US Contractors Struggling With Pentagon Cyber Security Standards

The US federal government relies on external service providers to carry out a wide range of government tasks using cyber and digital systems. Many federal contractors routinely process, store and transmit sensitive federal information in their own systems to support the delivery of essential products and services to federal agencies.

These include financial services, web connectivity and email services; processing security clearances and healthcare data; providing cloud services; and developing communications, satellites and weapons systems. Federal information is also frequently provided to or shared with entities such as state and local governments, colleges and universities, and independent research organisations.

Foreign nations have clearly recognised that one of the best pathways to hacking and stealing US government technology is by targeting its industrial base.

Foreign countries are now targeting and compromising US contractors so often that the Department of Defense asked the National Institute of Standards and Technology to develop custom security guidance to address the problem.

The Pentagon is making big moves in an effort to improve cybersecurity for its industrial base. However, the department's biggest roadblocks early on may be the same confusion, doubt and uneven compliance from contractors that led to the vulnerabilities in the first place.

Nine months ago the US Defense Department (DoD) said that contractors not up to date on cybersecurity standards would get a pass for only a short period before the DoD begins auditing the cybersecurity procedures of companies that want to win contracts. It plans to start those audits within the next 18 months, according to Ellen Lord, DoD undersecretary for acquisition and sustainment.

Some small companies are struggling to meet the Pentagon's cyber network security rules, and even larger contractors aren't doing as well as they think they are, according to a recent DoD study.

One reason may be that big companies tend to give their smaller subcontractors a lot of data they don't need, which then becomes vulnerable to foreign hackers. In 2016, hackers stole sensitive data about the F-35 Joint Strike Fighter from an Australian subcontractor. That and similar cases prompted the Pentagon to issue new rules for handling such information. By Jan. 1, 2018, companies were supposed to have a plan for meeting these new standards.

The Pentagon has been warning companies that they will lose business if they or their suppliers do not meet the rules.

Areas in which companies are having particular trouble meeting the standards include multi-factor authentication and FIPS-validated encryption. Even full compliance does not mean a company's networks are safe from thieves, and officials from the Department of Defense and the National Institute of Standards and Technology (NIST) are producing new draft cybersecurity guidance for contractor systems deemed high-value assets, to comply with the Pentagon's Cybersecurity Maturity Model Certification (CMMC) program.
