We've worked with hundreds of Aerospace and Defense contractors over the last several years in an effort to help them improve their security and compliance posture in the face of increasing government regulatory requirements, such as DFARS 252-204.7012 / NIST 800-171 and now the Cybersecurity Maturity Model Certification (CMMC). And, with the DFARS Interim Rule taking effect on November 30, 2020, CMMC certification will now be required at the time of contract award or option year award if included in the acquisition/solicitation, and the certification must be acquired in the previous three years. Therefore, DFARS 7021 will be included as guiding requirements for use in solicitations and contracts until September 30, 2025.
Aerospace and Defense organizations must defend against continual attempts to compromise their systems and gain access to the CUI / CDI / ITAR content that they maintain, and many rely on cloud technologies to host and protect this content. As part of that experience, I have researched and documented many different platforms to help customers get the most from their implementations and achieve their goals with the most comprehensive and cost-effective technology possible. These platforms range from traditional on-premises architectures to the various cloud platforms like Office 365, Google G Suite, Microsoft Azure and Amazon Web Services.
This is one of several blogs which will breakdown common platforms and what they offer in terms of security and compliance features. Feel free to check out previous blogs on building security and compliance solutions using Microsoft Office 365, Office 365 Government Community Cloud and Azure Gov.
Understand Where You Are and Where You Need to Go
Typically, one of the first discussions I have with customers is about their current system or platform, and what the process entails to become DFARS 252.204-7012 / NIST 800-171 and CMMC compliant on that respective platform. A thorough evaluation often reveals surprising vulnerabilities, which typically leads to a change in platform and/or infrastructure.
The conversation typically leads to a discussion centered around contractual requirements and operational goals (ISO, collaboration across departments, securely sharing information with varying workforces).
Below is a quick look at Google G Suite and how it tackles both of these conversations. Bottomline, Google’s G Suite is an affordable option for many businesses and offers many user-friendly benefits, but there are significant challenges for the Aerospace and Defense community. Let’s explore how it performs against the technical requirements of federal regulations such as CMMC, DFARS, NIST 800-171, ITAR and the FAR.
Google G Suite Software – Inexpensive and Cool but is it Secure?
Google built the G Suite Software as a Service (SaaS) products to be a series of consumer oriented and standalone components. The result was several user-friendly services that individuals loved and kickstarted the first wave of cloud adoption. The popularity of the consumer products led Google to develop a business focused platform which competes with the Office 365 and Microsoft 365 suite. Unfortunately, the consumer roots of the products do show through when the requirements of handling Government CUI/ITAR data are levied against it.
In the platform's favor, it is relatively inexpensive - especially at the entry level. Many small businesses bought into the least expensive version of G Suite and never moved because the day to day functionality that they needed was provided by the basic version of the platform. With the G Suite basic you receive email, voice and Video Conferencing, Web Based Office Productivity tools and 30GB of personal cloud storage. What you don’t get is any kind of significant security controls.
Additionally, I have had numerous executives tell me that they want to stay on Google because it is a “different” or “cool” platform and provides them a differentiator from other Aerospace and Defense companies, giving them a culture bonus when competing for new hires. Younger employees and recent college graduates also tend to transition to the platform with additional ease during on-boarding because of past exposure to the products.
There's no question that G Suite is the lowest priced option, but it has difficulty being technically acceptable. Let’s evaluate how G Suite meets security and compliance technical controls for your business with DFARS, NIST, ITAR and emerging CMMC requirements.
Google Security and Compliance for DFARS Requirements
Government contracts have commonly required compliance with Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012. To summarize, DFARS 7012 specifically strives to protect 23 categories of CUI data by ensuring compliance with cloud computing standards (FedRAMP Moderate), security controls (NIST 800-171) and cyber incident reporting for CUI data associated with government contracts.
Specifically, DFARS paragraphs C-G define the cyber incident reporting requirements, and Google G Suite Services cannot meet these requirements in their entirety. One of the biggest holes is the inability to properly report incidents to the government with detailed information including a forensic image of the breached system. This means that Google customers with Defense and Aerospace contracts with the “7012 Clause” are in risky situation if they maintain CUI data using G Suite as they will not be able to respond to government requests for data in case of an incident.
Google Security and Compliance for CMMC and NIST 800-171 Requirements
Not to be dramatic, but this is the biggest gap of all.
Protecting Unclassified Information in Nonfederal Information Systems and Organizations, NIST SP 800-171 is the referenced regulation within DFARS and CMMC that further defines data compliance requirements. NIST 800-171 is responsible for identifying appropriate information security controls, including minimum requirements for non-federal information systems holding CUI data. With CMMC requirements now federally mandated by the DFARS Interim Rule, the protection of CUI has been amplified.With CMMC, DoD contractors that process, store, or transmit CUI must achieve CMMC Level 3 or higher (dependent on the sensitivity of the information associated with the program or technology being developed).
Google had an assessment completed by a Third Party Assessing Organization (3PAO) to determine their level of compliance and the assessor found the following 5 deviations from NIST 800-171.
