Pentagon moves to get tough on contractor cybersecurity, data protection requirements
Article from Inside Defense, by Justin Doubleday
January 30, 2019 at 3:37 PM
The Pentagon is directing its acquisition workforce to better assess and enforce contractors’ compliance with cybersecurity requirements, as officials are particularly concerned about adversaries stealing sensitive data from companies further down the supply chain.
Defense Department Chief Information Officer Dana Deasy said cybersecurity in the defense industrial base is among his top priorities. He told the Senate Armed Services cybersecurity subcommittee yesterday that Under Secretary of Defense for Acquisition and Sustainment Ellen Lord is leading an effort to move beyond contractors merely self-certifying that they are meeting cyber requirements.
“We are now looking at a new process that A&S is leading, and that is how do we then build a confident score against their certification?” Deasy said. “Where they go through and they evaluate that self-assessment, they put a confident score against that, and what they’re now looking at is, how do we go out and have a closed loop system where we can go out and validate what it is they self-assessed against?”
But the Pentagon’s massive supply base presents a challenge in conducting such audits, the CIO added.
“There’s discussions right now on what is the right approach on doing that, given that trying to get to every single member of that supply base might be overly challenging,” Deasy said.
He said Lord’s office is considering certifying third-party companies to audit contractor compliance with the requirements, with a focus on companies at lower tiers of the supply chain.
“We are just in the early discussions of how we might do this,” Deasy said.
In a series of guidance memos issued over the past three months, DOD leaders have provided specific guidance on how acquisition personnel should apply a key contract clause requiring contractors to protect sensitive defense information and report cyber incidents. The clause requires contractors to comply with the security measures outlined in National Institute of Standards and Technology Special Publication 800-171.
The contract clause was instituted at the end of 2017, but until recently the Pentagon had only required contractors to self-certify by documenting a system security plan for the networks that will store the sensitive data. Several DOD organizations have since independently started enforcing the standards, and in August, Lord indicated DOD was prepared to be stricter about the requirements.
A Nov. 6, 2018, DOD memo published by the Pentagon’s defense pricing and contracting office provides acquisition personnel with guidance for “assessing compliance and enhancing protections” required by the contract clause.
“It is critical that efforts to identify, track, and safeguard DOD controlled unclassified information are addressed, and assessed, as part of the procurement process,” Kim Herrington, acting principal director of defense pricing and contracting, wrote in the memo.
The requirements also flow down to all subcontractors and suppliers that need to handle the sensitive data. Herrington’s memo emphasizes how acquisition personnel can request the prime contractor’s plan “to track the flow down of covered defense information,” as well as its plan to assess the compliance of first-tier suppliers.
Deasy told the Senate panel yesterday that “where the issue breaks down” is among lower-level suppliers, which often lack the resources and knowledge to comply with the requirements.
“We definitely need to help figure out how we’re going to handle small businesses,” he said. “If you look at what it takes today to do good cyber hygiene to stay ahead of the adversaries, we know many of the second and third and fourth tier supply base simply doesn’t have the wherewithal to do that.”
Deasy said the department is discussing whether it could create a secure cloud or network enclave that smaller vendors could access, rather than pushing sensitive data directly to them.
“We are in the very early days of that, but you should know we’re in active conversations about how to do that,” he added.
For now, however, much of the responsibility to flow down cybersecurity requirements through the supply chain rests on prime contractors.
A Dec. 17, 2018, DOD memo from the Pentagon’s acquisition office to DOD services and agencies provided program offices with sample statement-of-work language they can use to better implement the cybersecurity requirements. The language addresses access to a contractor’s system security plan, as well as how DOD officials can track how a contractor flows down covered defense information and assesses the compliance of suppliers.
Meanwhile, Pentagon acquisition chief Ellen Lord, in a Jan. 21, 2019, DOD memo, notified personnel that she has directed the Defense Contract Management Agency to leverage its reviews of a contractor’s purchasing system to ensure compliance with the NIST requirements. Specifically, the memo states DCMA will ensure contractors are complying with requirements to properly mark and distribute sensitive defense information to tier-one suppliers, as well as assessing the compliance of those subcontractors.
Robert Metzger, a partner at the law firm Rogers Joseph O’Donnell and an author of the MITRE Corp.’s “Deliver Uncompromised” supply chain security report, said it makes sense for the Pentagon to put pressure on prime contractors to ensure their suppliers are meeting cybersecurity requirements. DOD has contractual, legal and financial leverage over those companies, Metzger explained, as opposed to lower tiers of the supply base, where the department has less sway.
“There will be substantial resistance from the larger companies, not because they disagree with the objective — I’m sure they agree with it — but because it is so hard to get done,” Metzger told Inside Defense. “The larger companies understandably will be reluctant to assume responsibilities for various tiers of their supply chain where they too have limited access and leverage.”
But he said the risk those lower-tier suppliers pose will motivate the Pentagon to keep pressing larger defense contractors to limit the sensitive information they send down their supply chains and to ensure their subcontractors are taking adequate security measures.
As Deasy alluded to during the Senate hearing, the Pentagon and prime contractors are likely to explore ways they can protect information, such as providing access to it through a secure cloud environment, without forcing smaller companies to meet the expensive and complex security demands themselves.
“We need to look for ways to invest in both human resources and technical resources, to specially protect the most important information, to specially secure the communication channels with the companies who require that information, and to deny to any adversary any utility from information expropriated should a breach occur,” Metzger said.
The Pentagon’s recently established “Protecting Critical Technology” task force is also examining ways to defend against intrusions throughout the supply chain, according to Deasy.
Asked whether artificial intelligence programs could help DOD develop a broader understanding of its supply chain security issues, he said the Pentagon is exploring the possibility.
“We are literally just in discussions,” Deasy said. “I don’t want to imply that there is a program underway, but I would suggest this is a case where we could apply machine learning to look at this problem.”