David McKeown, DOD’s chief information and security officer, briefs reporters on the release of the DoD Zero Trust Strategy and Roadmap at the Pentagon on Nov. 22, 2022. DoD / U.S. Air Force Tech. Sgt. Jack Sanders

Pentagon Outlines Upcoming Contractor Cybersecurity Plan

Expect the congressionally mandated strategy by year’s end, DOD CISO says.

By November, Pentagon cybersecurity leaders aim to lay out just how private contractors will be expected to work with government agencies to safeguard data and ward off attacks.

“We are working on a strategy—a [defense industrial base] cybersecurity strategy—that we hope to have out later this year,” David McKeown, DOD’s chief information and security officer, said at GovExec’s Cyber Summit event Thursday. “Our strategy is bringing all of the pieces and parts within the department together…laying it out who's going to be doing what, and we overlay everything on top of the NIST cybersecurity framework.”

Lawmakers requested the strategy as a step toward reducing the vulnerabilities created by doing sensitive business with hundreds of thousands of private contractors.

McKeown said the strategy would have several phases, starting with identifying what needs to be protected, then figuring out what measures are needed to protect data, detect intrusions, respond to attacks, and recover from them. For example, DOD’s pending cyber certification program, CMMC, will fall under the “protect” phase.

The strategy document is also meant to guide companies to government cybersecurity resources. These include the Defense Cyber Crime Center and the NSA’s Cybersecurity Collaboration Center, which share threat intelligence and offer free tools like protective DNS and email security. 

“Right now, there's a lot of different paths that people are interfacing with the department and getting services [from] department,” McKeown said. “We have things that we are doing to support industry and all of those things. We will also be rationalizing the tools that we provide. For instance, the protected DNS is super simple to adopt, easy to implement. You don't have to be a rocket scientist at a small business to onboard that. We want to field some tools like that that are really good bang for the buck.”

To prevent data breaches caused by commercial vendors, including cloud service providers, McKeown said DOD is working to modify contract language to underline a contractor’s cybersecurity responsibilities.  

For example, if a defense worker’s personally identifying information is compromised in a data breach due to company neglect, “they should have to pay for identity theft protection,” he said.  

The Pentagon has also incorporated red-teaming to test the security of commercial cloud providers’ infrastructure on top of existing controls and assessments. But it’s not yet the status quo. 

“Red teams are a scarce resource. I would love for it to become the status quo. We have some other things that go on inside the department that are very effective like ‘Hack the Pentagon,’ white-hat hackers are allowed to look at stuff like that,” he said. “We'll explore more and more ways of getting after this. We don't have enough resources to continually red-team everything under our purview. But we do want to intelligently deploy the red teams where we may have concerns.”