A PubKGroup Product
PubKCyber is the go-to source for the most critical regulatory, policy, and oversight developments related to federal cybersecurity. Our coverage includes federal cyber regulations and policy, local and state activity, international law and agreements, federal regulatory body activity, congressional and agency oversight, and industry standards, as well as legal actions and court decisions related to cybersecurity, privacy, and fallout from security breaches.
- Ability to subscribe and post job announcements and advertisements online
- A daily email summarizing the day’s top cyber developments relevant to contractors
- PubK Event Board
- A weekly community calendar emailed to your inbox

Coming in 2017:

- A bimonthly update collecting critical developments, with added insight and context, and links to important resources
The Department of Homeland Security has ordered federal civilian agencies to more swiftly plug the vulnerabilities found on their networks, citing evidence that hackers are getting quicker at exploiting them. In a Binding Operational Directive, DHS’s Cybersecurity and Infrastructure Security…
The Defense Department has been ramping up efforts to quash supply chain vulnerabilities with enhanced cybersecurity guidance that gives the organization greater access to contractors’ security protocols and controls, even before awarding a contract.
A set of guidance documents released in November gave contractors a new urgency when considering security and partnering with the DoD. One requires self-attestation to comply with DFARS and the NIST Cybersecurity Framework, as well as on-site assessments and “enhanced cybersecurity measures in addition to the security requirements in NIST SP 800-171 to safeguard information stored on the contractor’s internal unclassified information system” before an award is made.
DOD expects contractors to already have a system security plan, along with plans of action and milestones, in place and outlines the consequences to the government if the security standards are not met.
Senate Armed Services Subcommittee on Cybersecurity Holds Hearing to Discuss the Responsibilities of the Defense Industrial Base
On March 26, 2019, the Senate Armed Services’ Subcommittee on Cybersecurity held a hearing to receive testimony assessing how the Department of Defense’s (“DOD”) cybersecurity policies and regulations have affected the Defense Industrial Base (“DIB”).
To gain a better understanding of the DIB’s cybersecurity concerns, the Subcommittee invited William LaPlante, Senior Vice President and General Manager of MITRE’s National Security Sector; John Luddy, Vice President For National Security Policy at the Aerospace Industries Association; Christopher Peters, Chief Executive Officer of the Lucrum Group; and Michael MacKay, the Chief Technology Officer of Progeny Systems Corporation.
In their opening remarks, the Chairman of the Subcommittee, Senator Mike Rounds (R-SD), and Ranking Member, Senator Joe Manchin (D-WV), acknowledged industry concerns about the DOD’s lack of clarity and disparate implementation of cybersecurity regulations, such as guidance relating to DFARS 252.204-7012 (“DFARS Cyber Rule” or “Rule”) and National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171.
Senator Rounds stated that he “expects [DOD] to come up with measured policies to make improvements in [cybersecurity]” and he “hope[s] DOD takes seriously the concerns of the DIB.” He further noted that DOD “cannot simply apply increasingly stringent cybersecurity requirements on its contractors” and that “doing so without subsidy or assistance is unlikely to particularly improve cybersecurity [for] the DIB” and would likely drive the most innovative small businesses out of the supply chain. Senator Rounds called for putting a program in place to ensure the best possible protections for contractors regardless of size and referred to the “Achilles heel” of this issue as the desire to use a large number of small contractors while still needing to protect sensitive government information. Later in the hearing, Senator Manchin expressed great concern over the cyber incidents experienced by DOD contractors and urged the witnesses to “tell [the Subcommittee] what you need . . . [the Subcommittee] is here to fix it and you’re here to tell us what’s broken.”
Summarized below are key points discussed during the hearing:
- Clear, Scalable, and Consistent Cybersecurity Policy: Witnesses representing the DIB agreed that the future of the defense industry is dependent on robust cybersecurity and, to that end, expressed the need for DOD to clarify critical aspects of existing policy. For instance, the identification and definition of Controlled Unclassified Information and its subset, Covered Defense Information (“CDI”) was highlighted as an area of concern. DIB witnesses testified that the current definition of CDI in the DFARS Cyber Rule has become very broad. They suggested that DOD collaborate with the DIB to identify critical information so contractors are not protecting mundane data, but focusing on securing truly sensitive information. John Luddy noted that “with limited resources, if [contractors] try to protect everything that is currently considered CDI, we may under-protect the really important things.”
