Contractors not up to date on cybersecurity standards will only get a pass from the Defense Department for a little longer, leadership says.
DoD will begin auditing companies’ cybersecurity procedures that want to win contracts and it plans to start within the next 18 months, according to Ellen Lord, DoD undersecretary for acquisition and sustainment.
There will also be new cybersecurity standards for which companies will have to abide by if they want to work with the military.
“We have set out an objective of coming up with new cybersecurity standards this year,” Lord said at an Atlantic Council event on March 25 in Washington. “We’ll have metrics by which to measure them. We’ll have third parties that can actually audit against them such as International Organization for Standardization standards we have for quality. We need to them understand: How do we put cybersecurity into the new networks we are building? How do we make sure that there aren’t back doors there? How do we make sure that data at rest stays secure?”
The new cybersecurity standards will build off of the already existing National Institute of Standards and Technology Special Publication 800-171 standards required by the Pentagon.
Lord’s comments come as DoD is trying to figure out how it will address the creation of new and faster networks like 5G — a cellular network expected to be much faster than the current LTE network used by cell phones today.
“This is going to change how we capitalize our wireless networks and, frankly, with 5G we’re not going to see a difference really between our wired and wireless networks,” Lord said. “We as government have to come together, make sure we have the correct standards, make sure we work with allies and partners to ensure that protocols that reflect intellectual property that we understand and that we are driving reflect.”
Earlier this year, DoD released a handful of new guidance and memos giving teeth to rules that require companies to shape up their cybersecurity practices or risk losing business.
The guidance is based on a rule DoD tried to implement back in 2013, but realized contractors needed more time to comply. The rule, which finally took effect at the end of 2017, says companies must meet NIST before doing business with DoD.
One recent memo further explains that the government will need systems security plans from subcontractors and how controlled defense information should be shared with subcontractors.
A second memo addresses auditing contractors’ purchasing systems so the Defense Contract Management Agency can provide oversight and assess compliance.
“DoD wants to get everyone to a certain cybersecurity level,” Susan Cassidy, a partner specializing in defense and procurement at Covington and Burling LLP told Federal News Network. “Now they are tightening up and they are going to make it a performance and award differentiater.”
The third party audits will give DoD an idea of which companies are best to work with when it comes to cybersecurity and will give the Pentagon some actual enforcement power to make sure companies are meeting the standards.
In the past few years, DoD and the government as a whole fell victim to cyber breaches, which compromised personal information and government documents.
DoD is getting more savvy to the cyber threats, but is still scrambling to close the holes in its system vulnerable to hackers.
Cassidy said while DoD needs the protection, it’s a heavy lift for some companies.
“This does impose additional requirements on small businesses that may be very difficult for certain small companies to meet,” she said. “DoD has been pretty clear, especially in the recent past, that their concern is about their data. The risk of a breach is probably greater than a concern that a small business may not be able to participate.”