14:20 GMT 11 May 2021

    Over the past several months, the US Department of Defence has issued a spate of new memos to tighten its cyber security standards for contractors that are interested in doing business with the Pentagon.

    Both small and large contractors are struggling to comply with the Pentagon’s updated network security rules, according to a Department of Defence study.

    Kevin Fahey, assistant defence secretary for acquisition, told reporters on Monday that even though “for the most part, the big companies do very well, in no case do they meet everything that they thought they met.”

    Part of the problem is that large companies tend to give their smaller subcontractors plenty of data that they don’t need, and this information then becomes vulnerable to foreign hackers.

    Fahey also said that the “biggest part of our training and the problem is that our adversaries don’t try to come in through the big companies” and that they typically “come in through the fifth-, sixth-tier.”

    “If you’re flowing down information they don’t need, then that’s bad. That’s where we’re seeing our biggest problem,” he pointed out.

    Fahey explained that, unlike in previous years when the Pentagon turned a blind eye to contractors self-certifying, the Department of Defence’s current stance is different.

    “The way that it has been working in the past is: you claim you do it, and we never checked. You self-certify and if you’re not certified, you say here’s your get-well plan. Now we’re checking,” he underscored.

    The website Defense One cited Jason Timm, the US Aerospace Industries Association’s assistant vice president for national security policy, as saying that he has not heard of anyone not getting a contract yet but that “the probability [of not getting one] is there.”

    He added that areas in which contractors are having trouble meeting Pentagon standards include multi-factor authentication and FIPS (Federal Information Processing Standards)-validated encryption.

    Pentagon's New Cyber Security Standards

    The remarks came after the Pentagon earlier this year released a number of new guidance documents and memos to update its new cyber security standards, which were introduced in January 2018 after hackers managed to steal sensitive data about the F-35 Joint Strike Fighter from an Australian subcontractor in 2016.

    In the memos, the Pentagon warned contractors that they will lose business if they or their suppliers do not meet the new rules.

