Pentagon planning new steps to shore up smaller suppliers’ cybersecurity
Among the options the Pentagon is considering: Conducting its own assessments of whether subcontractors are meeting new requirements to comply with NIST.
The Defense Department said it’s considering new steps intended to help its lower-tier suppliers tighten the cybersecurity of their IT systems, and may begin a new regime of spot checks to ensure they’re meeting security regulations that now apply to defense vendors and many of their subcontractors.
The options under consideration came from a new Pentagon task force that is re-examining the department’s contractual relationships with suppliers. Those relationships may need to change in order to respond better to data breach or exfiltration incidents, said Dana Deasy, the DoD chief information officer.
“Defending our networks extends all the way out to our contractor networks. You could argue they’re just an extension of what we do — we pass classified data, they do things on behalf of us,” he told the Senate Armed Services Committee on Tuesday. “We have to treat our subcontracting base the same way that we think about defending our own networks … as you go down to those various subcontractors, do they understand, are they equipped, do they have the knowledge and the capability to defend themselves? And what is it that we should be doing more to help them learn how to defend themselves at those tiers?”
At the end of 2017, the department implemented a new contracting rule that requires its vendors to meet the security controls in the National Institute of Standards and Technology’s Special Publication 800-171. The new rules, designed to protect controlled, unclassified information, also apply to subcontractors if they’re handling “covered defense information” as part of the work.
But as of now, the rule only requires contractors to self-certify that they’re in compliance; the department itself does not weigh in on whether or not they’ve met the standards or interpreted them correctly.
That may begin to change, Deasy said.
“We are now looking at a new process that would go through and then evaluate that self-assessment and put a confidence score against that,” he said, adding that the development of the possible new procedures is being led by the office of the undersecretary for acquisition and sustainment (A&S).
“What they’re now looking at is how do we go out and have a closed-loop system where we can validate what it is that they self-assessed against,” Deasy said. “Now, of course, this is a massively large supply base. So there are discussions right now on what is the right approach on doing that, given that trying to get to every single member of that supply base might be overly challenging. So how do you sample, and how do you do this in a way where you can start to get confidence as you move down those tiers?”
A new way to assess suppliers
Beyond the notion of choosing a sample of companies the department might examine in order to develop those “confidence scores,” Deasy said DoD is also considering the idea of designating third-party firms to handle the assessments.
“What has happened in private industry — and what we are now looking at for the DoD — is actually a process of identifying, possibly even certifying companies that can play the role, follow the NIST standards, and actually go in and look at a second, third-tier supplier,” he said. “We are just in the early discussions of how we might do that. A&S is the lead, but I’ve been advising them on how this has been done elsewhere.”
Yet another option: the department also aspires to eventually use its still-nascent artificial intelligence capabilities to help spot cyber weaknesses within its industrial base.
“There is definitely going to be value in looking at how do you take the entire supply base, [measure it against] the NIST standards, the hygiene problems we see, and can you apply AI to this problem to start to identify where you maybe, most likely are going to experience problems? We’re literally just in discussions and I do not want to suggest that we have an active program underway, but I would suggest that this is a good case where we can apply machine learning to looking at this problem,” Deasy said.
There is also congressional interest in finding ways to put lower-tier defense suppliers on a stronger cyber footing.
As part of the 2019 National Defense Authorization Act, lawmakers ordered the department to take steps to improve awareness of cyber threats among the critical universities and small and medium-sized businesses in its supply chain.
Specifically, the NDAA told the Pentagon to help those organizations conduct self-assessments of their networks’ security posture, give them technology and threat information to help them defend themselves against attack, and certify some members of DoD’s own acquisition workforce to help small businesses plan their cyber defenses.
Deasy said the department is still in the early stages of implementing those steps.
“We definitely need to help figure out how we’re going to handle small businesses,” he said. “If you look at what it takes today to do good cyber hygiene, to stay ahead of the adversary, we know much of the second and third or fourth tier supply base simply doesn’t have the wherewithal to do that. We have some thoughts underway about how we can bring them into either a cloud or an extension of our network, and we can fortify them with services that we provide. We’re in the very early days of that, but we’re in active conversations about how to do that.”
Each week, Defense Reporter Jared Serbu speaks with the managers of the federal government's largest department.