Pentagon will soon hold contractors to elevated cyber standards
The Defense Department in recent years has implemented heightened cybersecurity regulations to protect its sensitive data, and now it must hold its industry partners to the same standards as they face the same threats, the Pentagon’s top IT official said Friday.
“The cyberthreat is not going away; we have to defend our networks and systems, and you’re part of that defense,” acting DOD CIO John Zangardi said. “DOD is facing the same threats that you are. And with these regulations, we are asking you to implement some of the same defenses as we are implementing for the department’s networks.”
Zangardi’s comments came at the opening of a DOD industry day centered on the implementation of an updated regulation that requires vendors doing business with the department to more safely guard “covered defense information” that is transmitted to, or stored in, their systems or networks in the course of contracted work.
“It’s critical that the information we put out there, that you receive or that you develop in support of DOD’s warfighting mission is protected,” the acting CIO said. “We can’t expect anything less in this current environment.”
“This is the thing that gets us to where we want to be in terms of protecting our data,” he said.
Other subject matter experts from Zangardi’s office and the Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics fielded questions from industry stakeholders on how they should interpret the updated requirement.
The new acquisition regulation, published as a final rule in October 2016, defines covered defense information as “unclassified controlled technical information or other information” as described in the National Archives and Records Administration’s Controlled Unclassified Information (CUI) Registry “that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies.”
For such information that contractors hold on their networks or systems, they must provide “adequate security,” which at minimum means complying with the National Institute of Standards and Technology’s Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.” The publication specifies security requirements for nonfederal systems that handle CUI, covering areas such as access control, multifactor authentication, audit logging and incident response.
Defense contractors have until the end of calendar year 2017 (Dec. 31, 2017) to implement those NIST requirements under the Pentagon regulation, the DFARS clause titled “Safeguarding Covered Defense Information and Cyber Incident Reporting,” which also details how a contractor must respond to and report a cyber incident.
DOD doesn’t plan on changing any of the provisions at this point, Zangardi said.
The updated regulation ties directly to the DOD Cyber Strategy of 2015, he said. “It relates directly to what we’re asking you to do today: these include information sharing, building bridges to the private sector and developing and implementing private sector exchange programs, and last but not least, improving accountability and responsibility for the protection of data across DOD and the defense industrial base.”
“We need to protect this information, whether it resides in the department’s networks or systems, or on your networks and systems as our partners in industry. Our adversaries seek it for many reasons,” Zangardi explained. “They may be trying to leap ahead in technology, develop capabilities to counter ours in a warfighting situation. We need to protect this information so our capabilities are not exploited, misdirected, countered or cloned. We invest a lot of dollars, and we have an obligation to the taxpayers of this country to make sure the money they spend on defense is protected.”
“Protecting this information saves warfighter lives,” he said.
The department also recently implemented a new regulation for training contractors on how to recognize and respond to insider threats.