The Defense Department on Nov. 18 announced it will now require contractors to adhere to a set of baseline security standards to protect their unclassified networks and to report any security incidents that result in the loss of sensitive technical information.
“Defense contractors throughout the department’s supply chain have been targeted by cyber-criminals attempting to steal unclassified technical data,” said Frank Kendall, undersecretary of defense for acquisition, technology and logistics. “This is an essential step to ensure that this valuable information is protected. We cannot continue to give our potential adversaries the benefits in time and money they obtain by stealing this type of information.”
The changes stem from an amendment to the Defense Federal Acquisition Supplement, which will require defense contractors to incorporate established information security standards developed by the National Institute of Standards and Technology.
According to Kendall, the technical information covered by the new rule includes defense systems requirements, concepts of operations, technologies, designs, engineering, production and manufacturing capabilities.
The NIST security controls represent the “minimum acceptable level of protection” for unclassified technical data, according to the text of the new rule. “If a control is not implemented, the contractor shall submit to the contracting officer a written explanation of how either the required security control identified is not applicable, or how an alternative control or protective measure is used to achieve equivalent protection,” the rule states.
“Protection of technical information is a high priority for the department and is critical to preserving the intellectual property and competitive capabilities of our national industrial base,” Kendall said.