Pentagon developing plan to grade contractors on 'cyber score'

By Justin Doubleday / February 13, 2019

The Pentagon is moving forward with plans to score defense companies on cybersecurity, similar to measuring credit scores, as one Defense Department official says DOD's current efforts regarding contractor cybersecurity are not sufficient.

Kevin Fahey, assistant secretary of defense for acquisition, said DOD is making efforts to more effectively implement the cybersecurity provisions in the Defense Federal Acquisition Regulation Supplement, which require contractors to protect sensitive defense information in accordance with best practices published by the National Institute of Standards and Technology.

For instance, DOD recently provided guidance to contracting officers on how to take cybersecurity into account during source selection, and the Pentagon is working with NIST on an enhanced set of requirements for critical programs.

However, during a Wednesday event hosted by the National Defense Industrial Association in Washington, Fahey said the Pentagon's efforts are "not sufficient."

"That's not where we need to end up," he said of the current requirement. "That's sort of, in my opinion, a stopgap."

He said the Pentagon is moving toward viewing contractor cybersecurity similar to the "ISO 9000" series of international standards for quality management and quality assurance.

"We have to get to the point where it's like ISO 9000, where we figure out how do you certify industry being cyber-compliant," Fahey said. "We're going down that path."

DOD Chief Information Officer Dana Deasy also recently confirmed that Fahey's boss, Pentagon acquisition chief Ellen Lord, was considering using third-party companies to audit contractors' compliance with cyber requirements, with a particular emphasis on subcontractors and companies further down the supply chain.

"We are just in the early discussions of how we might do this," Deasy said during a Jan. 29 Senate Armed Services cybersecurity subcommittee hearing.

Over the past year, DOD officials have placed increasing emphasis on contractor cybersecurity and the security of the supply chain in general. While questions swirled around how DOD would apply the NIST requirements, then-Deputy Defense Secretary Pat Shanahan said last February the Pentagon wants to get to a point where defense contractors sign a "cyber disclosure statement that says, 'Everybody you do business with is secure.'"

"The culture we need to get to is we're going to defend ourselves, and just like with security clearances or any time information is compromised, we want the bar to be so high that it becomes a condition of doing business," Shanahan said at the time.

Last August, MITRE Corp. published a report, "Deliver Uncompromised," offering a series of recommendations on how the Pentagon could better secure its supply chain. DOD has endorsed the central recommendation of the report to elevate security as a "fourth pillar" in acquisition and last November set up a task force to protect the Pentagon's critical information and operations.

Among the MITRE report's many recommendations was a suggestion to measure contractors' cybersecurity risk, similar to how Moody's Investors Service rates companies' credit.

Fahey said the Pentagon doesn't have a timeline to implement any sort of cyber score. But he said the idea is to have third-party companies certifying the cybersecurity of prime contractors, as well as subcontractors down the supply chain.

"It's almost like when you do a credit score," Fahey said. "How do we do, across industry, a cyber score?"

He said DOD is considering a "pathfinder" for the new initiative "where we can take an important program and do the industry re-composition that says here's the prime, here's the two, three, four, five [suppliers] and almost do a practice of how we would do the cyber scorecard across the board."

DOD is especially concerned about the cybersecurity of subcontractors and smaller suppliers who may not have the wherewithal or resources to use secure technologies and processes. But Fahey said the Pentagon would work with those suppliers "to make sure it's affordable all the way down the supply chain."

While he didn't have an implementation timeline, Fahey said the Pentagon would come up with a detailed plan by the end of this year.

"The challenge will be how long it will take to implement it across our whatever the right number is, over 100,000 industry partners," he added.

To that end, he pledged the Pentagon would not begin implementing any sort of cyber scoring before coordinating with the defense industry. DOD officials met with the Aerospace Industries Association last week to discuss the plan, and plan to soon meet with the National Defense Industrial Association as well, according to Fahey.