On March 26, 2019, the Senate Armed Services’ Subcommittee on Cybersecurity held a hearing to receive testimony assessing how the Department of Defense’s (“DOD”) cybersecurity policies and regulations have affected the Defense Industrial Base (“DIB”).
To gain a better understanding of the DIB’s cybersecurity concerns, the Subcommittee invited four witnesses to testify: William LaPlante, Senior Vice President and General Manager of MITRE’s National Security Sector; John Luddy, Vice President for National Security Policy at the Aerospace Industries Association; Christopher Peters, Chief Executive Officer of the Lucrum Group; and Michael MacKay, Chief Technology Officer of Progeny Systems Corporation.
In their opening remarks, the Chairman of the Subcommittee, Senator Mike Rounds (R-SD), and Ranking Member, Senator Joe Manchin (D-WV), acknowledged industry concerns about the DOD’s lack of clarity and disparate implementation of cybersecurity regulations, such as guidance relating to DFARS 252.204-7012 (“DFARS Cyber Rule” or “Rule”) and National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171.
Senator Rounds stated that he “expects [DOD] to come up with measured policies to make improvements in [cybersecurity]” and he “hope[s] DOD takes seriously the concerns of the DIB.” He further noted that DOD “cannot simply apply increasingly stringent cybersecurity requirements on its contractors” and that “doing so without subsidy or assistance is unlikely to particularly improve cybersecurity [for] the DIB” and would likely drive the most innovative small businesses out of the supply chain. Senator Rounds called for putting a program in place to ensure the best possible protections for contractors regardless of size and referred to the “Achilles heel” of this issue as the desire to use a large number of small contractors while still needing to protect sensitive government information. Later in the hearing, Senator Manchin expressed great concern over the cyber incidents experienced by DOD contractors and urged the witnesses to “tell [the Subcommittee] what you need . . . [the Subcommittee] is here to fix it and you’re here to tell us what’s broken.”
Summarized below are key points discussed during the hearing:
- Clear, Scalable, and Consistent Cybersecurity Policy: Witnesses representing the DIB agreed that the future of the defense industry depends on robust cybersecurity and, to that end, expressed the need for DOD to clarify critical aspects of existing policy. For instance, the identification and definition of Controlled Unclassified Information and its subset, Covered Defense Information (“CDI”), were highlighted as an area of concern. DIB witnesses testified that the current definition of CDI in the DFARS Cyber Rule has become very broad. They suggested that DOD collaborate with the DIB to identify critical information so that contractors focus on securing truly sensitive information rather than protecting mundane data. John Luddy noted that “with limited resources, if [contractors] try to protect everything that is currently considered CDI, we may under-protect the really important things.”
- Unified DOD Approach: All of the witnesses emphasized the need for DOD to take a unified approach to cybersecurity that minimizes the burden on industry. The industry witnesses were clear that, together with large prime contractors, DOD can help middle- and lower-tier suppliers become cyber secure, but clear guidance and programs must first be in place. Currently, DOD has taken an “ad hoc, service-by-service” approach as it works towards developing actionable regulations, which has resulted in segmented and overlapping contractor infrastructure and increased costs. The DIB witnesses commended recent memoranda issued by Ellen Lord, the Under Secretary of Defense for Acquisition and Sustainment, that clarified requirements for contracts overseen by the Defense Contract Management Agency, but they also noted that the memoranda “raised issues that need to be collaboratively assessed.” The witnesses made plain the need for more opportunities to contribute to future DOD standards and guidance.
- Measuring and Certifying Cybersecurity Compliance: The DIB witnesses highlighted the numerous NIST SP 800-171 controls and the need to develop an approach using “real, objective metrics” that helps industry measure its cybersecurity performance against those controls. Defense contractors have been frustrated with the lack of clear metrics for compliance, which has created a perception that DOD enforces its standards unevenly. The witnesses urged DOD to adopt a standard interpretation of NIST SP 800-171 as a useful baseline and starting point. They would prefer that DOD “set the bar high and set it once to hold all [companies] accountable, not only to spare companies from the cost, but also the need to adjudicate between different and potentially conflicting direction.”
- Information Sharing: The witnesses also drew attention to the need for greater information sharing. One idea raised by the DIB witnesses was the formation of a centralized DOD threat-sharing initiative that distributes relevant and timely data to the DIB to bolster cybersecurity efforts. The representatives acknowledged the tension between sharing information aimed at identifying and addressing threats and protecting information that is competitive or business sensitive. But there was consensus that progress on information sharing has been made within the DIB and that further improvements would be welcome.
Throughout the hearing, members of the Subcommittee and representatives from the DIB seemed to agree that greater collaboration with DOD on contractor cybersecurity issues and supply chain issues would be necessary to address systemic concerns. While there was a broad focus on DFARS requirements and NIST SP 800-171, a number of related issues were raised with the goal of helping businesses prioritize investments and meet DOD’s cybersecurity standards. As the cybersecurity efforts by DOD and the DIB continue, there was consensus during the hearing for a considered approach to partitioning cybersecurity responsibility among DOD, prime contractors, and their subcontractors so that no single entity shoulders the entire burden.