FARNBOROUGH, UK — The Pentagon could stop awarding contracts to companies whose weapons are deemed vulnerable to cyber attacks, according to senior U.S. Defense Department officials.
Today, companies are responsible for assessing whether their own products meet DoD cybersecurity standards.
“Because of a couple recent events, we realized that that is not good enough,” Kevin Fahey, the assistant secretary of defense for acquisition, said Monday during a briefing at the Farnborough Air Show.
In February, Deputy Defense Secretary Patrick Shanahan issued a stern warning to companies: protect your networks or risk losing business. In June, Chinese hackers allegedly stole sensitive submarine warfare information from a contractor’s computer.
Officials from the Pentagon’s acquisition, intelligence, chief information officer and research-and-engineering offices are creating a way to test the cyber defenses of weapons when assessing bids from companies. The effort is called “Delivered Uncompromised.”
“If you think about our weapon systems today, the IT infrastructure is a part of our weapon system,” Fahey said.
MITRE Corp., a research-and-development firm, conducted a study, which is “the baseline of where we’re starting from,” Fahey said after the briefing.
The MITRE report noted supply chain vulnerabilities, according to a person familiar with its findings, and made a series of recommendations, including making cyber hardening a “fourth pillar” of acquisition, along with cost, schedule and past performance.
The Pentagon has taken a number of steps in recent months to tighten its cyber defenses. In February, the Defense Science Board made a series of recommendations to improve the way the Pentagon buys software. Two months later, Ellen Lord, the undersecretary for acquisition and sustainment, tapped Jeff Boleng — a former Air Force cybersecurity operations officer — as her special assistant for software acquisition. The Pentagon is also assessing the cyber vulnerabilities of its weapons and infrastructure. The efforts are all intertwined, according to a source with insight into the projects.
“We have to develop a way that we evaluate people’s capability in cyber security almost as a go, no-go versus it’s a comparison between cost, schedule and performance and cyber,” Fahey said after the roundtable. “Cost, schedule, performance always end up being one, two and three [in terms of priority] and then if you’re the fourth, you’re not that important.”
Officials are considering using a grading system for cyber standards that similar to the way it assesses the maturity of software. They are also considering creating “red teams” that would test contractors cyber defenses. Another consideration is offering contractors government-certified cyber tools.
“We know it’s really serious now that we need to make that as a priority and then figure out how do we help the small businesses, Fahey said. “One of the ideas is almost us maybe being able to deliver them the IT infrastructure as [government furnished equipment] that is cyber secure. That is a high priority across the department.”
Today companies have to declare that they comply with federal acquisition regulations, “but we really don’t check it,” Fahey said. If a company does not meet the standards, it’s not a condition that could prevent them from being awarded a contract. “You just have to come up with a plan on how you’re going to meet it,” he said.
Officials believe that requiring cyber hardening as part of a weapon competition will force companies to better protect their systems.
“If it becomes a competitive differentiator, then what ends up happening is you’ve got every incentive in the world to meet that standard and to use it because it’s something that you need to be successful,” Eric Chewning, deputy assistant secretary of defense for manufacturing and industrial base policy, said in an interview.
Said Fahey: “The only way you make it serious to industry is you make it part of the competition.”