US Contractors Struggling With Pentagon Cyber Security Standards

Uploaded on 2019-12-17 in NEWS-Cybersecurity News, GOVERNMENT-Defence, FREE TO VIEW

The US federal government relies on external service providers to help carry a wide range of government tasks using cyber and digital systems and many federal contractors, routinely process, store, and transmit sensitive federal information in their systems to support the delivery of essential products and services to federal agencies.

These include financial services lik web connectivity, email services; processing security clearances, healthcare data, providing cloud services, developing communications, satellites and weapons systems. Federal information is also frequently provided to or shared with entities such as State and local governments, colleges and universities as well as independent research organisations.

Foreign nations have clearly  recognised that one of the best pathways to hacking and stealing US government technology is by targeting its industrial base. 

Now Foreign countries are actively targeting and compromising US contractors so often that the Department of Defense asked the National Institute of Standards and Technology to develop custom security guidance to address the problem.
The Pentagon is making big moves in an effort to improve cybersecurity for its industrial base. However, the department's biggest roadblocks early on may be the same confusion, doubt and uneven compliance from contractors that led to the vulnerabilities in the first place.

Nine months ago the US Defence Department (DoD), said contractors not up to date on cybersecurity standards will only get a pass from the DoD for a short period before the DoD will begin auditing companies’ cybersecurity procedures that want to win contracts and it plans to start within the next 18 months, according to Ellen Lord, DoD undersecretary for acquisition and sustainment.

Some small companies are struggling to meet the Pentagon’s cyber network security rules, and even larger contractors aren’t doing as well as they think they are according  a recent DoD study.

One reason may be that big companies tend to give their smaller subcontractors a lot of data they don’t need, which then becomes vulnerable to foreign hackers. In 2016, hackers stole sensitive data about the F-35 Joint Strike Fighter from an Australian subcontractor. That and similar cases prompted the Pentagon to issue New rules for handling such information. By Jan. 1, 2018, companies were supposed to have a plan for meeting these new standards.

The Pentagon has been warning companies that they will lose business if they or their suppliers do not meet the rules. 

Areas in which companies are having particular trouble meeting the standards include multi-factor authentication and FIPS-validated encryption. Even full compliance doesn’t mean a company’s networks are safe from thieves and officials from the Department of Defense and the National Institute of Standards and Technology (NIST) are producing new draft cyber security guidance for contractor systems deemed high value assets to comply with thw Pentagon's Cybersecurity Maturity Model Certification (CMMC) program.   

Defense One:       Federal News Network:      Defense Systems:     FCW:      NIST:

You Might Also Read: 

Microsoft, Amazon CEOs Vow To Continue Defense Work:

 

« The Future Of Policing In A Cyber World
Going To The Dark Web »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Perspective Risk

Perspective Risk

Perspective Risk provides penetration testing, security assessments, risk management & compliance solutions, InfoSec training and consultancy services.

CryptoCodex

CryptoCodex

Cryptocodex has developed Counter-Fight, the most advanced, yet simple to implement, counterfeit detection system.

SecLytics

SecLytics

SecLytics is the leader in Predictive Threat Intelligence. Our SaaS-based Augur platform leverages behavioral profiling and machine learning to hunt down cyber criminals.

LightEdge Solutions

LightEdge Solutions

LightEdge’s highly-trained compliance and security experts take the guesswork out of keeping your business protected.

ODSC

ODSC

ODSC is a security systems integrator that provides services and expertise in identity management and access.

HackControl

HackControl

HackControl services include penetration tests, security audits, block chain audits and brand and anti-phishing protection.

PurpleSynapz

PurpleSynapz

PurpleSynapz provides hyper-realistic Cyber Security Training with a modern curriculum and Cyber Range.

Maven Security Consulting

Maven Security Consulting

Maven Security Consulting helps companies secure their information assets and digital infrastructure by providing a wide range of customized consulting and training services.

cleverDome

cleverDome

cleverDome has created the first community built and proven model that redefines the standards for protecting the most confidential data and information of consumers in the cloud.

Neosec

Neosec

We’re reinventing API security. Understanding behavior requires data, analytics, and intelligence. Neosec brings XDR techniques to application security.

Atomic Data

Atomic Data

Atomic Data is an on-demand, always-on, pay-as-you-go expert extension of your enterprise IT team and infrastructure.

Secora Consulting

Secora Consulting

Secora Consulting is a professional services company specialising in tailored cybersecurity assessments and cyber advisory services.

TAFEcyber

TAFEcyber

TAFEcyber is an Australian based consortium focusing on the skilling of the fast-growing cyber security workforce through education and training.

Silent Circle

Silent Circle

Silent Circle is the leader in end-to-end enterprise solutions for secure mobile communications.

Evolver

Evolver

Evolver delivers technology services and solutions that improve security, promote innovation, and maximize operational efficiency in support of government and commercial customers.

Ncontracts

Ncontracts

Our mission at Ncontracts is to continually improve our clients’ ability to manage risk and compliance.