CMMC AC.2.009 / NIST 3.1.8 – Limit Unsuccessful Logon Attempts
CMMC AC.2.005 / NIST 3.1.9 – Provide privacy and security notices consistent with applicable CUI rules
CMMC IA.2.078 / NIST 3.5.7 – Enforce a minimum password complexity and change of characters with new passwords are created
CMMC IA.2.079 / NIST 3.5.8 – Prohibit password reuse for a specified number of generations
CMMC MP.3.122 / NIST 3.8.4 – Mark media with necessary CUI marking and distribution limitations
Not only do these gaps make it more difficult for contractors to achieve technical compliance on the platform, it also leaves several potential situations that could lead to the compromise of CUI data. The fifth item is also one of your leading protectors against inadvertent release, as demonstrated in the graphic. With proper marking/labeling and rights management, data is distributed where it needs to go and handled appropriately when it is received.
Future Google Releases for Improved Security and Compliance
While it is possible that Google addressed these holes with a compensating control, the appropriate compensating control is not addressed in the 3PAO report. Additionally, numerous other controls that Google is leveraging within their platform are dedicated to only a subset of the services within the platform. For example, Data Loss Prevention (DLP) is only available in Gmail and Drive. There is no DLP in Google Docs or any of the other solutions on the platform. I am not going to go through all of the services highlighting the deficiencies, but this is just an example of potential CMMC Level 3 and NIST 800-171 issues that you may run into.
DLP Coverage in G Suite
From customers I have talked to and other reports I am getting through the industry is that Google is attempting to work around the issues above by doing third party encryption on top of all data using an encryption gateway or other technology. This approach provides serious difficulties in management of data for customers holding CUI and Export Administration Regulations (EAR) content, and is not supported for ITAR data (explicitly). We get into the topic of ITAR next. Also, companies begin to quickly lose the cost savings of G-Suite by purchasing bolt-on security products.
One additional issue with this approach is that all access to the data for services such as Data Loss Prevention, Anti-Virus, Anti-Malware, Search, eDiscovery, etc, is lost (how they work in Microsoft O365). With an external encryption gateway, the SaaS services cannot access the data to perform any of these security and management functions.
Google Security and Compliance for ITAR Requirements
Finally, and the most serious issue for Aerospace and Defense companies, is the lack of ITAR support within GSuite. Google recommends against using their platform for any ITAR or EAR content. This is covered in their FAQ located here: https://support.google.com/googlecloud/answer/6056694?hl=en
In Google’s own words: “The International Traffic in Arms Regulations (ITAR) is a set of U.S. government regulations that control the export and import of defense-related articles and services on the United States Munitions List (USML). Google does not support use of our services with ITAR-controlled data.”
To understand why Google would recommend against putting ITAR content into their platform, you must understand a bit more about how their environment is built and staffed. First, Google doesn’t guarantee that information within their services will stay within the United States. They have data centers all over the world and depending on the services you are using, your data may be in any or all of these data centers at any point in time. The G Suite data centers are in Taiwan, Singapore, Ireland, Netherlands, Finland and Belgium. Secondly, given that they cannot guarantee data residency, they also cannot guarantee that all of the administrators and technicians for their services are US Persons and have been through the appropriate background checks required for access to CUI/ITAR data. They routinely hire non-US Persons for administering their platform and this is a significant problem for companies that have a requirement to maintain export-controlled information within their cloud service.
In contrast, Microsoft provides the complete opposite and meets the aforementioned requirements, but there is a cost associated with the added capabilities.
Thoughts and Risks to Consider (Jump to #4)
Google G Suite is a fine SaaS product and has found a strong following in education and numerous other commercial verticals. Based on the limitations I have highlighted above, it is best that Aerospace and Defense companies with a need to meet DFARS 252.204-7012, NIST 800-171, CUI, or ITAR/EAR compliance steer clear of deploying their internal IT Systems on G Suite until Google can meet the following concerns:
- Data residency requirements
- Guarantee US Persons for administration (which will not happen quickly)
- Pledge to meet all DFARS requirements
- Achieve full NIST 800-171 compliance for their cloud platform.
You can, nevertheless, meet CMMC Level 1 and possibly Level 2 while remaining on G-Suite.
Here are a few key items that make it quite risky for an Aerospace and Defense company to go Google.
- Risk of losing contracts. The Missile Defense Agency underwent an audit in the recent past that produced several findings and remediation that trended towards more strict enforcement of DFARS/NIST 800-171. DCMA has stepped up auditing measures, along with CMMC auditing ramping up at the end of 2020.
- Risk of losing subcontracts. Not only is the Government heating up its enforcement of cyber security requirements, large prime contractors are now including black and white language about compliance with DFARS/NIST 800-171 and their CMMC Level expectations for teaming.
- Risk of losing contract competitions (RFPs). Contract authorities are beginning to change grading criteria to favor those contractors with air-tight technical controls and secure data management systems.
- Risk of being hacked, attacked, or worse. Just read this headline and article. It speaks for itself. "China hacked a Navy contractor and secured a trove of highly sensitive data on submarine warfare" Want to hedge bets on how much work that contractor receives from the Navy henceforth? Or any agency for that matter?
Contractors must now treat data protection as a strategic and operational requirement to maintain or win business. Other platforms (ex. Amazon Web Services, AWS) pose similar risks. Passivity is not appropriate or prudent on this front. We must evaluate the technical controls to determine if the current IT platform is sufficient or if a new platform provides the right strategic benefit.