To better protect the massive amounts of unclassified but sensitive technical information generated on defense contracts, the Defense Department this week began mandating that prime and subcontractors provide “adequate security” measures to protect this data under new contracts and report any cyber intrusions that result in the loss of such information.

The mandate, which was codified in an amendment on Monday to Pentagon contracting regulations, is a change from past DoD practice that encouraged defense companies to voluntarily report on cyber attacks on their networks. Under the amended Defense Federal Acquisition Regulation Supplement, which stipulates contracting provisions, companies will have 72 hours from discovery to report cyber incidents related to unclassified controlled technical information on their networks or passing through their networks.

“Defense contractors throughout the department’s supply chain have been targeted by cyber criminals attempting to steal unclassified technical data,” Frank Kendall, undersecretary of Defense for Acquisition, Technology and Logistics, said in a statement on Tuesday. “This is an essential step to ensure that this valuable information is protected. We cannot give to our potential adversaries the benefits in time and money they obtain by stealing this type of information.”

Mandating the adoption of security measures and disclosure is “the only way to get it done,” Steven Bucci, a former cyber security consultant with IBM [IBM] who is now with the Heritage Foundation, told Defense Daily yesterday via email. “Bottom line,” he said, “it’s about time.”

The change to the DFARS only applies to new contracts and only those where technical data is generated.

The requirements change is a follow-on action to an Oct. 10 memorandum from Defense Secretary Chuck Hagel that called for, among other things, the department to “take immediate action to improve the protection of unclassified controlled technical information that resides on or passes through defense contractor systems or networks.”

Kendall, in his statement, said the kind of data at stake here includes “defense systems requirements, concepts of operations, technologies, designs, engineering, production and manufacturing capabilities.”

In the amendment to the DFARS, adequate security is defined as “protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information.” The measures are based on standards established by the National Institute of Standards and Technology.

The Defense Department for the past two to three years has maintained voluntary cyber information sharing programs with companies in the defense industrial base to protect sensitive but unclassified information related to DoD programs on company networks. Under the program the department provides its participating defense industry partners with “unclassified cyber threat indicators and related, classified contextual information,” according to a DoD fact sheet on the Defense Industrial Base (DIB) Cyber Security/Information Assurance (CS/IA) program.

The fact sheet says that DIB companies also report on known network intrusions to the government.

A related, but optional, component to the DIB CS/IA program is the DIB Enhanced Cybersecurity Services (DECS), which provides for the government to furnish classified threat data to participating defense companies, enabling them to counter more types of threats. The DECS effort is jointly administered with the Department of Homeland Security.

Hagel’s memo also calls for the military services to identify acquisition and technology programs that need higher levels of protection. A DoD spokeswoman told Defense Daily that this review is still ongoing.