To protect F-47 plans from hackers, Boeing should lean on CMMC, zero trust: DoD official

Shown is a graphical artist rendering of the Next Generation Air Dominance (NGAD) Platform. The rendering highlights the Air Force’s sixth generation fighter, the F-47. The NGAD Platform will bring lethal, next-generation technologies to ensure air superiority for the Joint Force in any conflict. (U.S. Air Force graphic)

TECHNET CYBER 2025 — In order to keep the plans for the US Air Force’s highly classified F-47 fighter secure from hackers, prime contractor Boeing will have to rely on the Department of Defense’s cybersecurity measures such as the Cybersecurity Maturity Model Certification (CMMC) and zero trust, Katie Arrington told Breaking Defense. 

Arrington, who is performing the duties of the CIO until the newly named nominee Kristen Davies potentially takes over, pending confirmation, said adherence to those security principles is critical, especially with the lessons fresh in the mind from purported Chinese intrusions that pilfered data on the Lockheed Martin-made fifth-generation F-35 and F-22, as well as Boeing aircraft. China later produced its own fifth-gen fighter, the J-20, which shared some suspicious similarities to the American airframes.

“Anybody know what happened with the F-35?” Arrington asked the audience during a keynote presentation at TechNet Cyber in Baltimore. “What took off about six months after the F-35 that had the exact same candidate clause as the original design of the F-35? The J-20. They [China] didn’t get good on their own. They got good on your tax dollars. They got good on your R&D [research and development.] They got good on the blood of your men and women on the battlefield. Are you willing to let them do that anymore?” 

To stop hackers, Arrington said Boeing must also make sure their subcontractors for the F-47 are utilizing the CMMC — a program that sets new standards for contractors who handle controlled unclassified information — as well as implementing zero trust, a security paradigm in which users are continually assessed to be accessing only the data and network segments they should be accessing.

CMMC’s latest iteration came out last December, and so far no company is third-party or level 3 certified, Arrington said. But she said Boeing took part in the Joint Surveillance Program last year that found the company to be 100 percent compliant with the 110 National Standards of Information and Technology (NIST) controls. 

“CMMC and zero trust, everything we can talk about is a culture of cyber security,” Arrington told Breaking Defense in an exclusive interview. “We have awarded that work for a company that is implementing the 110 controls of the NIST, and it is going to be up to Boeing in their supply chain to ensure that every company that is getting CUI is implementing that NIST standard. It will help them as they go down the process with the CMMC certification as a cost reduction for both Boeing and the government, they won’t have to do that legwork themselves.” 

“The CMMC certification will be proof — trust, verify that those companies have the cyber posture needed to secure the data that is critical to national security, like on programs like the F-47,” she said.

Boeing previously declined to comment to Breaking Defense on their cybersecurity plans for the F-47 project, and a spokesperson did not immediately respond to a request comment regarding Arrington’s statements.

In a separate interview, Stacy Bostjanick, the chief of defense industrial base cybersecurity in the DoD’s office of the chief information officer, told Breaking Defense that companies, especially smaller ones, need to be wary of where they get their third party audits to become level three CMMC certified. 

“I highly recommend that anybody who is looking to become certified reach out to the different cloud service providers and MSPs [managed service providers] out there. You need to shop. You need to know what you’re shopping for and understand the Cyber AB [accreditation body] has a marketplace that they’re gonna put those capabilities out there so companies can discover them,” she said.

Broadly, she cautioned companies to “do your homework, because we have unfortunately been made aware of some snake oil salesman out there, some slimy characters that’ll come in and say, ‘Yeah, give me $100,000 I’ll get you CMMC certified in two days,’ and they’re not telling them the right stuff. Make sure you are buyer beware.”