Department of Defense Enforcing Contractor Cybersecurity Compliance

A cyberattack occurs every 39 seconds somewhere in the world. It is well known that our adversaries use vulnerabilities in the industrial base supply chain, from top-tier to lower-tier suppliers, to penetrate unprotected systems. Small manufacturers may assume they are safe because such attacks are aimed mainly at Prime contractors, but nothing could be further from the truth.

All contractors within the defense industrial base need to recognize the risks involved in holding sensitive data and information, regardless of their company's size. By taking proper precautions and following preventive measures to ensure that information is guarded and protected, breaches are more likely to be avoided.

The Department of Defense (DoD) considers cybersecurity in the defense industrial base among their top priorities. There is mounting concern about adversaries stealing sensitive data in the defense supply chain, driving the Pentagon to also mandate compliance with cybersecurity requirements at lower tiers of the supply chain.

A January 2019 memorandum from Ellen Lord, Under Secretary of Defense for Acquisition and Sustainment, states that the Pentagon is directing the Defense Contract Management Agency (DCMA) to assess and enforce compliance with cybersecurity requirements.

The memo highlights the obligation of contractors to have procedures in place that ensure the contractual flow-down of the Defense Federal Acquisition Regulation Supplement (DFARS) requirement and to assess the compliance of their tier-one suppliers.

The DFARS clause requires that Primes and their supply chain implement, at a minimum, the security requirements in NIST SP 800-171 to protect sensitive information, classified as Covered Defense Information. This standard provides suppliers with guidelines for closing gaps in their existing security systems while creating prevention and response plans for potential cyberattacks in the future.

The memo from Lord creates a mechanism for the DCMA to begin checking contractors' supply chain cybersecurity compliance. The Pentagon is also working to ensure a unified approach across the DoD, including a set of minimum cybersecurity compliance requirements for remaining in the defense supply chain.

The risk posed by lower-tier suppliers will continue to motivate the Pentagon to tighten oversight, ensuring that larger defense contractors limit the sensitive information they send down their supply chains and confirm that their subcontractors are taking adequate security measures. In testimony before Congress, DoD Chief Information Officer Dana Deasy said, “This problem is not necessarily concentrated at the tier-one supply level. It’s also down at the tier-three and the tier-four.”

Defense suppliers and contractors who want their cybersecurity to be compliant, their data to be protected, and their business to stay competitive should contact VMEC to learn about services that can help them guard their sensitive and proprietary information.

This blog posting was written by Jeffrey Orszak, Technology & Innovation Manager at CONNSTEP, the official representative of the MEP National Network in Connecticut.