The Pentagon’s top acquisition official said the department is working with government agencies to develop cybersecurity standards that industry partners would need to follow before they can win a contract.
Ellen Lord, the Pentagon’s undersecretary for acquisition and logistics, said in a March 25 event that the department is working with officials from the National Institute of Standards and Technology and hopes to have new metrics on minimum cybersecurity practices later this year. NIST helps provide IT standards for federal government agencies.
Ideally, she said, the Defense Department would begin to use those standards within the next 18 months to help determine whether to award a business a contract.
“We are deriving cybersecurity standards form the NIST standards,” she said. “We will have metrics associated with those. We’ll stand up third-party auditors.”
Lord expects to work with officials from the Johns Hopkins University Applied Physics Laboratory on the project as well.
“We’re probably 18 months out from making those a clear discriminator in terms of acquisition downselects,” she said.
In the past two years, Pentagon officials have become increasingly concerned that one of their greatest cybersecurity risks lies in the second- and third-tier contractors who work with the Defense Department and the largest defense companies.
In September, Patrick Shanahan, then the department’s deputy secretary and now the acting secretary, said cybersecurity would become a key measurement for how industry is judged by the department. He called it the “fourth critical measurement” behind quality, cost and schedule.
“Security is one of those measures that we need to hold people accountable for,” he said.
But the issue becomes complicated for smaller contractors with fewer resources.
In written testimony dated March 26 to the Senate Armed Services Committees cybersecurity subpanel, John Luddy, the vice president for national security at the Aerospace Industries Association, said while he applauded the idea of reporting breaches and applying standards, “the dynamic nature of cyber security today makes it extremely difficult for small to mid-size suppliers to create self-sustaining cyber security programs capable of managing the risk posed by advanced adversaries.” AIA has suggested its own standards for cybersecurity, one that it argues is not a one-size-fits-all checklist for compliance.
Aaron Mehta was deputy editor and senior Pentagon correspondent for Defense News, covering policy, strategy and acquisition at the highest levels of the Defense Department and its international partners.