Success Stories



Multi-Level Model Program Helps Build Cyber Posture for Washington State's Military and Defense Sector

Company Profile

As the second-largest public employer in Washington, employing more than 127,000 active duty, reserve, guard, and civilian personnel and home to over 540,000 veterans, including 71,000 retirees, and 88,674 military families, Washington's military and defense community supports over $13 billion in annual procurement, supported by nearly 2,000 businesses across the state and representing almost 3% of the state's GDP.

 

Situation

In early 2020, Impact Washington commenced a cybersecurity grant project funded by the Department of Defense Office of Local Defense Community Cooperation (DoD OLDCC) through the Washington State Department of Commerce Office of Economic Development and Competitiveness with the broad intent of strengthening Washington State cybersecurity posture in the defense supply chain.

The objective of this program was to provide outreach and education to all known companies in the Washington DoD Supply Chain. The program is divided into two elements. Cybersecurity resiliency involved influencing the ability of those in the DoD supply chain to prepare for, respond to, and recover from cyber-attacks. Cyber independence elements involved mass-scale outreach and education on cybersecurity risks to all members of the DoD supply chain to offer training on best practices, risk mitigation options, and ensuing DoD cybersecurity compliance requirements.

Solution

The primary focus of cyber resiliency was to assist members of the Washington State defense supply chain in assessing their current cybersecurity maturity level. More specifically, the aim was to assist in advancing them toward compliance with DoD cybersecurity requirements (more recently including CMMC) and to prepare them to maintain a resilient cybersecurity posture. There was considerable discussion about how best to provide direct assistance to the DoD supply chain members. In the end, we decided that the best option was to provide support through private companies with expertise and experience in DoD cybersecurity standards. Some of the factors contributing to this determination included:

  • It was believed that target companies would need to receive initial support and have an ongoing relationship with an expert cybersecurity resource, so we wanted to facilitate that relationship.
  • As there are currently not many cybersecurity practitioners serving the SMB (Small and Medium-sized Business) market, we wanted to spread engagements across several contractors to minimize the influence of a potentially ineffective contractor.
  • We wanted to evaluate client receptivity and effectiveness on a variety of support approaches by various contractors.
  • We wanted to identify the most effective programs to establish replicable support models for other members of the DoD supply chain.

The initial program envisioned that cyber interdependence training would be conducted utilizing five in-person training sessions across Washington state. As the program was initiated just before the beginning of March 2020, when the COVID-19 restrictions started to go into effect, in-person training was not possible. A series of three virtual webinars was planned and delivered in March, April. The program team utilized a list of the Washington State defense supply chain members for outreach and promotion of programs. Lessons learned from the webinars led the team to realize that events conveying extensive cybersecurity compliance data are likely not the most effective means of providing training for a complex topic such as CMMC. There was a consensus among stakeholders that better training would be role-based, self-paced, and self-guided. Specifically, efforts would be led by cybersecurity training firms with experience in GRC (Governance, Risk & Compliance) and cybersecurity training via an LMS (Learning Management System) platform. In addition, an LMS platform represents a cost-effective means of training large numbers of learners. It can diminish the perishability of material with the ability to update content as requirements evolve.

Results

  • 36 select members of the Washington State defense supply chain were provided direct support.
  • Average Supplier Performance Risk System (SPRS) cybersecurity score increase was 50.
  • All participating companies drafted their company's System Security Plan (SSP), with 18% completing it.
  • All participating companies drafted their Plan of Action and Milestone Status (POAM), with 18% completing it.
  • 258 individuals registered for self-paced, online CMMC Compliance Readiness Courses. 83% of individuals are members of the Washington DoD Supply Chain.
  • 104 individuals completed the CMMC Senior Management Course, CMMC Practitioner Course, or both. 80% of individuals are members of the Washington DoD Supply Chain.
  • A better understanding of roadblocks and barriers for companies to continue their cybersecurity journey.


“This program helps us understand what we need to do to improve our security posture and what an auditor will look for during an audit. This engagement prepares us for our CMMC (audit) later this year.” - Owner and Principal, Company specializing in design and manufacture of both standard and custom process equipment

 

“As a company leader with minimal experience in cybersecurity, we would not be well on our way to CMMC understanding and compliance had Impact Washington not assisted. We would be at high risk of losing our government business, which would have had a catastrophic effect on our company. Thank you, Impact Washington!” - President and CEO,

 

“Our prior SPRS score had several unknowns/gaps. The post score was better afterward and had bolstered several areas where we had marginal support.” - Director of Business Development, Industrial Service Provider