The Defense Department is giving a sneak peek into what the future of acquisition might look like once its “deliver uncompromised” initiative is a full part of the procurement process.
The deliver uncompromised pilot was released last year and hopes to bear capabilities without critical information or technology being lost, stolen, denied, degraded, given away or sold. The initiative establishes security as a primary metric for acquisition. That puts an more responsibility on industry to beef up cybersecurity and be more cognizant of its supply chain.
William Stephens, Defense Security Service counterintelligence director, said Wednesday that DoD will put the onus on companies to live up to the standards the Pentagon sets when delivering an uncompromised product.
“We don’t expect people to be magic,” Stephens said at the Center for Strategic and International Studies in Washington. “But the prime contractor will act at a certain level of care.”
Stephens said DoD would legally establish what its security expectations are for companies.
Companies that do operate at the required standard would achieve “safe harbor.” That status would not punish companies for losses unless they were grossly negligent.
A 2018 report by MITRE — which is the basis for deliver uncompromised — states, “contractual ‘safe harbor’ provisions could be used to encourage positive security actions by contractors and to remove present barriers to prompt incident reporting and full cooperation with DoD’s assessment and remediation measures.”
Still, companies would most likely have to deal with negligence issues and DoD will need to enter into litigation with them.
Stephens said he imagines an insurance marketplace for industry based on security.
“If that is the case then the company would have lower premiums if they performed well and then higher premiums if they did not,” Stephens said.
This move could substantially grow the cyber insurance market.
“It has been estimated that the cyber insurance premium market has the potential to reach $7.5 billion in a few years. Currently the market is estimated to be in the $2.5 billion range,” the report states.
DoD and MITRE also tried to take into account the fact that security is a high barrier of entry for smaller companies.
“Part of the idea is there would be tax incentives,” Stephens said. “So if a small firm, or any firm, is working on specific stuff for the United States government then their efforts would win them a tax break.”
Another option would be low interest or no interest loans to incentivize firms to live up to DoD standards.
DoD is still developing its standards and how to implement them. One aspect is setting a baseline for cybersecurity.
Earlier this year DoD tightened some of the cybersecurity standards contractors need to meet in order to do business with the Pentagon.
The two policies the Pentagon signed out are based off of a rule DoD tried to implement back in 2013, but realized contractors needed more time to comply. The rule finally took effect at the end of 2017, and companies that want to work with the Pentagon need to make sure they are up to snuff when complying with the National Institute of Standards and Technology Special Publication 800-171.
The policies outline what the Pentagon expects from contractors and what consequences there will be for noncompliance.