WASHINGTON — Defense Department acquisition chief Frank Kendall said the next generation of the Pentagon's influential acquisition document, Better Buying Power 3.0, will take aim at cybersecurity.
Already, defense acquisition rules are due to include a cybersecurity section, still being drafted. The "enclosure," meant for inclusion in the rules, known as DoD Instruction 5000.02, is aimed at concerns over attacks on the defense industrial base and the Defense Department's supply chain and maintenance systems.
"We worry about the weapons systems themselves and all of the connectivity they might have," said Kendall, speaking at a Bloomberg Government forum on Thursday. "These are ways in which a cyber threat can launch an attack, you can think of it as an attack surface, if you will."
When the Pentagon rolled out its draft of Better Buying Power 3.0, it included eight categories and a number of subcategories, and cybersecurity was not one of them. The final version of the document was expected to be released in March, and a new release date has not been set.
"We have a long way to go and I'm not sure where this trail will lead ultimately," Kendall said of the cybersecurity effort, "but we absolutely have to do a better job of protecting everything about our weapons systems, birth to death."
The Pentagon also added rules under the Defense Federal Acquisition Regulation Supplement in late 2013, to impose safeguards on unclassified controlled technical information residing on contractor information technology systems and databases.
"You can gain a great deal in terms of time and cost if you can extract unclassified design information and don't have to do that yourself, and that's been happening quite a bit unfortunately," Kendall said.
But don't new cybersecurity rules make the acquisitions process more cumbersome as Kendall and others attempt to simplify it? It's about "balance," Kendall said, comparing the rules to Pentagon requirements to protect classified information.
"If we don't do this, we are letting the enormous treasure of our nation be stolen," he said. "We have to protect it more than we have."
Kendall's remarks came days after Navy Vice Adm. Michael Rogers, commander of US Cyber Command and the National Security Agency, said in congressional testimony that the current acquisition model is not agile enough to support innovation and rapid use of cyber capabilities.
Rogers, testifying before a House Armed Services subcommittee on March 4, said cyber acquisition programs must be built with the idea that they will be "refreshed" on a recurring basis to keep pace with the rapid pace of technological developments.
"Let's say if you look at what it takes to put a satellite into orbit," Rogers said. "If you look at what it takes to build a major warship, for example. I mean we are talking five to 10 years. And the rate of change in the cyber dynamic in five to 10 years is just amazing to me."
Navy Vice Adm. Jan Tighe, the commander of Navy Fleet Cyber Command, said at the same hearing that sequestration-related budget cuts are "throwing a monkey wrench in modernization plans [that are] very critical to closing vulnerabilities."
"So even beyond what we would call strict cyber investments, our acquisition process and focus on ensuring that our programs are not delivering vulnerable systems across the board, not just networks but across the board, is contingent on those modernization programs going forward," Tighe said.