Pentagon contractors are racing to meet a Dec. 31 deadline to have in place tight controls on sensitive information and ensure weapons systems under their watch are safe from hacking and tampering.
The measures are viewed as necessary at a time of heightened fears of cyberattacks and insider leaks. They are also causing widespread anxiety in the industry as the Pentagon shifts more of the security burden to suppliers, many of which are small businesses that lack resources to harden information networks and production facilities.
The companies most affected by this policy are the Pentagon’s top-tier firms that handle secret, sensitive information. Prime contractors are responsible for assembling weapon systems using software and components supplied by hundreds or thousands of sub-tier suppliers, depending on the size of the program. The F-35 Joint Strike Fighter, for example, has 1,300 suppliers.
Starting next year, prime contractors will have to demonstrate to the government that they have a handle on the security of their entire supply chain. They will be responsible for identifying subcontractors that pose a risk and for keeping the government informed of any potential or actual threats. They will also have to keep close tabs on vendors to prevent the inadvertent or intentional use of counterfeit electronic parts.
The consequences of failing to comply would be severe. Prime contractors will be held accountable for breaches of defense systems along the entire supply chain and, if found negligent, could be legally liable and possibly be barred from bidding on future Pentagon contracts.
Meeting the year-end deadline is becoming a “huge challenge,” said John Jordan, director of compliance for global supply chain at Northrop Grumman Corp. Pentagon officials informed contractors last week that there are 110 controls that will need to be in place. The goal is achievable for large firms like Northrop but could overwhelm small businesses in the lower tiers of the supply base, Jordan said Wednesday at a Defense One industry event in Washington, D.C.
Northrop Grumman and other prime contractors have in recent years enhanced their security measures in response to regulations the Pentagon has rolled out. In preparation for the Dec. 31 deadline, primes have increased communication with subcontractors to make sure they understand the rules, Jordan said. Large companies have invested in websites, videos and other tools to help small businesses understand the new controls. Cybersecurity is “second nature” to big defense primes, but it can be daunting to small firms, he noted. “You say ‘dual-factor authentication’ to a small business and in some cases their heads start spinning.”
The regulations could create huge headaches for contractors that in many cases depend on single-supplier sources for key components used in weapon systems. If a subcontractor cannot meet the required protections, the prime will be precluded from sharing any sensitive information with that supplier.
Andy Kemp, director of Dell EMC’s national security group, suggested the Pentagon has lagged behind other industries in supply chain protection, considering the breadth and depth of the threats. The financial sector has been far more aggressive than defense, Kemp said. The information-technology industry has helped financial firms harden their systems and is ready to assist the Pentagon, “but we need the Department of Defense to move at that pace.”
Technologies like artificial intelligence and advanced data analytics increasingly have been used to build tools to detect high-risk suppliers, said Jeffrey Miller, managing director of Accenture Federal Services. A major problem in large defense programs is actually identifying who the suppliers are, he said. “Our advanced weaponry uses so much code and such a broad variety of electronic chips that protection tools are hard to scale,” Miller added. To protect the military supplier base, the government also will have to monitor foreign acquisitions of U.S. companies more closely because, he noted, if an adversary is not able to steal information, it could buy it. “That is an issue we have to be concerned about.”
To combat insider leaks or sabotage, the Pentagon is stepping up oversight of employees and contractors who get security clearances, said Benjamin Richardson, deputy director for information and industrial base protection at the Department of Defense.
In a briefing to contractors June 23 in Alexandria, Va., defense officials cautioned that the Dec. 31 deadline is firm and will not be extended. John Zangardi, the Defense Department’s acting chief information officer, said cyber incidents have surged by 38 percent since 2014, with the costs of those incidents estimated at $400 billion. According to a report by the law firm Covington & Burling, the message from the Pentagon is that it needs more help from contractors to protect information.
The new rule will be a major test “for even the most experienced contractors,” said Nelson Kanemoto, founder of the cybersecurity firm eResilience. The news that the deadline will not be changed ratchets up the pressure, he said. “If you’re non-compliant at the end of the year you risk having to stop work.”
In discussions about the security of the defense supply chain, the Pentagon rarely mentions specific countries it worries about, although China is clearly the big bad boogeyman. The U.S.-China Economic and Security Review Commission in May solicited bids for an “unclassified report on supply chain vulnerabilities from China in U.S. federal information technology procurement.”
Congress established the commission in 2000 to monitor and study the national security implications of China’s economic relationship with the United States. Bids for the report on supply chain vulnerabilities were due June 14 and work has to be completed within 90 days.
Brian Berger, executive vice president of the cybersecurity company Cytellix, said the Defense Department supply chain is “particularly vulnerable to high-profile targeting.” With valuable assets and limited protection, it is a “hacker’s paradise,” Berger wrote in a National Defense Magazine article. “As one of the largest and most operationally volatile supply chains in the world, an attack on this key resource could have potentially catastrophic effects, and may inhibit the military’s ability to respond to a contingency.”