DoD seeks single point of entry, new governance to boost vendors’ cyber defenses

DoD wants its vendors to be more cyber secure, including by expanding the pool of vendors who can take part in the no-cost cyber services it already offers.

The Defense Department wants its contractors to be more cyber secure, and it already has a lot of tools to help them. But as of now, they're a bit scattershot, and sometimes confusing. That's one of the things DoD wants to fix via a new Defense Industrial Base Cyber Strategy.

As one element of a four-part, multi-year plan to improve the DIB's cyber posture, published Thursday, the department intends both to make the free cyber protection services it already offers easier to access and to expand the number of companies that can take advantage of them.

“We were very disjointed between the different stakeholders in the department that delivered services, and a lot of DIB partners were complaining that we didn’t have a single point of entry,” David McKeown, DoD’s chief information security officer, told reporters Thursday. “The goal here with this strategy is to highlight a way forward where we’ll have a more centralized and more cogent approach, where everybody in the department knows what their role is, rather than having to have 15 different connections to different stakeholders.”

The strategy calls for McKeown’s office to, for starters, create a comprehensive list of the “cybersecurity-as-a-service” (CSaaS) offerings DoD already offers. An appendix to Thursday’s strategy offers a partial summary.

“And as we work on the implementation plan, we will flesh that out and hopefully provide an initial entry point that will then help hold the vendors’ hands to get to the other resources needed, versus requiring them to go touch base with each one of those on their own,” he said.

Expanding DIB participation

Meanwhile, the department also plans to re-launch its existing DIBNet portal later this year — with new features including an API that will let companies programmatically access the cyber threat alerts and warnings they currently get from DoD.

But as of now, there aren’t many firms participating in the department’s voluntary programs to share information about cyber threats: only 1,500. By comparison, there are 70,000 to 75,000 companies currently estimated to handle controlled unclassified information (CUI).

So in a regulatory update scheduled to take effect on Apr. 11, DoD plans to expand the eligibility criteria for its DIB cybersecurity program to make all of those companies eligible to participate.

It's not yet clear how many companies will be brought into the fold under the expanded program, or how much additional workload it will create for the National Security Agency, the DoD Cyber Crime Center (DC3), and the other DoD components that deliver its CSaaS offerings.

As of now, that’s not a concern, given the limited number of companies who have voluntarily joined the DIB cybersecurity program, McKeown said.

"We hope that it becomes a problem when we have more engagement with people out there that are interested in availing themselves of intelligence sharing and things of that nature. But those aren't hard to scale up," he said. "There's also a lot of free products to just read and understand, there's tools that they can run on their own that don't involve DC3 directly getting involved. Some of the subscription services — where we're doing free external scanning of the vendors — we may, at some point, hit a threshold where we might have to increase the volume of licenses we have. Right now, we have enough capacity, and we're beating the drum trying to get people to come into the program."

In many other respects, the strategy, which is intended to cover DoD’s plans to secure the DIB through 2027, is largely a recitation of the activities the department already has in place to raise the bar on contractor cybersecurity.

Relationship with CMMC uncertain

It makes only passing references to DoD's impending Cybersecurity Maturity Model Certification (CMMC) program, likely the largest change ever in the processes contractors will have to follow to meet DoD's cybersecurity standards.

During Thursday’s press briefing, officials largely sidestepped questions on how CMMC and the new strategy would interact, in light of the fact that CMMC is still in the midst of a formal notice-and-comment process ahead of a final rule expected to be published later this year.

But the strategy does promise more work to clarify the existing language in the Defense contracting clause commonly called “DFARS 7012,” the provision that tells vendors they’re responsible for safeguarding DoD data in their control and reporting cyber incidents when they happen. And DoD has scheduled a two-day summit in April to discuss with vendors how they can safely use cloud services without creating undue regulatory burdens.

And although the strategy provides little detail on how it plans to achieve it, the document promises that DoD will work to develop forums that let the government and industry have those discussions in a more ongoing way.

“Securing the DIB requires support and collaboration from a large community of stakeholders. The department will work with the DIB DoD stakeholders and interagency [forums] to build a governance framework for maintaining a secure subcontractor cybersecurity environment,” said Stacy Bostjanick, DoD’s chief for industrial base cybersecurity.


Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
