget and you hired a distributor to sell it for you. Now, imagine that this widget was a critical component in a fuel distribution system which was being sold to commercial ships in the oil and gas industry and your company was thriving. The widget worked so well that it got the attention of a marine design company that was contracted by the US Navy to provide detailed design documents which were going to be used to build the fuel system on the next guided missile frigate. The owner agreed to build a military-specification-compliant version of the widget. The Navy planned to build 15 frigates, so the owner was pleased.
A year later, at a trade show, someone told the owner that someone else was selling a device that looked a lot like his widget. How could that happen? Well, perhaps the owner uploaded the drawing to the company website or sent the drawings to the manufacturer by fax. Clearly, the founder was not protecting the company’s intellectual property, and if that widget was going to be an important part of the fuel system on a US Navy ship, it could be considered Controlled Unclassified Information (CUI). Because it was unclassified, the owner felt that it was OK to handle it without much thought. After all, it was first used in a commercial ship.
A modern US Navy warship is a highly complex collection of equipment and systems all designed to work together so that the crew and the ship can perform the assigned missions. While some designs are classified depending on the vessel and the system, a great deal of those complex systems and equipment are completely unclassified and in fact are more like puzzles with potentially thousands of components. The fuel system on a frigate is no exception. You must have fuel tanks, pumps, control systems, miles of piping, a ton of valves, detailed safety features, and a highly trained crew to operate it.
Now let us change the view to a hypothetical hostile country called Broesal that is trying to create a Navy that can compete with our Navy. Our Navy was founded on 13 October 1775, so we have hundreds of years more experience in shipbuilding than Broesal has. How could Broesal even begin to understand what systems are on a warship and how to create them? So, what do they do?
They google everything and then they start to put the pieces of the puzzle together. There is so much information, including drawings and proprietary information, on the web that even though it may take years, they can learn almost everything that they need to give them a significant boost. Many real countries have already done this. As a nation, we have not done a good job of protecting our CUI. To correct this, the DOD is requiring that all DOD vendors that handle and/or store CUI have a third-party audit to ensure cyber security compliance. This program is called the Cybersecurity Maturity Model Certification (CMMC).
ESI Acquisition Corp doing business as JA Moody and Moody Marine Service Inc are ahead of the curve. In early 2020 we hired a consultant who is guiding us through the intense preparation to successfully pass a third-party CMMC audit. As of this writing, we have all 110 controls documented with a highly detailed Plan of Action with Milestones (POAM) that we are meticulously managing. We expect to pass our third-party audit this year.
There are a lot of puzzles out there and over time competitors and even enemies of our country will want to get their hands on the controlled ones. JA Moody and Moody Marine Service are doing our best to make sure that our controlled information remains perfectly secure. For additional information about JA Moody & our cyber security measures, please contact us.
Further details on CMMC requirements can be found at CMMC_Model_Main_20200203.pdf (osd.mil)