
The Pentagon wants to help boost cybersecurity for small contractors

A new strategy outlines how the Defense Department plans to increase security and strengthen relationships across the industrial base.

The Pentagon is working on a shared, cloud-based virtual workspace for contractors as a way to boost their cybersecurity, part of a larger strategic effort to make defense companies more secure.

“There are some things that we’re working on with the Office of Small Business [Programs] to develop a purpose-built cloud that some of the small businesses can just shoehorn themselves into and work out of there,” David McKeown, the Pentagon’s deputy CIO for cybersecurity and chief information security officer, told reporters Thursday.

The goal is to introduce a pilot version this year with up to 75 small businesses to determine whether data can be adequately secured in a cloud environment. If it’s successful, the pilot could be scaled and offered to more companies, McKeown said.

“But at some point it may just be a service offering that they’ll have to consume themselves. But it sure will beat having to build out all of the cybersecurity inside their own networks and boundaries if they can work out of these environments,” he said. 

The move is part of a much larger push under the Pentagon’s newly released industrial cybersecurity strategy to improve data and network security in the defense industrial base. The defense industrial base cybersecurity plan, which was originally supposed to be released last year, aims to centralize the Pentagon’s cyber efforts and resources while making DOD’s roles clearer.

“Everyone should believe in the power of the hacker, it’s been proven out many times,” McKeown said. “Our data, the adversary is looking for it and it really shortcuts their engineering and production time when they can just steal it from us and not have to sit down and do real engineering on their own…this is a real threat.”

The strategy comes as defense contractors face a constant threat of cyberattacks. The plan’s objectives: to improve how the Pentagon manages defense companies’ cybersecurity, to increase the industrial base’s security overall, to ramp up key production capabilities, and to boost collaboration. 

“We’re still seeing intrusions taking place. We track that pretty heavily as part of our mandatory reporting requirements: we collect those, we see the new ones that pop up on the weekly basis,” McKeown said. “The actual events matter to us, and we’re really paying attention to those so we can learn lessons from them and apply them.” 

The congressionally mandated strategy aims to walk companies through what the cyber requirements are, parts of the process, and what assistance is available. 

Right now about 1,500 companies use the voluntary cybersecurity assistance services through the Defense Department’s Cyber Crime Center, or DC3. That’s a fraction of the estimated 200,000 or more companies that contract with the Defense Department, and something officials would like to change.

“We have a [cyber resilience analysis] process where [DC3] can collaborate with the small business, walk them through their networks, help them understand where their vulnerabilities and gaps are. And so we highly encourage those that handle [controlled unclassified information] today to sign up for the program,” said Stacy Bostjanick, the Pentagon’s lead for defense industrial base cybersecurity efforts. “We're looking forward to having a problem with too many people in the program.”