Contractors wonder how DOD will enforce supply chain security requirements

By Justin Doubleday  / March 30, 2018

Senior Defense Department officials are calling on industry to better protect their supply chains from cyber threats, but uncertainty surrounding DOD's implementation of stringent network security requirements has companies wondering how the department will enforce compliance moving forward. 

The Pentagon had originally set Dec. 31, 2017, as the deadline for defense contractors to comply with the National Institute of Standards and Technology publication for handling controlled unclassified information, NIST Special Publication 800-171. The publication lays out the security requirements and processes contractors should implement to protect that information when it resides in their own, nonfederal networks.

But in December, Pentagon acquisition chief Ellen Lord said DOD would not enforce full compliance by Dec. 31, and would instead require contractors to document their compliance with a so-called "system security plan" and develop a "plan of action" for how and when they will address areas where they're not compliant. She suggested DOD was softening the deadline in response to concerns from smaller companies who feared they would not be able to comply in time.

The current process amounts to a "self-certification model," according to Kevin Cummins, vice president of technology at the Professional Services Council, which represents a range of government contractors. The NIST publication is included in a provision in the Defense Federal Acquisition Regulation Supplement, and it flows down from prime contractors to subcontractors.

"The subs have heard very clear that, 'Thou shalt be compliant, or you won’t be able to partner with us,'" Cummins said in an interview with Inside Defense. 

In recent months, some subcontractors have received letters from their business partners asking them to certify that they're complying with the regulation, according to Olga Torres, managing partner of Torres Law, which specializes in industrial security and export law.

"The implied consequence of course is, 'Otherwise, we're not going to do business with you -- you're going to lose a contract,'" Torres told Inside Defense. "But they're not explicitly stating it."

But Torres said DOD has not put a mechanism in place to actually confirm whether companies are working toward compliance with the 110 controls laid out in the NIST publication. Instead, as noted by Cummins, companies are only required to say that they are doing so.

Torres said she is waiting to see if the government will implement a process "with a little more teeth," such as audits or a new deadline for full compliance.

"Something that maybe incentivizes people to go, 'OK, we need to get it done by such and such date,'" she said.

Pentagon spokeswoman Heather Babb told Inside Defense compliance with the NIST rules would be enforced using "existing generally applicable contractor compliance monitoring mechanisms." The Defense Contract Management Agency "will verify that applicable cybersecurity clauses are in the contract," Babb said, and then will "engage with contractors regarding implementation of DFARS Clause 252.204-7012, as part of its normal software surveillance activities."

The defense supply chain's vulnerability to cyber threats has been highlighted by several high-ranking officials in recent months. During a Feb. 27 Senate Armed Services Committee hearing, the outgoing head of U.S. Cyber Command, Adm. Mike Rogers, said "malicious state actors" like Russia and China are mounting "sustained campaigns" to steal information from the defense industry.

"How do we better work the DOD role in the defense industrial base to clear defense contractors?" Rogers said. "We've got to get a different dynamic here. We've got to look at that differently."

President Trump's pick to replace Rogers, Army Lt. Gen. Paul Nakasone, echoed those comments two days later.

"As military defenses are relatively formidable, critical infrastructure and the defense industrial base and private sector are likely seen as a rich source of information and a critical vulnerability in the nation’s armor," Nakasone stated in written testimony prepared for his March 1 confirmation hearing.

During the March 6 McAleese/Credit Suisse conference in Washington, Vice Chairman of the Joint Chiefs of Staff Gen. Paul Selva urged industry to constantly be asking questions about their cybersecurity and potential intrusions in their networks.

"What I can't do is defend every network in this room -- I just flat don't have the resources," Selva said in a room full of defense industry executives. "So we all owe it to each other to think critically about that part of the equation. What do you not know about your networks?"

'The nature of the beast'

The "attack surface" for adversaries in cyberspace is largely due to the interconnected nature of applications, according to Bill Curtis, executive director of the Consortium for IT Software Quality. Even secure applications that hold sensitive data are put at risk if they're connected to non-sensitive systems that aren't secured properly.

Curtis suggested DOD needs to audit contractors at both the process and the technology levels to identify and prioritize risks.

"It's a risk-management problem where you identify the greatest vulnerabilities both in terms of the process and the technology, the software systems, and you begin systematically eliminating the easiest ways to break in until you have the lowest amount of risk," Curtis told Inside Defense.

Such an approach will require "an awful lot of training" for acquisition and contracting officials, he added.

"They're used to acquiring things that are normally hardware, and now they're acquiring things that are primarily software-intensive," Curtis said. "They don't necessarily understand the nature of the beast. . . . The better they understand it, the more likely they are to put intelligent requirements into their contracts."

Acting DOD Chief Information Officer Essye Miller recently suggested the Pentagon is looking to get its program managers focused on cybersecurity, in addition to the three pillars of cost, schedule and performance.

"How do we look at the acquisition process and lay out the criteria that we need to look for before we allow a milestone decision to go forward?" Miller said during a Feb. 27 cyber conference in Arlington, VA. "We're in this culture where our program managers are growing up, are raised rather, to focus on those three things: cost, schedule and performance."

PSC's Cummins said he believes the current framework based on working toward compliance with the NIST publication is just a "waypoint" in DOD's efforts to enforce "cyber hygiene" throughout its supply chain.

"We're encouraging DOD to communicate with stakeholders, industry groups and encouraging dialogue," he said.

Despite questions surrounding the way forward, Deputy Defense Secretary Pat Shanahan earlier this year signaled the Pentagon wants to move to a model where prime contractors take responsibility for the security of their supply chains.

During an early February keynote at the AFCEA West conference in San Diego, CA, Shanahan suggested to industry that, similar to financial disclosure statements, they could sign a "cyber disclosure statement that says, 'Everybody you do business with is secure.'"

"I don't think you'd sign that tomorrow, but we need to get to that level because your secrets, our secrets are exposed," Shanahan said. "The culture we need to get to is we're going to defend ourselves, and just like with security clearances or any time information is compromised, we want the bar to be so high that it becomes a condition of doing business.

"We won't drop that safe on anyone's head right away," he added. "But that's where we want to get to. It's too important."