Defense contractors are not required to disclose their cybersecurity effort and waiting on them to voluntarily do so has left gaps in security, a top defense cyber official said on Nov. 16 at Politico’s Defense Summit.
David McKeown, the Pentagon’s acting principal deputy chief information officer, elaborated that the voluntary nature of disclosing cybersecurity efforts and practices is a “failing point.” While contractors are expected to adhere to specific cybersecurity standards, “assessments conducted by the [Department of Defense (DoD)] show that most fail to meet those standards,” he said.
McKeown listed various ways DoD cyber experts can assist vendors, free of charge, to meet those expected cybersecurity standards, including on-site network assessments, sharing threat intelligence, shoring up email security, and providing protective network-security services.
“But only around one percent of our hundreds of thousands of contractors take advantage of these offerings,” he said.
McKeown explained that the upcoming Cybersecurity Maturity Model Certification program – expected to go into effect early next year – will require all defense contractors to go through a third-party verification process attesting to their cybersecurity and processes. The program “is an opportunity for us to reach out to contractors,” he said.
In addition, Sen. Mike Rounds, R-S.D., the ranking member on the Senate Armed Services Committee’s Subcommittee on Cybersecurity, said the United States is facing a “public-policy challenge” when it comes to defending the United States and its citizens against cyberattacks.
“If you were to ask someone in the public, who’s responsible for defending me against an incoming missile attack, well, everybody would say it’s the Pentagon, it’s the [DoD]. But what about an incoming attack on a cyber system? Well, why wouldn’t it be the [DoD]? And yet the [DoD] does not work within the United States, Homeland Security does,” Sen. Rounds said.
The current coordination and information-sharing dynamics between DoD, Homeland Security, and companies are a voluntary process. Sen. Rounds explained that there must be a standard of acceptance for what is considered appropriate and expected defensive capabilities “built into everybody’s systems by the businesses and the individuals themselves.”
“That coordination, that ‘whole of country’ is critical, but that requires a national policy that understands it, and appropriately implements it. We’ve got a long way to go on that,” Sen. Rounds said.