The Department of Defense is running “pathfinder projects” to develop clouds for small contractors and subcontractors who don’t have enough resources themselves to meet the department’s cybersecurity requirements, its acquisition chief said last week.
Ellen Lord, undersecretary for acquisition and sustainment, announced at a Defense Innovation Board meeting a new Pentagon plan to become more accessible to innovative small companies by providing them “government-furnished equipment” to secure their software environment, something they often can’t afford to do on their own.
“We will set up hardened containers in an enclave, in a government cloud or a cloud hosted for us, and we will provide these hardened containers that if industry goes in and uses them, develops their software using our stack, then they will automatically get an authority to operate — really a time-crunch issue for us when we’re trying to deploy a capability quickly,” Lord said. “We have pathfinder projects right now doing that. That’s going to become more and more important for us.”
The Pentagon’s 2020 budget justification for research, development, test, and evaluation details these projects as a new Defense Industrial Base Secure Cloud Managed Services Pilot, meant to “demonstrate and provide scalable and cost-effective cloud and managed cybersecurity services for Defense Industrial Base (DIB) companies to protect DoD controlled unclassified information” and focus “cloud and cybersecurity services towards a subset of small-to-medium sized DIB companies that support prioritized, critical DoD missions and programs.” The department requests $15 million in 2020 to support the pilots. Federal News Network first reported the department’s funding request for the pilot.
Earlier this year, CIO Dana Deasy described this issue and the work the Pentagon is undertaking to certify the cyberdefenses of subcontractors in compliance with National Institute of Standards and Technology standards.
As Deasy said then, Lord explained during the meeting that “the large companies don’t really need this.”
“Our large primes are very savvy,” she said. “They have the funds to create hardened environments. What I’m concerned with is, especially, the small companies who our innovation comes from, where when we sit down and talk to them about cybersecurity, we sometimes hear, no kidding, ‘My nephew does my cybersecurity.’ That gets us a little bit worried.”
The Pentagon has high standards contractors must meet when handling department data. Lord said “we will either put these small companies out of business” in trying to comply with those regulations, “or we will drive them away from the Department of Defense if we give them very, very onerous regulations to meet.”