NIST drafts enhanced cyber standards for defense contractors
The National Institute of Standards and Technology released new draft security requirements for Department of Defense contractors that store sensitive but unclassified information on private systems.
The enhanced requirements, which are open to public comment before going into effect, were triggered by a rash of data breaches in which sensitive defense information was stolen. Private contractors have been a critical weakness in DOD’s cybersecurity, particularly small subcontractors.
The culprits behind these breaches are often nation-state attackers, particularly Iran, Russia and China, which can throw significant resources behind an attack. “For years, global competitors, and adversaries, have targeted and breached these critical contractor systems with impunity,” a Navy-commissioned report on the service’s cybersecurity found in March.
The new 81-page document sets out enhanced requirements for topics ranging from access control to system and information integrity. It is intended to build on the standards contractors already must meet and to give agencies soliciting contracts updated requirement language. It contains 31 recommendations, such as dual authorization, access restriction and network monitoring activities.
DOD is also developing a new model, the Cybersecurity Maturity Model Certification, that it plans to roll out next year. The model will define five levels of cybersecurity maturity and will incorporate NIST standards along with input from the private sector and academia.
DOD CIO Dana Deasy said earlier this year that the greatest risk comes from defense industrial base contractors that lack the resources to implement the necessary cybersecurity.
“This problem is not necessarily a tier-one supply level,” Deasy told the Senate in January. “It’s down when you get to the tier-three and the tier-four” subcontractors.
Private industry has been the largest target of hacking aimed at government secrets. The U.S. intelligence community has identified China as the adversary most frequently engaged in the theft of both government secrets and private intellectual property.
“We should be infuriated about what has happened to our data,” Katie Arrington, special assistant to the assistant secretary of Defense acquisition for cyber, said during a recent event.