The Defense Department on Thursday released its first ever strategy to strengthen the cybersecurity of the defense industrial base (DIB) by better coordinating efforts across the enterprise, making it easier for companies big and small to work with the department.
The Defense Industrial Base Cybersecurity Strategy 2024, which was mandated by Congress in the fiscal year 2020 National Defense Authorization Act, outlines a vision, mission, and four goals to secure and make more resilient the information environment of the DIB through FY ’27. At a high level, the strategy highlights the roles and responsibilities of various DoD offices and agencies related to working with the DIB on cybersecurity.
DoD is drafting an implementation plan for the strategy that is expected to be completed in nine to 12 months, a department spokesman told Defense Daily. That plan will further clarify roles and responsibilities across the department, giving industry clearer insight into where to go for help.
The strategy also mentions DoD visibility challenges into the lower tiers of the supplier base and the need for a “governance framework for maintaining a secure subcontractor security environment.”
Congress mandated the strategy because “We were very disjointed in the different stakeholders of the department that delivered services,” David McKeown, DoD deputy chief information officer for cybersecurity and chief information security officer, told reporters. “A lot of DIB partners were complaining that we didn’t have a single point of entry. The goal here with this strategy is to highlight a way forward where we’ll have a more centralized approach, a more cogent approach where everybody in the department knows what their role is. And we’ll have a way for DIB partners to enter into the system and draw off services and work with the DoD rather than having to have 15 different connections to different stakeholders.”
The implementation plan “hopefully” will have a starting point for vendors to reach into DoD to “help hold the vendors’ hand” to obtain resources, McKeown said.
Stacy Bostjanick, chief of DIB cybersecurity at DoD, said the CIO’s website will post the different program members and the capabilities the department has available to its DIB partners.
In addition to congressional direction, the strategy is a response to ongoing cyber intrusions into defense companies and the need to maintain technology advantage and preserve warfighting capabilities.
The DoD officials were asked about a previous comment made by Air Force Lt. Gen. Robert Skinner, director of the Defense Information Systems Agency, that the DIB is the “soft underbelly” that cyber-attackers go after. McKeown replied that this is still the case.
“We’re still seeing intrusions taking place,” he said. “We track that pretty heavily,” adding that new incidents show up weekly and that the department is “engaging with the companies” and wants to investigate these with its industry partners.
McKeown said he does not have metrics on intrusion trends and has performed “damage assessments” on response to larger events “just to understand the impacts to the programs, but now we’re trying to get this process a little bit more rigorous and learn from it.” This will provide lessons for better service and to understand whether industry has the right measures in place, he said.
For example, when defense procurement regulations began to require vendors to self-attest that they are protecting unclassified covered information based on security controls established by the National Institute of Standards and Technology, the department found “they really weren’t,” he said. “So that’s another piece of it that we want to keep metrics on.”
The four goals in the strategy are strengthening the DoD’s governance around DIB cybersecurity, boosting the cyber posture of industry, keeping critical industry capabilities resilient in cyber-contested environments, and improving collaboration with the DIB.