The Pentagon’s task force to protect critical technology projects from China and Russia’s attempts at intellectual property theft is working on new standards to assess supply chain security and data loss measures, the group’s lead officials said Wednesday. 

Maj. Gen. Thomas Murphy, director of the Protecting Critical Technology Task Force, told attendees at an Association of the United States Army event his group is focused on methods to improve protection of information stored on industry’s unclassified networks, DoD research being done at universities and ensuring strategic competitors aren’t buying U.S. technologies through foreign investments.

Official portrait – Maj Gen Thomas Murphy taken in the Air Force portrait studio, May 4, 2018, Pentagon. (U.S. Air Force photo by Wayne A. Clark)

“We are in a competition. China and others are stealing our stuff and it’s causing the erosion of the lethality of the joint force,” Murphy said. “We’ve unwittingly become the research and development base for adversaries’ capabilities and for our strategic competitors. They are stealing our critical technology at an alarming rate, putting our modernization efforts and investments at risk.”

The task force was stood up in last October and Murphy said before the group concludes its work, 18 months from now, he’s focused on institutionalizing new methods for determining critical technology priorities and implementing a new cyber security maturity model.

“My job is to get the department moving more quickly, remove roadblocks, advocate for resources and find those best-of-breed solutions to change culture,” Murphy said.

The new Cybersecurity Maturity Model Certification (CMMC) would use a third party to score vendors and their supply chain to ensure the appropriate cyber hygiene level is in place based on the sensitivity of individual programs. 

“CMMC will have five levels and in order to bid on a contract you will need to have a CMMC score commensurate with that particular contract,” Murphy said. 

DoD first posted details of the new Cybersecurity Maturity Model Certification (CMMC) in October and officials are currently soliciting feedback from industry on the new rule.

“The bottom line is we cannot continue to afford to spend billions of dollars on programs that might be compromised or vulnerable by the time that they’re actually fielded,” Murphy said. “China, in particular, is employing a comprehensive national strategy to acquire our critical technologies through both licit and illicit methods. They’re unrelenting in hacking our businesses, both big and small. It’s no coincidence that their stuff looks remarkably like ours. Look at their airlifter and their newest fighter, looks just like a C-17 and a F-35.”