The Defense Department is considering new measures to help its lower-tier suppliers tighten the cybersecurity of their IT systems, and may begin a new regime of spot checks to ensure they’re meeting security regulations that now apply to defense vendors and many of their subcontractors.
The options under consideration came from a new Pentagon task force that is re-examining the department's contractual relationships with suppliers. Those relationships may need to change in order to better respond to data breach or exfiltration incidents, according to Defense CIO Dana Deasy.
The department has required its vendors to certify that they and relevant subcontractors comply with NIST SP 800-171 for handling Controlled Unclassified Information. It does not independently verify that compliance, however, which Deasy said may begin to change. A variety of approaches are being considered, including random sampling, third-party assessments, and artificial intelligence to identify weaknesses.