Small Contractors Struggle to Meet Cyber Security Standards, Pentagon Finds


Even large companies aren’t doing as well as they think they are, the assistant acquisition chief said Monday.

Small companies are struggling to meet the Pentagon’s newish network security rules, and even larger contractors aren’t doing as well as they think they are, a recent department study has found.

“For the most part, the big companies do very well,” Kevin Fahey, assistant defense secretary for acquisition, told reporters at the Pentagon on Monday. “But in no case do they meet everything that they thought they met.”

For one thing, big companies tend to give their smaller subcontractors a lot of data they don’t need, which then becomes vulnerable to foreign hackers.

“The biggest part of our training and the problem is that our adversaries don’t try to come in through the big companies, they come in through the fifth-, sixth-tier,” Fahey said. “If you’re flowing down information they don’t need, then that’s bad. That’s where we’re seeing our biggest problem.”

In 2016, hackers stole sensitive data about the F-35 Joint Strike Fighter from an Australian subcontractor. That and similar cases prompted the Pentagon to issue new rules for handling such information. By Jan. 1, 2018, companies were supposed to have a plan for meeting these new standards.

“The way that it has been working in the past is: you claim you do it, and we never checked,” Fahey said. “You self-certify and if you’re not certified, you say here’s your get-well plan. Now we’re checking.”


The Pentagon has been warning companies that they will lose business if they or their suppliers do not meet the rules.

“I have not heard of anyone not getting a contract, but the probability [of not getting one] is there,” said Jason Timm, the Aerospace Industries Association’s assistant vice president for national security policy.

Areas in which companies are having trouble meeting the standards include multi-factor authentication and FIPS-validated encryption, Timm said.

And of course, even full compliance doesn’t mean a company’s networks are safe from thieves.

“You have a better sense of your security, but that doesn’t mean you are secure,” Timm said. “You can contractually be compliant, but that doesn’t mean you are secure.”

Source: Defense One
