DOD cyber official looks ahead to expansion of intel sharing with contractors

By Justin Doubleday / August 28, 2020

The Defense Department’s initiatives for sharing cyber threat intelligence with contractors are set for a major expansion under the fiscal year 2021 defense policy bill currently being negotiated by House and Senate lawmakers.

Both the House and Senate versions of the FY-21 defense policy bill direct the Pentagon to establish a threat intelligence sharing program for the defense industrial base. The new requirements come as defense officials and lawmakers remain concerned about the amount of sensitive information being stolen from private sector networks, including those run by defense contractors.

Both bills would allow the Pentagon to establish a new program or modify an existing one.

During an Aug. 27 NextGov webinar, Terry Kalka, chief of mission support for the Defense Industrial Base Collaborative Information Sharing Environment, said “DCISE” is key to sharing information about cyber threats with contractors.

The DCISE program is the “operational focal point” for the Defense Industrial Base Cybersecurity program within DOD’s Cyber Crime Center, according to the center’s website. The center itself is administered by the Air Force Office of Special Investigations.

DCISE shares threat indicators and “contextual information” from government sources, usually at the unclassified or for official use only level, according to Kalka. Companies participating in the program can also share threat information with DCISE officials, who will then “anonymize” the information and share it with other companies in the program.

“A lack of awareness and a lack of current information on cyber threat is certainly one of the drivers for disappointing results from security controls,” Kalka said.

However, current efforts are limited compared to the expansive programs being considered by lawmakers.

For instance, the DCISE program is restricted by law to contractors with facility clearances, according to Kalka, even though much of the information being shared is unclassified.

The program is also voluntary. Kalka said about 700 defense contractors choose to participate in the program today. According to DOD estimates, there are about 300,000 contractors in the defense industrial base, with at least 15,000 of those companies managing controlled unclassified information or higher levels of classified data on their networks.

However, the House bill would mandate that all DOD contracts require participation in a threat intelligence sharing program within one year of the legislation being signed, although it gives the Pentagon the ability to waive those requirements for specific entities and classes of procurements. The Senate bill leaves it to the Pentagon to determine whether participation is mandatory or “encouraged.”

Regardless of the outcome of conference negotiation, the final bill is likely to move information sharing efforts beyond the current situation of voluntary participation limited to a minority of cleared defense contractors.

“It struck me as very interesting that in both versions of the proposed legislation, we’re looking at possibly an enforcement mechanism for the department to require DIB contractors to be part of threat intelligence programs,” Kalka said.

The cyber legislation moving through Congress is largely driven by recommendations from the Cyberspace Solarium Commission. The group’s final report recommended DOD require that contractors participate in a threat intelligence sharing program.

“The program’s ideal end state is to leverage U.S. government intelligence collection to create a better understanding of adversaries’ intelligence collection requirements,” the commission’s report states. “This action would help DOD and the intelligence community anticipate where adversaries will seek to collect against DIB targets, and then communicate that information to DIB network owners and operators so that they can proactively defend against impending adversary activities.”

The Pentagon’s new “Cybersecurity Maturity Model Certification” program, which will require contractors to achieve certification before winning an award, also includes requirements for participating in threat intelligence sharing programs as part of the more advanced level four and level five certifications. DOD plans to begin including CMMC requirements in contracts later this fall.

For contractors who cannot participate in the DCISE program, Kalka recommended becoming involved in the National Defense Information Sharing and Analysis Center (ND-ISAC). The non-profit organization is recognized by the U.S. government as the ISAC for the defense industry critical infrastructure sector.

“Whether you come to us or whether you work with a commercial provider or whether you work with an ISAC, you need some source of threat information more than just updating your antivirus because you know the enemy moves very quickly and attacks very rapidly, and we need to be able to respond rapidly,” Kalka said.