The US Department of Defense (DoD) has published an amendment to the Defense Federal Acquisition Regulation Supplement which will require defense contractors to incorporate established information security standards across their unclassified networks and to report “cyber-intrusion incidents” that result in the loss of unclassified controlled technical information.
According to the Department of Defense, the amendment will apply to all new contracts that will use or generate technical information. Based on figures from the Defense Technical Information Center, an estimated 6,555 contractors would be affected by the new security requirements.
For the curious, the DoD defines “controlled technical information” as technical data, computer software, and any other technical information covered by DoD Directive 5230.24 and DoD Directive 5230.25.
Under the new policy, contractors must report certain cyber incidents that affect unclassified controlled technical information stored on or transiting contractor unclassified information systems, the DoD said. Contractors must report specific details of such incidents within 72 hours of discovery to the Department of Defense via the Defense Industrial Base Cybersecurity Information Assurance Program.
Increasing security measures to comply with the requirements will come at a cost, but according to the Department of Defense, the impact should be minimal for most companies.
“Of the 6,555 contractors it is estimated that less than half of them are small entities. For the affected small entities a reasonable rule of thumb is that information technology security costs are approximately 0.5% of total revenues,” the Defense Department noted in a document posted Nov. 18. “Because there are economies of scale when it comes to information security, larger businesses generally pay only a fraction of that amount.”
Defense contractors throughout the department’s supply chain have been targeted by cyber criminals attempting to steal unclassified technical data, Frank Kendall, undersecretary of defense for acquisition, technology and logistics, said in a statement, calling the amendment “an essential step to ensure that this valuable information is protected.”
“We cannot continue to give our potential adversaries the benefits in time and money they obtain by stealing this type of information,” he added.
“Protection of technical information is a high priority for the department and is critical to preserving the intellectual property and competitive capabilities of our national industrial base,” the undersecretary continued. “This information, while unclassified, is comprised of data concerning defense systems requirements, concepts of operations, technologies, designs, engineering, production and manufacturing capabilities.”
These new cybersecurity rules for Pentagon suppliers come in the face of an increasing number of attacks targeting defense contractors and the IT supply chain, both directly and indirectly.
While attacks targeting defense firms are increasing, they are not new.
In May 2011, Lockheed Martin detected what it called a “significant and tenacious attack on its information systems network”, which ended up being connected to the breach involving RSA’s SecurID technology.
Early this year, researchers from Symantec discovered a targeted attack that singled out high-level employees in the defense and aerospace industries.
In late September, Kaspersky Lab uncovered details of “Icefog”, a series of small yet sophisticated attacks targeting several industrial and high tech organizations in South Korea and Japan, many of which are linked to the high tech supply chain.
Kaspersky Lab experts voiced concerns that the crew behind the Icefog attacks would target organizations in the Western world as well, including the U.S. and Europe.
More details on the amendments to the Defense Federal Acquisition Regulation Supplement can be found here.