Updated with comment from Pentagon spokesman.
The Pentagon will delay a Jan. 1 deadline for all of its suppliers to meet a set of new regulations largely designed to better protect sensitive military data and weapon blueprints.
By year’s end, companies must instead merely show that they have a plan in place to meet the regulations, Ellen Lord, the defense undersecretary for acquisition, technology and logistics told the Senate Armed Services Committee.
“We said that clearly the only requirement for this year is to lay out what your plan is,” she said at the Dec. 7 hearing. “That can be a very simple plan. We can help you with that plan. We can give you a template for that plan. Then just report your compliance to it.”
Sen. Jeanne Shaheen, D-N.H., said at the hearing that small businesses are concerned they could not meet the Jan. 1 deadline. Lord said the topic also came up during a recent meeting of Pentagon officials and three trade associations that represent large and small defense firms.
The new regulations are meant to prevent the theft of sensitive data, which have been targeted by hackers. In October, U.S. officials acknowledged that hackers stole sensitive information about the F-35 Joint Strike Fighter from an Australian military supplier.
A Pentagon spokesman said the change should not be considered a delay in the deadline since contractors must still document by Dec. 31 how they will implement the new rules.
“We are not delaying the deadline,” he said in a email. “Contractors must document the state of their information system in a ‘system security plan’ and document how and when they will implement any ‘not yet implemented’ requirements in associated plans of action.”
(Here is a Sept. 21 memo from from Shay Assad, the director of defense pricing/defense procurement and acquisition policy, about the implementation of the new rules.)
Under the new rules, firms must meet 110 specifications, everything from checking identification and logging visitors to factories to having locks on the doors. Raytheon, one of the largest American largest defense firms, has created what it calls a “secure enclave,” where it shares encrypted data with its suppliers. It is also using special documents that expire after a certain period of time and cannot be forwarded.
Also, the rules require firms must tell the government within 72 hours if they have experienced a network breach. Companies that do not adhere to the new rules could lose existing contracts and be barred from seeking new government contracts.
“Part of the challenge is, whether a company is big or small, it doesn’t necessarily matter,” said Greg Gorman, senior federal manager for the Global Governments business at Forcepoint, Raytheon’s commercial cybersecurity business.
“It doesn’t mean they’re more important if they’re big because if you have a small company, it could be something where they make a shiny widget and that shiny widget is part of a guidance system that goes into a Patriot missile. If that company isn’t compliant, then Raytheon can’t buy that shiny widget from them anymore,” he said. “In a lot of cases, that shiny widget, those are the guys that invented it and so they have a patent on it.”
Raytheon alone has about 36,000 suppliers, ranging from large firms with tens of thousands of employees to small ones with just a handful of people. Roughly 65 percent of those suppliers also work for Lockheed Martin, Boeing, Northrop Grumman or other major defense contractors, Gorman said.
“A lot of these small companies, they really are a group of literally rocket scientists,” he said. “The closest they ever come to an IT department is when they go to Best Buy and they buy a new laptop. Part of the challenge that we have is, how do we put together a solution that is easy to install, easy to operate and will stay up and running.”
The new government regulations could make military suppliers more attractive to commercial clients as well, Michael Daly, Raytheon’s chief technology officer for cybersecurity and special missions, said.
“By raising them up and setting a standard for them … they’re eventually find that it’s easier and better for their business to move those best practices across their enterprise,” he said. “That’s going bleed out into the broader commercial sector.”
Companies down the supply chain have found themselves the targeted by hackers for more than a decade, particularly as large defense firms tightened their own network defenses. It’s not just defense suppliers that have been targeted, as production companies have found themselves the target of hackers looking to pirating of Hollywood TV shows and movies.
“When we elevated our security controls so that it became too costly for them to go after us, [the threat actors] moved their energy … into our supply chain,” Daly said. “These requirements are actually going to help us with a problem that has been persistent for a very long time.”