Advances in Information technology in areas such as robotics, communication, and manufacturing are critical to U.S. technological superiority on the battlefield and provide great gains in U.S. productivity. However our reliance on information technology has also made us potentially vulnerable to cyber-attacks as our adversaries seek to undercut our economic, technological, and military advantages. Symantec’s 2016 Internet Security Threat Report stated that in 2015 globally there were over one million web attacks a day, 430 million new pieces of malware discovered, and over a half a billion records lost or stolen. The U.S. Government, therefore, must always be on guard to protect information critical to our national security and is being vigilant with the passage of several new acquisition regulations. At the Department of Defense the obligation to protect information extends beyond the government to our contractors and their supply chains. The Secretary of Defense stated in an October 2013 memo, “Stolen data provides potential adversaries extraordinary insight into the United States’ defense and industrial capabilities. Protection of this data is a high priority for the Department and is critical to preserving the intellectual property and competitive capabilities of our national industrial base and the technological superiority of our fielded military systems.”
"To reduce the regulatory burden on industry, DoD is working with other government agencies to coordinate regulatory actions in order to provide consistent cyber security protection across the government and its supply chains"
To protect the defense industrial base from cyber-attack, on December 30, 2015, DoD issued a new interim Defense Acquisition Regulation Supplement (DFARS) rule (DFARS § 252.204-7012) that requires, for all new contracts, DoD contractors at all levels of the supply chain to comply with two cyber security requirements:
1. They must provide adequate security to safeguard covered defense information that resides in or transits through their internal unclassified networks from unauthorized access and disclosure; and
2. They must rapidly report cyber incidents and cooperate with DoD to respond to these security incidents, including access to affected media and submitting malicious software.
To provide adequate security, contractors must implement the information security protections developed by the National Institute of Standards and Technology (NIST) as described in NIST Special Publication 800-171. The NIST standard is broken down into fourteen areas:
To reduce the regulatory burden on industry, the DoD is working with other government agencies to coordinate regulatory actions in order to provide consistent cyber security protection across the government and its supply chains. In addition to the DFARS interim rule, in May of 2016, the DoD, NASA, and the GSA issued a final Federal Acquisition Regulation(FAR) rule to implement requirements for the “Basic Safeguarding of Covered Contractor Information Systems”(see 81 Fed Reg. 30429). This rule establishes a baseline level of security for any contractor system that processes, stores, or transmits Federal information.In each of these areas, DoD contractors must adhere to specific security requirements. Implementation details are not specified in NIST SP 800-171, in order to allow industry the flexibility to satisfy the requirements in a manner consistent with their business operations. The rule requires contractors to notify the DoD CIO within 30 days of contract award of any security requirements not implemented at the time of contract award. Contractors may also propose alternate, but equally effective, measures to satisfy the NIST SP 800-171 requirements. Alternatives are to be submitted to the DoD CIO through the contracting officer for review and approval. The deadline for full compliance with DFARS § 252.204-7012 is December 2017.
Given today’s aggressive cyberespionage environment, I urge all DoD contractors who have not yet complied with the new DFARS clause to do so as soon as possible. The DoD understands that there may be cost implications to the implementation of this rule but the costs to the nation in lost intellectual property and potential lost technological advantage is far greater.