Page 30 - FCW, September/October 2019
Making sense of DOD's cyber requirements
The Pentagon’s efforts to improve cybersecurity in its industrial base have raised some familiar concerns in the contracting community
BY DEREK B. JOHNSON
The Defense Department is pushing forward on its efforts to improve cybersecurity in its industrial base, but so far the biggest roadblocks may be the same confusion, doubt and uneven compliance from contractors that led to the vulnerabilities in the first place.
Officials from DOD and the National Institute of Standards and Technology gave updates on two nascent programs at a meeting of NIST's Information Security and Privacy Advisory Board (ISPAB) in August: NIST's new draft cybersecurity guidance for contractor systems that include high-value government assets and DOD's Cybersecurity Maturity Model Certification (CMMC).
Both programs are designed to shore up different aspects of DOD’s cybersecurity requirements for contractors, and both are raising concerns among companies about how best to comply.
When NIST released its draft guidance for public comment earlier this year, it received more than 600 responses that reflect confusion about the scope and application of the requirements. Victoria Pillitteri, a cybersecurity engineer at NIST, said every requirement listed in the draft received more than a dozen comments or critiques.
Cost, practicality and straightforward questions such as “does this apply to me or my systems?” were among the most common sentiments expressed, while certain requirements, such as the one for a 24-hour security operations center, were cited as unrealistic and cost-prohibitive for small and midsize contractors.
Unintended consequences?
Roger Wakimoto, a vice chancellor at the University of California, Los Angeles, wrote that his research team successfully competed for hundreds of millions of dollars in federal research funding in 2017 and expressed concern that the enhanced requirements "may inflict unintended consequences on fundamental research." He also said it is unclear whether the rules apply to basic research or academic institutions that use federal research funding.
"Unless agencies are mandated to state applicability in funding announcements, this proposed change could be incredibly burdensome, as it is possible that applicants would not know that the award would fall under the new requirements until they are far along in the process of applying," Wakimoto wrote.
CTIA, a trade association that represents the wireless communications industry, questioned whether NIST's low cost assessment for compliance was accurate, saying the cost "will likely be substantial."
Stronghold Cyber Security CEO Jason McNew expressed concern that a requirement to restrict access to systems and system components to only those information resources that are owned, provisioned, or issued by the organization would wreak havoc on an increasingly mobile IT workforce.
"Any [bring-your-own-device policy] goes out the window with this one for sure," he wrote.
The search for a clear definition
Despite the complaints, the contracting community is unlikely to find sympathy among DOD officials or members of Congress, who have pushed for cybersecurity standards for the defense industrial base in the wake of a sustained campaign of digital espionage by China. Over the past 18 months, that campaign has hemorrhaged sensitive U.S. military secrets.
"Our adversaries aren't looking at penetrating the nuclear triad at the highest point," said Katie Arrington, special assistant to the assistant secretary of defense for acquisition for cyber, at the ISPAB meeting in August. "They're going to the lowest tier to gain access, and they're patient."
The enhanced NIST security requirements would only