The defense industry plays a vital role in national cybersecurity, both as a provider of capabilities that help protect government networks and as a component of critical infrastructure. The Department of Defense (DoD), Congress and the defense industry have pursued legislation and regulations that focus on protecting covered defense information, monitoring and reporting network intrusions, and detecting and avoiding counterfeit electronic parts. As these rulemakings progress to finalization, interested parties need to ensure that the new practices and regimes are implementable; properly balance cost and risk; and are sufficient and flexible enough to provide adequate security against evolving cyber threats to government and industry networks, manufacturing systems and acquisition programs.
Recent attention has been placed on DoD’s August 26, 2015 interim rule implementing provisions within the National Defense Authorization Act for 2013 and 2015. The rule requires reporting of cyber incidents that could adversely affect a covered contractor information system, covered defense information or a contractor’s ability to provide critical operational support. Previously, DoD required implementation of select controls from National Institute of Standards and Technology Special Publication 800-53 to protect unclassified controlled technical information. The new rule instead requires compliance with the NIST SP 800-171 standards, which, according to the Office of Defense Procurement and Acquisition Policy, are better suited because, among other reasons, they are intended for nonfederal organizations and are performance-based.
Although the new NIST standards requirement was delayed to provide time for implementation, industry still has concerns about the original interim rule and the amendments made to it. Chief among these concerns are the associated costs, especially for small businesses; subcontractor requirements; liability issues; and the requirements' impact on DoD’s ability to access new suppliers. There is also uncertainty about how this new regulatory framework will interact with other governmentwide cybersecurity and information-sharing efforts and enforcement mechanisms, such as the controlled unclassified information policy promulgated by the National Archives and Records Administration under Executive Order 13536, and the voluntary NIST cybersecurity framework. Improved interagency coordination will help government and industry remain resilient in countering cyber threats.