- Unified DOD Approach: All of the witnesses emphasized the need for DOD to take a unified approach to cybersecurity that helps to minimize the burden on industry. The industry witnesses were clear that, together with large prime contractors, DOD can help support the middle- and lower-tier suppliers to be cyber secure, but clear guidance and programs must first be in place. Currently, DOD has taken an “ad hoc, service-by-service” approach as it works towards developing actionable regulations, which has resulted in segmented and overlapping contractor infrastructure and increased costs. The DIB witnesses commended recent memoranda issued by Ellen Lord, the Under Secretary of Defense for Acquisition and Sustainment, that clarified requirements for contracts overseen by the Defense Contract Management Agency, but they also noted that the memoranda “raised issues that need to be collaboratively assessed.” The witnesses made plain the need for more opportunities to contribute to future standards and guidance by DOD.
- Measuring and Certifying Cybersecurity Compliance: The DIB witnesses highlighted the numerous NIST SP 800-171 controls and the need to develop an approach using “real, objective metrics” that helps industry measure their cybersecurity performance against those controls. Defense contractors have been frustrated with the lack of clear metrics for compliance, which has resulted in the perception of DOD’s uneven enforcement of standards. The witnesses urged DOD to adopt a standard interpretation of NIST SP 800-171 as a useful baseline and starting point. They would prefer that DOD “set the bar high and set it once to hold all [companies] accountable, not only to spare companies from the cost, but also the need to adjudicate between different and potentially conflicting direction.”
- Information Sharing: The witnesses also drew attention to the need for greater information sharing. One idea raised by the DIB witnesses was the formation of a centralized DOD threat-sharing initiative that distributes relevant and timely data to the DIB to bolster cybersecurity efforts. The representatives acknowledged the tension between information sharing that is aimed at identifying and addressing threats and information that is competitive or business sensitive. But there was a consensus that progress on information sharing has been made within the DIB and that further improvements would be welcome.
Throughout the hearing, members of the Subcommittee and representatives from the DIB seemed to agree that greater collaboration with DOD on contractor cybersecurity issues and supply chain issues would be necessary to address systemic concerns. While there was a broad focus on DFARS requirements and NIST SP 800-171, a number of related issues were raised with the goal of helping businesses prioritize investments and meet DOD’s cybersecurity standards. As the cybersecurity efforts by DOD and the DIB continue, there was consensus during the hearing for a considered approach to partitioning cybersecurity responsibility among DOD, prime contractors, and their subcontractors so that no single entity shoulders the entire burden.
Undersecretary of Defense for Acquisition and Logistics Ellen Lord says the Department of Defense is collaborating with the National Institute of Standards and Technology to develop new cybersecurity standards that contractors must implement before they can win federal contracts. Lord expects the new metrics to be finalized later this year and put into practice within the next 18 months. DoD would use those standards as a discriminating factor when making contract awards. Lord also expects to work with experts from the Johns Hopkins University Applied Physics Laboratory on the project.
The Navy has released its Cybersecurity Readiness Review, drafted at the Secretary’s request, in response to recent losses of classified and unclassified data. The Review calls attention to the contracting community’s key role in safeguarding critical government data – and the perceived shortcomings of the current acquisition system in achieving that end. Despite mandatory contract requirements such as DFARS 252.204-7012, the Review notes that the Defense Industrial Base (DIB) has experienced “a flood of breaches” and “continues to hemorrhage critical data.” In response, the Review recommends:
- Holding individuals personally accountable for achieving mandated standards.
- Ensuring the supply chain is “delivered uncompromised” for mission readiness.
- Creating cybersecurity “go/no-go” criteria for capabilities.
- Expanding information sharing with DIB partners to better identify risks and priorities.
- Working with industry trade groups to assist subcontractors in improving cyber defenses.