The Pentagon still has deep concerns about thefts of sensitive Defense data from contractor systems. But it’s concluded that simply using contract terms to order firms to improve their security isn’t going to do the job.
So the department is testing ways to extend its own cybersecurity expertise and infrastructure to small and medium-sized businesses who don’t have the wherewithal to adequately secure their systems against nation-state attackers. Specifically, it plans to build a secure cloud to house the Defense data companies need to perform their contracts, instead of requiring them to store it themselves.
DoD’s research and development budget for 2020 includes $15 million for a small project the department terms the Defense Industrial Base (DIB) Secure Cloud Managed Services Pilot. In the early going, the Pentagon plans to make the cloud service available to “a subset” of small and medium companies that “support prioritized, critical DoD missions and programs.”
In contract terms, the department would treat the secure cloud as Government Furnished Equipment (GFE), said Ellen Lord, the undersecretary for acquisition and sustainment.
“The large companies don’t really need this. Our large primes are very savvy, they have the funds to create a hardened environment,” she told a meeting of the Defense Innovation Board last week. “What I’m concerned about is the small companies where our innovation comes from. We sit down and talk to them about cybersecurity, and sometimes we hear — no kidding, ‘My nephew does my cybersecurity.’ That gets us a little bit worried. And we know that we will either put these small companies out of business, or we will drive them away from the Department of Defense if we give them very, very onerous regulations to meet.”
Following a protracted rulemaking process, at the end of 2017, the department started inserting clauses into most of its contracts that require firms to implement the security controls in NIST Special Publication 800-171. The rules require prime contractors to impose the same demands on each of their subcontractors if they’re expected to come in contact with sensitive-but-unclassified “covered defense information.”
The department has not formally announced any plans to relax those rules, but has hinted in several forums that they likely need some tweaking.
The initial regulations did not include any mechanism for companies to verify that they were meeting DoD’s security expectations. And the department did not, at the time, announce any specific plans to verify whether they were doing so other than in routine contract audits.
In Congressional testimony earlier this year, Dana Deasy, DoD’s chief information officer, said the department believes it needs to begin verifying whether companies were complying with the standards, and that it may begin to implement spot checks to see if they were.
But Kim Herrington, the acting principal director for Defense pricing and contracting, said the department would like to eventually get to a point where it certifies third-party cybersecurity examiners to help verify whether contractor systems are adequately protected.
“The truth is that no government organization — the Defense Contract Management Agency or any other — is going to be able to go to 800,000 contractors and go audit their systems,” he said at the annual McAleese Defense Programs conference in Washington. “We’re not going to do this in a vacuum. We want a partnership where we agree on what are the necessary requirements and capabilities. Then, we could figure out where risk exists and focus on those areas with more audit activity than when it’s a lower risk.”
In its budget justification for the Secure Cloud Managed Services Pilot, DoD told Congress the “vast majority” of the Defense Industrial Base is made up small and medium companies “that lack sufficient cybersecurity capabilities to protect controlled unclassified information from a determined adversary.”
Since the details of any individual data theft are classified, Defense officials have offered little-to-no specifics about the nature or volume of the information that is being stolen from contractor systems.
But a report the Navy commissioned last year, the results of which were publicly released earlier this month, characterized the loss as a “hemorrhaging” of sensitive data from those systems.
The authors said companies were highly-motivated to protect data, but could not be reasonably expected to defend themselves from nation state-sponsored attacks without more help from the government, including more information sharing.
The Cybersecurity Readiness Review also concluded that whatever intrusions the government has detected are just a small slice of the data thefts that have actually occurred.
“The DoD and DON have only a limited understanding of the actual totality of losses that are occurring [in the DIB],” the review panel found. “Only a very small subset of incidents are ‘known’ and of those known, an even a smaller set are fully investigated. This has led to lengthy timelines and processes for discovering, reporting, and assessing information losses. That knowledge is often hyper classified and difficult to share, sometimes leading to an alarming lack of understanding and appreciation of the threat. Finally, in an age where it is impossible to protect everything, identifying what information must be absolutely protected is vital and not being adequately accomplished.”