Both small and large sized contractors are struggling to be in line with the Pentagon’s updated network security rules, according to a Department of Defence study.
Kevin Fahey, assistant defence secretary for acquisition, told reporters on Monday that even though “for the most part, the big companies do very well, in no case do they meet everything that they thought they met.”
Part of the problem pertains to the fact that after large-sized companies tend to give their smaller subcontractors plenty of data that they don’t need, this information becomes vulnerable to foreign hackers.
Fahey also said that the “biggest part of our training and the problem is that our adversaries don’t try to come in through the big companies” and that they typically “come in through the fifth-, sixth-tier.”
“If you’re flowing down information they don’t need, then that’s bad. That’s where we’re seeing our biggest problem,” he pointed out.
Fahey explained that unlike previous years when the Pentagon turned a blind eye to the contractors self-certifying, the Department of Defence’s current stance is different.
“The way that it has been working in the past is: you claim you do it, and we never checked. You self-certify and if you’re not certified, you say here’s your get-well plan. Now we’re checking,” he underscored.
The website Defence Once in this context cited Jason Timm, the US Aerospace Industries Association’s assistant vice president for national security policy, as saying that he has not heard of anyone not getting a contract yet but that “the probability [of not getting one] is there.”
He added that areas in which contractors are having trouble meeting Pentagon standards include multi-factor authentication and FIPS (Federal Information Processing Standards)-validated encryption.
Pentagon's New Cyber Security Standards
The remarks came after the Pentagon released earlier this year a number of new guidance and memos to update its new cyber security standards which were introduced in January 2018 after hackers managed to steal sensitive data about the F-35 Joint Strike Fighter from an Australian subcontractor in 2016.
In line with the memos, the Pentagon warned the contractors that they will lose business if they or their suppliers do not meet the new rules.
