SecurityWeek

Management & Strategy

Pentagon Toughens Cybersecurity Requirements for Defense Contractors

The US Department of Defense (DoD) has published an amendment to the Defense Federal Acquisition Regulation Supplement (DFARS) that will require defense contractors to incorporate established information security standards across their unclassified networks and to report “cyber-intrusion incidents” that result in the loss of unclassified controlled technical information.

According to the Department of Defense, the amendment will apply to all new contracts that will use or generate technical information. Based on figures from the Defense Technical Information Center, an estimated 6,555 contractors would be affected by the new security requirements.

For the curious, the DoD defines “controlled technical information” as technical data, computer software, and any other technical information covered by DoD Directive 5230.24 and DoD Directive 5230.25.

Under the new policy, contractors must report certain cyber incidents that affect unclassified controlled technical information stored on, or transiting, contractor unclassified information systems, the DoD said. Contractors must report specific details of such incidents to the Department of Defense within 72 hours of discovery via the Defense Industrial Base Cybersecurity Information Assurance Program.

Increasing security measures to comply with the requirements will come at a cost, but according to the Department of Defense, the impact should be minimal for most companies.

“Of the 6,555 contractors it is estimated that less than half of them are small entities. For the affected small entities a reasonable rule of thumb is that information technology security costs are approximately 0.5% of total revenues,” the Defense Department noted in a document posted Nov. 18. “Because there are economies of scale when it comes to information security, larger businesses generally pay only a fraction of that amount.”

Defense contractors throughout the department’s supply chain have been targeted by cyber criminals attempting to steal unclassified technical data, Frank Kendall, undersecretary of defense for acquisition, technology and logistics, said in a statement, calling the amendment “an essential step to ensure that this valuable information is protected.”

“We cannot continue to give our potential adversaries the benefits in time and money they obtain by stealing this type of information,” he added.

“Protection of technical information is a high priority for the department and is critical to preserving the intellectual property and competitive capabilities of our national industrial base,” the undersecretary continued. “This information, while unclassified, is comprised of data concerning defense systems requirements, concepts of operations, technologies, designs, engineering, production and manufacturing capabilities.”

These new cybersecurity rules for Pentagon suppliers come in the face of an increasing number of attacks targeting defense contractors and the IT supply chain, both directly and indirectly.

While attacks targeting defense firms are increasing, they are not new.

In May 2011, Lockheed Martin detected what it called a “significant and tenacious attack on its information systems network”, which ended up being connected to the breach involving RSA’s SecurID technology.

Early this year, researchers from Symantec discovered a targeted attack that singled out high-level employees in the defense and aerospace industries.

In late September, Kaspersky Lab uncovered details of “Icefog”, a series of small yet sophisticated attacks targeting several industrial and high-tech organizations in South Korea and Japan, many of which are linked to the high-tech supply chain.

Kaspersky Lab experts voiced concerns that the crew behind the Icefog attacks would target organizations in the Western world as well, including the U.S. and Europe.

More details on the amendments to the Defense Federal Acquisition Regulation Supplement can be found here.

Written by Mike Lennon

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is founder and director of several leading cybersecurity industry conferences around the world.