The Defense Department has an understandable preoccupation with the cybersecurity practices of its vendors, especially since most successful thefts of Defense information have involved contractor-owned IT systems rather than government ones.
But small business advocates inside the department are concerned about a new set of requirements DoD imposed on a huge number of IT contractors beginning in October.
The office of Defense Procurement and Acquisition Policy (DPAP) issued a class deviation (an emergency workaround to the usual process of writing acquisition rules) ordering all of DoD's contracting officers to insert new language into their contracts. Among other things, that language requires multifactor authentication on any contractor-owned system that holds unclassified but "controlled" Defense information, and prompt notification to DoD when any of those systems appears to have been breached.
"We're hearing from a lot of our people out in the field saying, 'Hey, this is going to be a huge impact to our small contractors,'" Carol White, the Air Force's deputy director for small business programs, said during a panel I moderated last week at AFCEA NoVA's annual Air Force IT day. "It's mostly anecdotal at this point, and we need to hear more from our small business contractors, but this is potentially going to drive up their costs."
The deviation requires contractors to implement the government's specific technical standards for multifactor authentication, which are laid out in the National Institute of Standards and Technology's Special Publication 800-171. Control 3.5.3 of that publication calls for multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts, so in some cases the requirement applies even to systems that sit within the local network in a company's building and are not reachable from the public Internet.
If a contractor discovers an indication of a breach, the new rules also require it to notify DoD within 72 hours. But that report can only be made through DoD's tightly controlled DIBNet portal, which can only be accessed by companies that have gone through the expense and bureaucratic hoops of acquiring a DoD-approved medium assurance PKI certificate.
That's not a problem for the department's prime vendors, which already transact billions of dollars each year with DoD. But it's a potential issue for smaller companies and nontraditional contractors, from whom the department says it's seeking more innovation, because the class deviation also requires all vendors to flow the same requirements down to all of their subcontractors.
The multifactor authentication portion of the new rules gives the DoD Chief Information Officer some leeway to grant waivers when a given vendor can't comply.
But John Mills, chief of the cybersecurity strategy division in the CIO's office, suggested those waivers would be relatively rare. Multifactor authentication sits at the top of the list of priorities on the new cybersecurity scorecard on which all Defense components are graded, and that scorecard goes directly to the Secretary of Defense each month.
“It’s a driving indicator of how the department is doing in the whole realm of cyber war, so it’s very important,” Mills said. “There are some waiver-able aspects, but this gets very high level attention. There are some reasonable explanations for why companies can’t meet our standards in some cases, but we need to have a very, very high bar for issuing those waivers.”