The Pentagon to Include Contractor Security in Buying Decisions - How Contractors Can "Deliver Uncompromised"

A four-pronged effort at the Pentagon ignites a new program entitled “Deliver Uncompromised” targeted at various parts used in American military hardware and manufacturing — for instance, microelectronics.

On June 8, the Washington Post reported that Chinese government hackers had compromised the computers of a Navy contractor and stolen large amounts of sensitive data, including secret plans for a supersonic anti-ship missile intended for U.S. submarines within two years.

The intrusion was a success for the attackers, and it has sharpened the Pentagon's resolve. Officials have said that building better security into the military's acquisition process is both imminent and necessary, and that the new measures will better protect the defense industrial base from cyber threats at home and abroad.

The Deputy Under Secretary of Defense for Intelligence, Kari Bingen, noted that “It is no longer sufficient to only consider cost, schedule and performance when acquiring defense capabilities. We must establish security as a fourth pillar in defense acquisition and also create incentives for industry to embrace security, not as a cost burden, but as a major factor in their competitiveness for U.S. government business.”

On Thursday, Pentagon officials testified before the House Armed Services Committee. They described what they see as the root of the threat: China's broad effort to acquire U.S. military technology through commercial investment, trade practices and outright intellectual property theft, with the aim of eroding the U.S. military's competitive edge.

The Under Secretary of Defense for Research and Engineering, Michael Griffin, noted that “the Chinese theft of technology and intellectual property, through the exfiltration of the work of others, is not unlike the Chinese construction of islands to encroach upon the geographic domains of international waters and those of other sovereign nations; it circumvents the autonomy of nations in a departure from a rules-based global order. It is adversarial behavior and its perpetrator must be treated as such.” Clearly, these officials are no longer willing to tolerate security measures that fail when confronted with mature, well-resourced threats.

“We must have confidence that industry is delivering capabilities, technologies and weapon systems that are uncompromised by our adversaries, secure from cradle to grave,” noted the Deputy Under Secretary of Defense for Intelligence.

Rep. Adam Smith, D-Wash. said that “we had a briefing yesterday on a cyber breach, and it was shocking how disorganized, unprepared and, quite frankly, utterly clueless the branch of the military was that [it] had been breached. Even in this day and age, we still have not figured out how to put together a cyber policy to protect our assets. In particular, with our defense contractors, who we work with, who store our data, but don’t have adequate protection. But even within the DoD, we don’t have a clear, cohesive policy to put in place.”

Bingen suggested that a “checklist-based” security procedure could be applied across the board, regardless of contractor size, with the goal that the program be “risk-based (like the NIST Cybersecurity Framework) … informed by the threat and the department’s technology protection priorities”.

You likely already know the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, which requires contractors to implement the security controls of NIST SP 800-171. This cybersecurity compliance requirement for defense contractors was developed to better protect the government's controlled unclassified information (CUI), which “in aggregation can be as damaging as a breach of classified information” in the words of Bingen.

The clause covers controlled technical information and other covered defense information handled by any organization selling to the Department of Defense, and a government-wide equivalent in the Federal Acquisition Regulation (FAR) was under consideration long before this summer's events.

If you are a contractor selling into the government space, you will need to prove not only adequate security but also your ability to Deliver Uncompromised. Looking for a good set of security standards to standardize on? Adopt NIST SP 800-171 under DFARS ahead of time to set yourself up for success and business growth. CyberStrong automates the reporting, tracking and proof of compliance that this requires, and makes cybersecurity compliance and best-practice adoption easy. Learn more by getting a free demo.

Alison Furneaux