SecurityWeek

Pentagon Toughens Cybersecurity Requirements for Defense Contractors

The US Department of Defense (DoD) has published an amendment to the Defense Federal Acquisition Regulation Supplement that will require defense contractors to incorporate established information security standards across their unclassified networks and to report “cyber-intrusion incidents” that result in the loss of unclassified controlled technical information.

According to the Department of Defense, the amendment will apply to all new contracts that will use or generate technical information. Based on figures from the Defense Technical Information Center, an estimated 6,555 contractors would be affected by the new security requirements.

For the curious, the DoD defines “controlled technical information” as technical data, computer software, and any other technical information covered by DoD Directive 5230.24 and DoD Directive 5230.25.

Under the new policy, contractors must report certain cyber incidents that affect unclassified controlled technical information stored on or transiting contractor unclassified information systems, the DoD said. Contractors must report specific details of such incidents within 72 hours of discovery to the Department of Defense via the Defense Industrial Base Cybersecurity Information Assurance Program. 

Increasing security measures to comply with the requirements will come at a cost, but according to the Department of Defense, the impact should be minimal for most companies.

“Of the 6,555 contractors it is estimated that less than half of them are small entities. For the affected small entities a reasonable rule of thumb is that information technology security costs are approximately 0.5% of total revenues,” the Defense Department noted in a document posted Nov. 18. “Because there are economies of scale when it comes to information security, larger businesses generally pay only a fraction of that amount.”

Defense contractors throughout the department’s supply chain have been targeted by cyber criminals attempting to steal unclassified technical data, Frank Kendall, undersecretary of defense for acquisition, technology and logistics, said in a statement, calling the amendment “an essential step to ensure that this valuable information is protected.”

“We cannot continue to give our potential adversaries the benefits in time and money they obtain by stealing this type of information,” he added.

“Protection of technical information is a high priority for the department and is critical to preserving the intellectual property and competitive capabilities of our national industrial base,” the undersecretary continued. “This information, while unclassified, is comprised of data concerning defense systems requirements, concepts of operations, technologies, designs, engineering, production and manufacturing capabilities.”

These new cybersecurity rules for Pentagon suppliers come in the face of an increasing number of attacks targeting defense contractors and the IT supply chain, both directly and indirectly.

While attacks targeting defense firms are increasing, they are not new.

In May 2011, Lockheed Martin detected what it called a “significant and tenacious attack on its information systems network”, which ended up being connected to the breach involving RSA’s SecurID technology.

Early this year, researchers from Symantec discovered a targeted attack that singled out high-level employees in the defense and aerospace industries.

In late September, Kaspersky Lab uncovered details of “Icefog”, a series of small yet sophisticated attacks targeting several industrial and high tech organizations in South Korea and Japan, many of which are linked to the high tech supply chain.  

Kaspersky Lab experts voiced concerns that the crew behind the Icefog attacks would target organizations in the Western world as well, including the U.S. and Europe.

More details on the amendments to the Defense Federal Acquisition Regulation Supplement can be found here.

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
