New DOD strategy aims to improve contractors’ cybersecurity, resiliency

To protect military contractors from adversary cyber attacks and intrusions, the Defense Department must commit to educating, measuring and driving improvements in the digital security and resiliency of the industrial base, according to new strategic guidance from the Pentagon.

The Defense Industrial Base Cybersecurity Strategy, released Thursday, is intended to steer the department and industry’s response to threats. Signed by Deputy Secretary Kathleen Hicks, it aims to strengthen companies doing business with the Pentagon — including small businesses and subcontractors — against adversaries seeking access to sensitive data, proprietary information and intellectual property of weapon systems and production nodes.

As part of that effort, the Pentagon will work with the defense industrial base (DIB) to enhance their network posture while also providing more cohesive strategic guidance for companies, according to David McKeown, deputy chief information officer for cybersecurity.

“Over the last several years the DIB has made great strides in improving cyber resiliency, security, compliance and understanding the threat landscape,” McKeown told reporters Thursday ahead of the document’s release. “Together through the DIB cybersecurity strategy, we will further advance our goals and improve DIB cybersecurity.”

The document outlines four main goals as well as corresponding objectives that cover activities from fiscal 2024 to 2027. It notes that while many of the efforts listed have either already begun or are part of the Pentagon’s broader approach to industrial base cybersecurity, the strategy will “sharpen the focus, collaboration and integration” of those objectives.

A key aim for the Pentagon will be working with the DIB to enhance companies’ protection against advanced threats. To do so, the department will continue to routinely evaluate contractor compliance with its cybersecurity requirements — largely through the Cybersecurity Maturity Model Certification (CMMC) program.

However, “[the] increasing number of threats resulting from the evolution and expansion of the digital ecosystem drives the need for enhanced requirements for a subset of critical programs or high value assets,” the strategy states. Therefore, the department will engage in future rulemaking that will expand on current requirements for the industrial base and introduce supplemental guidelines for those handling controlled unclassified information, it noted.

Compliance efforts like CMMC have come under scrutiny in the past, especially among small businesses and non-traditional defense contractors that believe the regulations will be expensive and arduous to keep up with.

McKeown emphasized that the new strategy takes contractors of all size into consideration, and that the department is committed to helping small firms strengthen their cybersecurity posture through a number of free resources.

In addition, McKeown’s office has been working with the Office of Small Business on a pilot to develop a secure, cloud-based environment for smaller companies to use and conduct work in, he said. Officials want to have around 50 to 75 companies involved in the program and begin work this year.

The goal will be to “prove out whether or not we can leverage the cloud to ensure that the data is secure in this cloud environment for the small businesses,” McKeown said. “And then we’ll have to look at how we scale that up and offer that to more and more small businesses over time, or how we get a price point which they can afford and just start leveraging themselves.”

The department also wants to create a new framework for sharing threat information with the industrial base; conduct analysis on potential cyber vulnerabilities in contractors’ IT ecosystems; improve how firms recover from malicious cyber activities to minimize loss of information; and measure the overall effectiveness of the DOD’s cybersecurity requirements. 

Other goals detailed in the strategy include strengthening the Pentagon’s internal governance structure for DIB cybersecurity, preserving the cyber resiliency of the defense supply chain, and boosting overall collaboration among government agencies and contractors on cybersecurity matters.

Stacy Bostjanick, chief of defense industrial base cybersecurity in the CIO’s office, emphasized that the Pentagon is dedicated to working with contractors, as well as an array of stakeholders across government, to execute the strategy.

“Our mission is to protect sensitive information, operational capabilities and product integrity by ensuring the generation, liability and preservation of U.S. warfighting capabilities,” Bostjanick told reporters. “Our vision is simple: a secure, resilient, technologically superior DIB.”