<img src="https://ws.zoominfo.com/pixel/4CagHYMZMRWAjWFEK36G" width="1" height="1" style="display: none;">
Request Demo

Audit Management, DFARS, Vendor Risk Management, Corporate Compliance and Oversight, Cybersecurity Frameworks, Cyber Risk Management Frameworks

The Pentagon to Include Contractor Security Into Buying Decisions: How Contractors Can "Deliver Uncompromised"

down-arrow


A four-pronged effort at the Pentagon ignites a new program entitled “Deliver Uncompromised” targeted at various parts used in American military hardware and manufacturing — for instance, microelectronics.

On June 8, the Washington Post reported that the Chinese government hackers had compromised the computers of a Navy contractor, and had completed a mission to steal large amounts of sensitive data, some of which included secret plans to develop a supersonic anti-ship missile to be used on U.S. submarines in less than two years time.

The government hackers from China hacked a Navy contractor to gain intelligence - and were successful. Pentagon officials have reported that including better security measures into the military’s acquisitions process is imminent, and necessary. These new measures will better protect the defense industry from cyber-related threats both in the U.S. and abroad. 

The Deputy Under Secretary of Defense for Intelligence, Kari Bingen, noted that “It is no longer sufficient to only consider cost, schedule and performance when acquiring defense capabilities. We must establish security as a fourth pillar in defense acquisition and also create incentives for industry to embrace security, not as a cost burden, but as a major factor in their competitiveness for U.S. government business.”

Three Steps to DFARS Success_cover

On Thursday, Pentagon officials testified before the House Armed Services Committee. They talked to the issue that they saw as the foundation of the threats at hand, which was in a broader sense and according to the testimonials, China’s efforts to transfer U.S. military tech intelligence - including commercial investments, trade practices and intellectual property theft - in an effort to disarm and displace some of the U.S.'s military competitive edge.

The Under Secretary of Defense for Research and Engineering, Michael Griffin, noted that “the Chinese theft of technology and intellectual property, through the exfiltration of the work of others is not unlike the Chinese construction of islands to encroach upon the geographic domains of international waters and those of other sovereign nations, it circumvents the autonomy of nations in a departure from a rules-based global order. It is adversarial behavior and its perpetrator must be treated as such.” Clearly, these officials are done letting security measures prove inefficient when mature and robust threats arise.

 

A four-pronged effort at the Pentagon ignites a new program entitled “Deliver Uncompromised” targeted at various parts used in American military hardware and manufacturing — for instance, microelectronics.

“We must have confidence that industry is delivering capabilities, technologies and weapon systems that are uncompromised by our adversaries, secure from cradle to grave,” noted the Deputy Under Secretary of Defense for Intelligence.

Rep. Adam Smith, D-Wash. said that “we had a briefing yesterday on a cyber breach, and it was shocking how disorganized, unprepared and, quite frankly, utterly clueless the branch of the military was that [it] had been breached. Even in this day and age, we still have not figured out how to put together a cyber policy to protect our assets. In particular, with our defense contractors, who we work with, who store our data, but don’t have adequate protection. But even within the DoD, we don’t have a clear, cohesive policy to put in place.”

Bingen suggested a “checklist-based” security procedure could be used across the board, regardless of contractor size. The goal being that the program would be “risk-based (like the NIST Cybersecurity Framework) … informed by the threat and the department’s technology protection priorities”.

You likely know of the initiative - Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 which details adherence to NIST SP 800-171(see explanatory guide here) -  This cybersecurity compliance requirement for defense contractors was developed to better protect “controlled unclassified data" of the government, which “in aggregation can be as damaging as a breach of classified information” in the words of Bingen.

The regulation covers technical or personal information for any organization selling to the Department of Defense, and was being considered to be made into a Federal Acquisition Regulation, even long before this summer's events.

If you are contractor selling into the government space, it will be necessary for you to prove not only adequate security, but also prove your ability to Deliver Uncompromised. Looking for a good set of security standards to standardize on? Adopt DFARS NIST SP 800-171 ahead of time to set yourself up for success and business growth. CyberStrong automates the reporting, tracking, and proving required, and makes cybersecurity compliance and best practice adoption easy. Learn more by getting a free demo.

 

You may also like

Why You Need CIS Controls for ...
on June 17, 2022

The Center for Internet Security (CIS) is a non-profit organization that helps public sectors and private sectors improve their cybersecurity. The organization aims to help small, ...

Small Business Cybersecurity ...
on June 15, 2022

To achieve peace of mind in the modern threat landscape, small business owners must have a solid security strategy and budget in place. VIPRE’s SMB Security Trends report state ...

Do Small Businesses and Startups ...
on June 10, 2022

Did you know that about 60% of small businesses shut down within 6 months by falling victim to a data breach or cyber-attack, where the average global breach cost hovers at $3.62 ...

A Pocket Guide to ISO 27001
on June 9, 2022

Let’s begin with the complete title of what’s referred to as ISO 27001. It is officially known as “ISO/IEC 27001." If you're looking to have your company certified, you'll need to ...

Benefits Of An Automated Security ...
on June 6, 2022

Proactive recognition, remediation, and mitigation of security threats are rising challenges for global businesses today. Security risk assessment is an integral part of this ...

Kyndall Elliott
The Top 5 Automated Risk ...
on June 1, 2022

Automated risk assessment tools help you assess information security risks and related metrics in real-time based on the available data internally and externally. Connecting the ...