Introduction/Overview

The Department of Defense (DOD) and its component services and agencies are taking several independent steps to assess and enhance their cyber and supply chain security that will directly or indirectly affect DOD contractors and subcontractors. Other federal agencies, including the Department of Homeland Security (DHS), Commerce, and General Services Administration (GSA), are also considering or implementing measures to enhance cyber and supply chain security that will directly or indirectly affect government contractors and their supply chains. These initiatives will intensify scrutiny of government contractors and subcontractors, increase their cyber and supply chain security compliance requirements, and affect their ability to compete for, and win, government contracts. This paper summarizes these initiatives and states our view that, despite the proposal and likely adoption of a comprehensive new Federal Acquisition Regulation (FAR) cybersecurity clause next year, federal government contractors and subcontractors are likely to face multiple, overlapping, and possibly conflicting cybersecurity and supply chain requirements for some time to come.

Key Actions:

  • Secretary Mattis established a Protecting Critical Technology Task Force to address cybersecurity and supply chain risk.
  • The Navy set forth stringent new cybersecurity requirements for critical technologies and programs that go well beyond the requirements of DFARS 252.204-7012.
  • DOD issued final guidance to requiring activities for evaluating contractor compliance with the NIST Special Publication (SP) 800-171 (NIST 800-171) standards and for imposing additional safeguards.
  • DOD is auditing its contractors' compliance with cybersecurity requirements.
  • DOD is supporting measures such as software BOMs and blacklists to identify and remove high-risk suppliers from its supply chain.
  • DOD and DHS are implementing a Memorandum of Understanding regarding their respective roles in safeguarding critical infrastructure.
  • GSA proposed new cyber incident reporting and system access requirements for its contractors.
  • TSA adopted a cybersecurity roadmap to guide its efforts to ensure aviation and other transportation system resilience.

Background

Even though the dust has barely settled on DOD's imposition of "adequate security" requirements through implementation of the Defense Federal Acquisition Regulation Supplement (DFARS) -7012 clause and the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 standards, DOD and other federal agencies face growing pressures to do more to safeguard their own, and their contractors', cyber and supply chain security.1 These pressures have grown due to recent adversarial nation-state attacks on DOD and contractor information systems, as well as official and press reports on supply chain vulnerability to such attacks. These reports include the September 2018 White House Report on Assessing and Strengthening the Manufacturing and Defense Industrial Base and Supply Chain Resiliency of the United States, an October 2018 Government Accountability Office (GAO) Report that was critical of DOD weapons systems cybersecurity2, and various Bloomberg press articles reporting that Chinese intelligence services had directed subcontractors to implant malicious chips in Supermicro server motherboards that were allegedly incorporated into the information systems of thirty large U.S. firms, including several contractors.

Even before these reports, DOD had announced a new Cybersecurity Strategy and begun an initiative focused on industry delivery of capabilities, services, technologies and weapons systems uncompromised by adversaries. As part of this initiative, MITRE Corporation issued a report in August 2018 titled "Delivered Uncompromised: A Strategy for Supply Chain Security and Resilience in Response to the Changing Character of War," in which it recommended numerous enhancements for contractors' systems against hardware and software risks, including, most notably, making security the "fourth pillar" of acquisition planning in addition to cost, schedule, and performance.

Most recently, on December 14, 2018, the Wall Street Journal reported that Chinese hackers breached sensitive Navy data on contractor and research systems, leading Navy Secretary Spencer to order a classified review that validated the Navy's concerns and laid the groundwork for a response.3 The Wall Street Journal article reported that Mr. Spencer's review comes as DOD "has struggled to steer its bureaucracy to more thorough digital security practices and give incentives to its subcontractors to safeguard themselves," and that "senior Pentagon leaders view the military's acquisition process as inadequately structured to hold contractors and subcontractors accountable for cybersecurity."4


Footnotes

1 For example, Section 1647 of the FY 2016 National Defense Authorization Act requires DOD to complete an evaluation of the cybersecurity vulnerabilities of each of its major weapons systems by December 31, 2019.

2 On December 12, 2018, GAO also released testimony before the Subcommittees on Government Operations and Information Technology, Committee on Oversight and Government Reform, House of Representatives. See https://www.gao.gov/products/GAO-19-275T. In the testimony, GAO concluded "federal agencies have taken steps to improve the management of information technology (IT) acquisitions and operations and ensure federal cybersecurity through a series of initiatives," but "significant actions remain to be completed."

3 Gordon Lubold and Dustin Volz, Chinese Hackers Breach U.S. Navy Contractors, Wall Street J. (Dec. 14, 2018), https://www.wsj.com/articles/u-s-navy-is-struggling-to-fend-off-chinese-hackers-officials-say-11544783401.

4 Id.
