SecurityWeek


Pentagon Toughens Cybersecurity Requirements for Defense Contractors

The US Department of Defense (DoD) has published an amendment to the Defense Federal Acquisition Supplement which will require defense contractors to incorporate established information security standards across their unclassified networks and to report “cyber-intrusion incidents” that result in the loss of unclassified controlled technical information.

According to the Department of Defense, the amendment will apply to all new contracts that will use or generate technical information. Based on figures from the Defense Technical Information Center, an estimated 6,555 contractors would be affected by the new security requirements.

For the curious, the DoD defines “controlled technical information” as technical data, computer software, and any other technical information covered by DoD Directive 5230.24 and DoD Directive 5230.25.

Under the new policy, contractors must report certain cyber incidents that affect unclassified controlled technical information stored on or transiting contractor unclassified information systems, the DoD said. Contractors must report specific details of such incidents within 72 hours of discovery to the Department of Defense via the Defense Industrial Base Cybersecurity Information Assurance Program. 

Increasing security measures to comply with the requirements will come at a cost, but according to the Department of Defense, the impact should be minimal for most companies.

“Of the 6,555 contractors it is estimated that less than half of them are small entities. For the affected small entities a reasonable rule of thumb is that information technology security costs are approximately 0.5% of total revenues,” the Defense Department noted in a document posted Nov. 18. “Because there are economies of scale when it comes to information security, larger businesses generally pay only a fraction of that amount.”

Defense contractors throughout the department’s supply chain have been targeted by cyber criminals attempting to steal unclassified technical data, Frank Kendall, undersecretary of defense for acquisition, technology and logistics, said in a statement, calling the amendment “an essential step to ensure that this valuable information is protected.”

“We cannot continue to give our potential adversaries the benefits in time and money they obtain by stealing this type of information,” he added.

“Protection of technical information is a high priority for the department and is critical to preserving the intellectual property and competitive capabilities of our national industrial base,” the undersecretary continued. “This information, while unclassified, is comprised of data concerning defense systems requirements, concepts of operations, technologies, designs, engineering, production and manufacturing capabilities.”


These new cybersecurity rules for Pentagon suppliers come amid an increasing number of attacks targeting defense contractors and the IT supply chain, both directly and indirectly.

While attacks targeting defense firms are increasing, they are not new.

In May 2011, Lockheed Martin detected what it called a “significant and tenacious attack on its information systems network”, which ended up being connected to the breach involving RSA’s SecurID technology.

Early this year, researchers from Symantec discovered a targeted attack that singled out high-level employees in the defense and aerospace industries.

In late September, Kaspersky Lab uncovered details of “Icefog”, a series of small yet sophisticated attacks targeting several industrial and high tech organizations in South Korea and Japan, many of which are linked to the high tech supply chain.  

Kaspersky Lab experts voiced concerns that the crew behind the Icefog attacks would target organizations in the Western world as well, including the U.S. and Europe.

More details on the amendments to the Defense Federal Acquisition Regulation Supplement can be found here.

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
