23 June 2019

Cybersecurity in the defense industrial base


Defense manufacturers are investing in digital technology to accelerate product development, improve existing processes, and increase efficiency. In this article, we explore the major challenges related to cybersecurity regulations for defense contractors and how stakeholders can make progress toward cyber resiliency.

New regulations govern defense contractors and subcontractors

National security concerns elevate the importance of data security for defense manufacturers. They share and exchange covered defense information (CDI) and controlled unclassified information (CUI) on program specifications, technology, and equipment performance as they collaborate across research, design, development, and deployment of defense products. Given that this sensitive data is exchanged across a highly distributed and complex supply chain, these suppliers may be exposed to cyberattacks and theft of intellectual property. Apart from the national security threat, cyberattacks can also cause significant financial and reputational damage to defense contractors, which may disrupt supply chains and result in cost and schedule overruns.

The US governing authorities have issued several regulations related to cybersecurity compliance by defense contractors and subcontractors. Initially, there seemed to be some ambiguity in determining who is accountable and responsible across the defense industrial base (DIB) for evaluating suppliers' compliance with National Institute of Standards and Technology (NIST) SP 800-171.[1] This approach allowed for the possibility of inconsistent adoption of these regulations; however, in a recent announcement by the Office of the Secretary of Defense, the Department of Defense (DoD) is now moving to enforce compliance with the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012[2] cybersecurity flow-down requirements.

High stakes for defense contractors

Stakes are high for DIB affiliates who provide research and development, manufacturing, mission assurance, engineering, logistics and acquisition, cybersecurity and IT, and testing and integration services. DIB affiliates are constantly innovating to produce technologically advanced products, and the speed of innovation creates a significant amount of intellectual property (IP), which must be digitally protected by all participants in the supply chain. The risk that aggregated CDI and CUI concerning future defense capabilities, or IP, is exposed through cyberattacks is a major threat to the national security of the United States.

Defense manufacturing often involves a complex global supply chain of tier-1, tier-2, and tier-3 contractors. This complexity introduces numerous cybersecurity risks, as the involvement of multiple organizations places confidential information in environments with greater opportunity for compromise and exploitation. Further down the supply chain, lower-tier suppliers generally face even more difficulty securing sensitive data because of costly, inconsistent, or incompatible implementations of cybersecurity controls, or because of misinterpretation of the required regulations.

The US has faced numerous and varied cybersecurity threats in the past, which have involved attempts at infiltrating the networks of US public and private institutions to gain access to sensitive information.[3] If the defense manufacturing chain is vulnerable to cyberattacks, it can pose major risks that may compromise the nation's safety.

Current regulation and guidance

DFARS regulations and NIST guidance play an important role in the US in enabling cybersecurity robustness. For defense contractors and subcontractors, these regulations provide minimum guidance to assist them in becoming cyber-secure, as referenced below.

In the US, the DFARS requirements and compliance with NIST SP 800-171[4] govern the DIB and associated contractors. DFARS 204.7300[5] requires contractors and subcontractors to protect CDI by applying specified network security requirements and necessitates the reporting of cyber incidents. DFARS 252.204-7012[6] further expands the definition of CUI and identifies the NIST SP 800-171 framework as the source document for cybersecurity requirements.

NIST SP 800-171, which lays down specific measures to safeguard sensitive information, acts as the minimum standard for companies in the DIB.

To provide guidance for implementation and enforcement of the DFARS, a report by The MITRE Corporation was published in August 2018, which advised the DoD to "Revise DoD 5000.02 and defense acquisition guidance to make security the fourth pillar of acquisition planning, equal in emphasis to cost, schedule, and performance."[7]

The robust regulatory system gives cybersecurity significant importance. However, these regulations will need to be clearly defined to avoid straining defense manufacturers in their adoption and implementation and to help avoid unidentified risks. Defense manufacturers and their suppliers in the US face various challenges when it comes to adhering to cybersecurity regulations.

Defense primes have a higher responsibility to ensure compliance

DoD has recently clarified the direction in which it plans to move toward greater NIST adoption down into the DIB. On January 21, 2019, the Under Secretary of Defense for Acquisition and Sustainment, Ellen Lord, issued a memorandum requesting that the Defense Contract Management Agency (DCMA) validate prime contractors' compliance with DFARS 252.204-7012.[8] The memorandum focused on the DCMA assessing two key elements:

- Ensuring contract terms flow down correctly to tier-1 suppliers
- Reviewing prime contractors' procedures for assessing their tier-1 suppliers' compliance with DFARS 252.204-7012 and NIST SP 800-171

Subsequently, on February 4, 2019, the DCMA officially updated its Contractor Purchasing System Review (CPSR) Guidebook to include new procedures for its procurement analysts to assess the two aspects stated in the memorandum issued by Ellen Lord.[9] Specifically, it stipulated that:

“The prime contractor must validate that the sub-contractor has a covered contractor information system (CCIS) that can receive and protect CUI. The prime contractor must show documentation that they have determined that the subcontractor has an acceptable CCIS to include an adequate system security plan (SSP).”

These steps help prime contractors establish a process to assess and validate the cyber controls a subcontractor has in place to address, at a minimum, the NIST SP 800-171 requirements, and to confirm that items identified in previous Plans of Action and Milestones (POA&Ms) are being resolved as part of the subcontractor's self-certification.

As the DoD starts to enforce evaluation of subcontractors' cybersecurity controls by DoD prime contractors, there are several measures that defense contractors, the DoD, and the government can take to become cyber-secure and compliant.

Prime contractors and original equipment manufacturers (OEMs) should focus on creating a robust cybersecurity framework that protects both their own cybersecurity and that of their supply chain partners. To be fully prepared, defense contractors should pursue both regulatory and non-regulatory approaches to addressing cybersecurity issues.
