NDIA releases cybersecurity policy report

10/3/2019

ARLINGTON, VA – Contractors continue to work with the Defense Department to assuage the loss of valuable data and information through cyberbreaches. Current regulatory schemes aimed at ensuring adequate cyber-fortifications have suffered from noted complexity and compliance gaps, leading to a call for more action by government and industry.

The Defense Department’s new Cybersecurity Maturity Model Certification (CMMC) program aims to increase compliance and real-security levels across industry while also creating a unified set of cybersecurity standards. The National Defense Industrial Association applauds these efforts and the transparent, informative and collaborative efforts the Defense Department has made. NDIA has broadly supported CMMC's development throughout 2019 and looks forward to continued work with the Defense Department as it seeks to finalize and implement the program in 2020.

In the meantime, NDIA has released a report on the state of defense-sector cybersecurity as it stands under the current regulatory framework. "Beyond Obfuscation: The Defense Industry’s Position within Federal Cybersecurity Policy" is a deep look at recent cyberbreaches, an examination of the regulatory environment governing cybersecurity, and a presentation of results from a cybersecurity survey done earlier this year of defense industrial base members. The report, released Oct. 1, searches for clarity in an often complex and ever-evolving landscape of policy.

About 300 industry members – a span of small, medium and large companies throughout the United States and across technology, services, manufacturing and other sectors – responded to the survey. Some of its major findings include:

  • More than 25 percent of respondents said they had experienced a cyberattack.
  • A majority of respondents view cybersecurity compliance as a “cost driver,” noting the outsized impact it has on their contract bids.
  • Small businesses are implementing cyber-fortifications at a much lower rate than larger businesses.
  • About 44 percent of prime contractor respondents do not meet federal cybersecurity regulations, namely having a site security plan from their subcontractors.

NDIA’s Corbin Evans, director of regulatory policy, and Christopher Smith, regulatory policy associate, served as the project directors of the yearlong effort. Evans noted this project began long before the DOD’s Cybersecurity Maturity Model Certification program was publicly considered, though there is relevant discussion of the planned CMMC policy.

To speak with Evans or Smith or for more information, contact Evamarie Socha at esocha@ndia.org or (703) 247-2579.

About NDIA

The National Defense Industrial Association (NDIA) is America's leading defense industry association promoting national security. NDIA provides a legal and ethical forum for the exchange of information between industry and government on national security issues. NDIA and its members foster the development of the most innovative and superior equipment, training, and support for warfighters and first responders through its divisions, local chapters, affiliated associations, and events. For more information, visit NDIA.org.