DOD issues new rules on unclassified net security

Pentagon wants contractors to implement information security standards on their networks and report cyber intrusions.

New regulations released by the Defense Department will require contractors to implement information security standards on their unclassified networks as a way to stem the theft of sensitive technical information by hackers.

The new rules published on Nov. 18 also require contractors to report cyber intrusions into their networks that result in the loss of unclassified technical data.

Acknowledging industry concerns that the proposed rules would have covered all unclassified networks operated by contractors, DOD said “the scope of the rule [was] modified to reduce the categories of information covered. This final rule addresses safeguarding requirements that cover only unclassified controlled technical information and reporting the compromise of unclassified controlled technical information.”

The new rules are part of a larger effort outlined in October by Defense Secretary Chuck Hagel to tighten security controls on unclassified networks as a way to stop the loss of what the Pentagon calls “unclassified controlled technical information” through cyber intrusions. In the past, many contractors have been reluctant to publicly disclose network breaches.

“We cannot continue to give our potential adversaries the benefits in time and money they obtain by stealing this type of information,” Frank Kendall, undersecretary of defense for acquisition, technology and logistics, said in a Nov. 19 statement. Neither Kendall nor the new rules identified the “potential adversaries,” but a Chinese military unit was cited in a report released earlier this year.

Also at issue were the types of standard security rules that will be implemented to protect unclassified data. DOD said several industry commenters raised the issue of adopting a variety of National Institute of Standards and Technology (NIST) security controls. This could lead to a broader interpretation of the security regulations that could stymie competition, the commenters argued.

DOD nevertheless said NIST security controls identified in the new rules “represent the minimum acceptable level of protection” and that the new regulations provide sufficient flexibility.

Concerns about military contractors using outsourced cloud computing were also raised. DOD said the new rules would consider cloud service providers to be subcontractors. Hence, it ruled, contractors are responsible for ensuring that subcontractors comply with the new network security regulations.