Released earlier this year, the Department of Defense’s Defense Industrial Base Cybersecurity Strategy 2024 emphasizes the importance of protecting the contractors who supply critical expertise, materials, and infrastructure for national defense from the threat of cyberattacks. However, despite the department’s efforts to both strengthen requirements and provide tools to help contractors harden their cybersecurity posture, confusion is high and adoption of available resources low.
As one part of this plan, the DoD is focused on encouraging the use of the cyber protection services it offers by making them easier to access and expanding the number of companies eligible to use them.
When the plan was released, Chief Information Security Officer David McKeown frankly acknowledged the difficulty contractors faced, stating, “We were very disjointed between the different stakeholders in the department that delivered services, and a lot of DIB partners were complaining that we didn’t have a single point of entry. The goal here with this strategy is to highlight a way forward where we’ll have a more centralized and more cogent approach, where everybody in the department knows what their role is, rather than having to have 15 different connections to different stakeholders.”
Among the steps to improve awareness of the “cybersecurity-as-a-service” offerings already available from the DoD is a partial list of such services and support, with eligibility criteria and descriptions, in Appendix III of its Cybersecurity Strategy. The department also plans a relaunch of the Defense Industrial Base Cybersecurity Portal (DIBNet) with new features, including an API that will let companies automatically retrieve cyber threat alerts and warnings from the DoD.
It’s clear the Department of Defense has a long way to go in effectively gathering information about cyber threats from members of the Defense Industrial Base. While an estimated 70,000 to 75,000 companies handle controlled unclassified information (CUI), only 1,500 were participating in the DoD’s voluntary information-sharing programs as of the release of the plan. To encourage greater buy-in, the DoD expanded the eligibility criteria as of April 11, 2024, to allow participation by non-cleared defense contractors.
It remains to be seen whether the National Security Agency, the DoD Cyber Crime Center (DC3), and the other DoD components that provide its cybersecurity offerings will be able to keep up if participation sharply increases. However, in light of the limited participation to date, officials do not anticipate any immediate problems.
One area in which the Cybersecurity Strategy is light on details is its relationship with the Cybersecurity Maturity Model Certification (CMMC) program. This is not surprising, given that the DoD published the second of two proposed rules setting forth key requirements of CMMC only on August 15, with a public comment period open until October 14. However, the strategy includes as an objective the need to “in collaboration with the DIB… seek to measure the effectiveness of cybersecurity requirements associated with programs, pilots, and services to inform subsequent efforts and iterative improvements.” It is to be hoped that the DoD will continue to clarify vendors’ responsibilities for safeguarding data and reporting cyber incidents.
Defense contractors and subcontractors present tempting targets for state and nonstate malicious actors seeking an easier means of stealing sensitive information. If you’re unsure you’ve met your compliance requirements or that your current state of cybersecurity readiness is sufficient, your business could be at risk. With over 25 years of experience in IT and cybersecurity, Right Click can cut through the confusion to help you achieve and maintain accurate compliance with all applicable regulations and stay ahead of emerging cyber threats. To learn more, schedule your consultation by contacting us here.