It’s now been almost two years since the Defense Department issued a final rule requiring contractors to inform the government when their systems have been involved in cybersecurity breaches and government technical data has been stolen. But as can sometimes happen in a vast bureaucracy, the rule has been slow to take hold.
That’s according to some new metrics the Office of the Secretary of Defense released last week that don’t even try to measure whether contractors are reporting security breaches. Instead, they merely ask whether the military services and agencies have updated their contract language to require companies to abide by the new rule. After two years of preparation, almost a quarter of the contracts that should include the new language still don’t.
DoD’s office of Defense Procurement and Acquisition Policy first started compiling the compliance data and publicly reporting it earlier this year. The second quarterly scorecard DoD published last week gives the first indication of progress, or lack thereof. The Navy wins the award for most improvement: it included the new clause in 87 percent of its relevant contracts in the second quarter of 2015, compared to 46 percent in the quarter before. The Army and Air Force came in at 41 percent and 42 percent, respectively. Other Defense agencies, which encompass organizations like the Missile Defense Agency and the Defense Information Systems Agency, also improved, bringing their collective score from 26 percent to 63 percent since the public scorecard reporting began.
The Pentagon has consistently expressed concern about the type of data involved in the scorecard. While classified data is subject to rigorous protections, technical information that doesn’t rise to the level of state secrets can still be used by foreign countries to narrow the technology gap the U.S. now enjoys, and it’s frequently a target for hackers, as Frank Kendall, the Pentagon’s top acquisition official, noted last month.
“We’re going to revisit those [rules] as we get some more data this year and see if they’re tight enough,” he said. “We’re losing a lot of time advantage and a lot of financial advantage by having this data be extracted from us. We need to think about every interface that a weapons system has and whether it’s accessible through cyber methods or not. We need to think about all of the systems that weapons system touches or is dependent upon. So there’s a discipline we have to put into our management of this and we need to make it just a higher priority than we have in the past.”