The Department of Energy has initiated an effort to foster collaboration between the government's national security experts and the energy industry's operational technology managers.

DOE said Wednesday its OT Defender Fellowship tasks Idaho National Laboratory to help critical infrastructure security practitioners gain an increased understanding of cybersecurity.

The Cyberspace Solarium Commission, a law-mandated group tasked to advise on the country's cybersecurity strategy, supports the OT Defender Fellowship.

“Securing our energy infrastructure is not an abstract policy idea, it is an immediate need to protect our nation from the real threat of malign actors,” said Sen. Angus King, CSC co-chair.

The Foundation for Defense of Democracies’ Center for Cyber and Technology Innovation will serve as INL's partner for the effort.

“Operational technology security managers keep the core physical systems of our energy infrastructure running smoothly in the face of natural disasters, physical sabotage and nation-state cyberattacks,” said Dan Brouillette, secretary of energy.

“I have long supported efforts like the OT Defender Fellowship to provide opportunities for closer interaction between critical infrastructure providers and U.S. government cyber operators," said Tom Fanning, CSC commissioner.

Christopher Krebs, director of the Cybersecurity and Infrastructure Security Agency and a 2020 Wash100 Award winner, said the lack of foreign cyber interference in U.S. election systems this year could be attributed to more than three years of collaboration, NBC News reported Wednesday.

"I think what you're seeing more than anything is 3½ years of collaboration," Krebs said.

He noted about CISA’s joint initiative with the Election Assistance Commission and the U.S. intelligence community to protect the presidential elections from foreign adversaries.

"The 50 states are working together, sharing information," Krebs said. "From where we came in 2016 to where we are, we have a much better game plan."

Krebs warned that hackers will continue for weeks to influence and compromise the election’s integrity. 

"We are by no means through this," Krebs said. "There's still a lot of time left on the clock. There are a number of things that could happen tonight, tomorrow, the ensuing weeks."

Gen. Paul Nakasone, fellow Wash100 Award recipient who leads both the National Security Agency and the military's U.S. Cyber Command, said "I'm confident the actions we've taken against adversaries over the past several weeks and months have ensured they're not going to interfere in our elections."

Katie Arrington, chief information security officer at the office of assistant secretary of defense for acquisition and a 2020 Wash100 Award winner, said the requirements and other elements of the Cybersecurity Maturity Model Certification program could still change as the Department of Defense (DoD) assesses the public comments submitted through the end of November, Nextgov reported Wednesday.

An interim CMMC final rule will take effect Dec. 1 and Arrington said a final rule could be released by February.

“The level three in the CMMC is the 110 controls in the NIST,” Arrington said. “Right now it has 20 additional controls added to it. We’re open to public comment period. So if any of you have any thoughts on those additional 20 controls, please, before November 30, you have to go in and register and submit those.”  

Although she expects about 0.06 percent of contractors will need to comply with the requirements at the very top of the five-tier CMMC program, Arrington said she thinks those would be “the biggest conversation pieces that we'll be having over the next six months.”

“We have to be judicious with our budgets,” she added.

Arrington will serve as the keynote speaker at the Potomac Officers Club’s Fall 2020 CMMC Forum on Nov. 17th. To register for the  Fall CMMC Forum on November 17th, as well as view upcoming events, visit Potomac Officers Club’s Event Page.

During the forum, you will hear from additional federal and industry leaders who will discuss the requirements and priorities of implementing the certification, including scoping of CMMC assessments, supply chain impacts and C3PAOs. 

Dr. Joseph Evans, principal director for 5G within the office of the undersecretary for research and engineering at the Department of Defense (DoD), said that U.S. military looking to use 5G networks on battlefields abroad may consider adopting commercial 5G, and select components that could be integrated into military tactical networks overseas, Breaking Defense reported Wednesday.

“As we get closer to the tactical edge, and either in parts of the world where the infrastructure is … not necessarily trustworthy… or actually in a contested tactical environment against a peer adversary, that’s where we think that there’s some challenges,” Evans said Wednesday at an ACT-IAC conference. “That’s where we have to start looking at … what bits and pieces of 5G we can use.”

“There’s mixes and matches of some of the underlying technologies that we think will be useful in the tactical environment,” he added.

The Pentagon made $600 million in awards in early October to support 5G testing and experimentation projects with 15 companies at five U.S. military installations and Evans provided updates on those projects.

DoD announced in June seven more military bases to host 5G experimentation and has issued calls for white papers for three of those sites. Evans said stakeholders have until Nov. 15 to submit white papers, but the department anticipates extending the deadline into December after companies asked for an extension.

The National Institute of Standards and Technology is looking for pubic input on a draft update to the agency’s personnel verification guidelines for federal employees and contractors.

NIST said in a Federal Register document that it is requesting feedback on its draft Federal Information Processing Standard 201-3 for the personal identity verification of contractors in physical and logical access applications.

The guidance covers expanded specifications of Personal Identity Verification (PIV) credentials, procedures for remote identity proofing and other modifications to authentication mechanisms in line with agency requirements.

According to NIST, FIPS 201-3 will only cover the verification of individual identities in compliance with federal agencies and departments’ respective applications.

The standard will not cover temporary credentials and access control decisions, the document states.

NIST plans to hold a public workshop on the draft standard and will accept feedback within 90 days of its publication.

Army Research Laboratory has used game theory to understand how cybersecurity operators can deceive cyber actors and in turn, prevent attacks.

“Game theory allows us to analyze the behavior of intelligent adversaries, predict adversaries course of action and find the best response to protect our network,” said Dr. Charles Kamhoua, senior electronics engineer in the lab’s Network Security Branch. 

The U.S. Army said Tuesday it used security games to graphically depict or model the different approaches taken by cyber actors, then analyze multiple strategies to deceive the attacker.

“An attack graph also helps find all possible combination of vulnerabilities an attacker can use from any entry point to any target," said  Kamhoua added.

ARL researchers virtually presented their work on this topic at the 2020 Conference on Decision and Game Theory for Security that took place late October.

Worcester Polytechnic Institute helped ARL assess the use of decoys in scenarios when attackers have limited information on the targeted network.

The Defense Advanced Research Projects Agency provided partial funding for the effort.