DoD’s new cyber rule misses critical consideration

The Defense Department's new rules for contractors to report cyber breaches could end up costing the military a lot more than it thinks.

The Defense Department’s interim rule detailing new cybersecurity requirements for contractors and for cloud services caused a lot of excitement in the federal community last week.

But what was lost in the discussion is whether the new cyber standards the Pentagon is laying out actually can be enforced and if so, what’s it going to cost DoD in the long run.

Rob Carey, a former DoD deputy chief information officer and now vice president of Navy Marine Corps programs at Vencore, said without a doubt, the new standards make sense and will help.

“This has been bubbling for years,” Carey said. “It’s good that the government and DoD are pushing expectations to industry in order to do business with the government by saying you will do the following things to protect information. I get it. The downside, however, is industry is ill prepared for this level of granularity and structure in the defensive infrastructure of their networks. In this case, the government is better at this, especially DoD, and yet they still have their hands full.”

Carey said the challenge for industry to meet DoD’s requirements are two-fold.

First, industry doesn’t have the same requirements as the government — meaning standards from the National Institute of Standards and Technology or the National Security Agency or even in laws such as the Federal Information Security Management Act — so they aren’t currently prepared to easily answer many of the questions the military is asking in the case of a cyber breach. And as we all know, there are two kinds of companies, those who have been breached and know it, and those who have been breached and don’t know it.

Second, Carey said there aren’t any details on how the government will oversee or ensure vendors are meeting these cyber requirements.

“Where we are heading is to ask who is liable if there is a breach, and I’m not sure if this gets us there,” he said. “It will raise the bar, but also drive up the cost of doing business with industry because they have to pay for the new controls, both hardware and software.”

Both of Carey’s point are valid. Over the years, industry executives have said they have the ultimate profit motive to be cyber secure: profit. But hacks of government and non-government continue to happen at an alarming rate. So if the profit motive is pushing industry to secure their systems and networks, why aren’t they doing a better job? And why would DoD need these requirements in the first place? (I know–because Congress passed a law. But lawmakers wouldn’t have seen a need for this law if there weren’t a rash of cyber attacks, and support from DoD.)

DoD reported in June that more and more the military services are adding contract language into awards requiring vendors to report cyber breaches.

DoD even admits this rule will cause vendors to provide a different or new type of effort.

“This rule requires that contractors report cyber incidents to the DoD. Of the required reporting fields several of them will likely require an information technology expert to provide information describing the cyber incident or at least to determine what information was affected, to be noted in the report,” the interim rule stated.

The challenges are especially true for small firms. DoD estimated this rule would affect about 10,000 contractors and less than half are small firms.

“These are steps down the right path, but I’m not sure how you enforce this,” Carey said. “I don’t think anyone should get excited about how this will fix all the cyber issues we face. Until there are huge investments in research and development, we are going to struggle with cybersecurity. What this is, is a set of things that will drive industry to get better and be more proactive, but also drive prices up.”

The question of burden is one that is coming up often, particularly around acquisition reporting. But the cyber burden question also needs to be considered.

So, comments to DoD on these new requirements are due by Oct. 26.

This post is part of Jason Miller’s Inside the Reporter’s Notebook feature. Read more from this edition of Jason’s Notebook.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Related Stories