Pentagon Would Ban Contractors That Don’t Protect Data
U.S. adversaries such as China and Russia could embed “exploits,” or malicious software, into the hardware of chips inside Internet-of-things electronic devices that are widely used in the military and the defense industry, according to a congressional watchdog group.
The report from the Government Accountability Office cautioned that the Pentagon has yet to come to grips with the vulnerabilities created by the use of smartphones, smart TVs and fitness meters.
“Internet-of-things devices pose numerous security challenges that need to be addressed,” the report warned of the Internet technology embedded in everyday objects, enabling them to send and receive data.
Digital technology and hacking tactics move much faster than government regulations, but the Pentagon does its best to keep up.
In the wake of a massive data breach at the Office of Personnel Management in 2015 — compromising the personal data of 21.5 million government employees and contractors — the Defense Department started drafting tough new cybersecurity regulations that are finally scheduled to take effect Dec. 31. These rules will affect every company that does business with the Defense Department.
The severity of the OPM attack and other breaches made the Pentagon realize that much of its data resides in contractors’ computer systems. Officials concluded that the Defense Department needed new policies to ensure companies keep close watch and protect that data.
Ryan Bradel, a government-contracting attorney at the law firm of Greenberg Traurig, said companies that want to do business with the Pentagon had better be acquainted with the phrase “covered defense information.”
This category generally covers information that is unclassified but that the Pentagon nonetheless expects contractors to protect. Failure to do so could permanently disqualify a vendor from bidding on government contracts.
Defense companies that do classified work already have in place rigid cybersecurity controls. The contractors that are more worried are those that make commercial products but still have some level of access to covered defense information, Bradel said.
Covered defense information has a “complicated definition,” he said. It is unclassified but still sensitive. It includes technical data, operational security information, anything that falls under export controls or whatever else the government chooses to protect under a particular contract.
A company that makes a dual-use military-commercial product like a holographic rifle sight, for instance, would have to ensure the data about the product is shielded from intrusions or leaks, Bradel said. Although the technology is not classified, sights are export-controlled items that require a State Department license to be sold to a foreign buyer.
Bradel and other Washington attorneys have been flooded with inquiries from government contractors who fear they will be banned from federal work if they don’t implement the new requirements.
The rules fall under the National Institute of Standards and Technology’s “special publication 800-171.” The defense-specific requirements are in the Defense Federal Acquisition Regulation Supplement, or DFARS, titled, “Prime Contractor Responsibilities for Safeguarding Controlled Unclassified Information.”
Defense contractors have to comply with a list of 110 cybersecurity controls specified by NIST.
“There are a lot of small- to medium-size defense contractors that are unprepared to meet these extensive new regulations,” Bradel said.
Pentagon officials convened a large audience of contractors in June to discuss the new policies. Industry sources told RealClearDefense that government representatives assured contractors they would not engage in witch hunts, but nevertheless will expect companies to make every effort to comply.
If they can’t satisfy every requirement, contractors will be expected to disclose that upfront and likely will be given a chance to fix the problem. If they mislead the government in any way, they will be subject to debarment.
The message from the Pentagon to all its suppliers: “We have important data that affects national security and you need to protect it,” said an industry source who attended the meeting.
How the Pentagon intends to police contractors’ cybersecurity efforts is still unclear. “What’s adequate security? The devil is in the details,” the source said. The thinking is that contractors already are highly motivated to protect their data, as cyberattacks are devastating to most businesses. The Pentagon has some unique demands, however, that could drive up compliance costs. Cybersecurity firms are known to charge anywhere from $75,000 to $250,000 for a basic “gap analysis.”
Under the new Pentagon rules, prime contractors have to “flow down” cybersecurity requirements to lower-tier suppliers, creating a potentially huge financial burden for cash-strapped small businesses. Some attorneys advise companies to avoid exposure to controlled defense information so they are not obligated to put extra cyber protections in place.
The new measures are bound to result in disputes over what constitutes controlled defense information. Small businesses fear that primes will err on the side of caution and demand that all data be treated as CDI.
Large defense contractors are financially much better positioned to absorb extra cybersecurity costs because they get reimbursed under “cost-plus” contracts for their overhead expenditures.
Commercial companies could end up passing the cost to customers by raising prices, Bradel noted. “Certainly they have to make a profit,” he said. The concern is that if they charge the government a higher price for a product, they put their future business at risk. “Contractors are complaining that they’re having a hard time passing on these costs to the government,” he said. “The government has its own budgetary pressures and they’re balking at all these costs.”
Meanwhile, the security worries that are being stoked about the Internet of things have the industry on alert for even more regulations down the road.
“Self-driving vehicles and commercial drones will be a big issue,” said Bradel. There are ongoing debates over the need to protect these systems from malicious hackers, he noted. “The thinking on how to deal with the potential threats, again, has not caught up with technology.”
The Internet of things is a worrisome area because it gets into privacy issues, experts have warned, and regulators are not sure how far they can go. “To regulate you have to have a consensus on what needs to be regulated,” an industry insider said. “The technical issues have to be fully identified before you can regulate.”