A Department of Defense official unveiled plans Thursday for contractor cybersecurity standards that are scheduled to be implemented by January 2020.
Katie Arrington, special assistant to the assistant secretary of Defense acquisition for cyber, made the announcement along with a plea for the private sector to work with the government to secure its supply chain at a Professional Services Council conference Thursday. The new standards will have a five-level system, and they will combine guidance currently in place from the National Institute of Standards and Technology with new input from the private sector and academia.
The standards, known as Cybersecurity Maturity Model Certification, will be researched and developed in partnership with the Johns Hopkins Applied Physics Lab and Carnegie Mellon University Software Engineering Institute. Once in place, third-party private sector companies will audit contractors to ensure compliance. The program also will include an education and training center for cybersecurity.
The level of cybersecurity required by the standards will be indicated on all contract solicitations once implemented.
Defense officials have spoken of the need to develop new contractor cybersecurity standards for more than a year now. Earlier this year, DOD CIO Dana Deasy described how tier-one prime contractors aren’t the big concern. “It’s down when you get to the tier-three and the tier-four” subcontractors.
“Where the issue breaks down is that as you go down to those various subcontractors, do they understand, [are they] equipped, have the knowledge and the capabilities to defend themselves, and what is it we should be doing more to help them learn how to defend themselves at those tiers?” Deasy said.
Arrington’s announcement was the first look into what to expect when the new standards are implemented. Similarly, in 2017, DOD introduced a regulation that requires all vendors who do business with the department to more safely guard “covered defense information” that is transmitted to or stored in their systems or networks for contracted work.
In addition to speaking about the new rules, Arrington stressed the need for collaboration between public and private sectors to ensure information security.
“It is not a ‘me’ thing, it is a ‘we’ thing,” Arrington said.
The “vast majority” of DOD contractors have ad hoc and inconsistent cybersecurity practices, Arrington said. Cybersecurity breaches and intellectual property theft of DOD data has led to the theft of high-grade weapon systems, such as the F-35.
“We should be infuriated about what has happened to our data,” she said.
Arrington will be embarking on a listening tour across the country to seek input from contractors for the cybersecurity rules. Arrington is a former South Carolina lawmaker and small business owner who contracted with the government — experiences she said will inform her work to help secure military data.
The greatest counterintelligence risk to the U.S. is not theft of government data, but private sector IP, said Joyce Corell, assistant director for supply chain and cyber at the Office of the Director of National Intelligence’s National Counterintelligence and Security Center. Governments, like China’s, and their efforts to steal U.S. IP have taken up the majority of the U.S. counterintelligence apparatus’s work, Corell said in a talk following Arrington’s.
New steps to secure the supply chain are critical to plugging the leaks of data. To do so, Corell pushed for cybersecurity to be baked-in across all parts of the supply chain for government contractors. In the past, Corell has pushed small businesses to increase their cybersecurity to work with the government.
Corell and Arrington both drove the message that cybersecurity is needed at all levels of the supply chain, at all levels of contracting and from the military to civilian agencies.
Supply chain security is “a team sport,” Corell said.