recommended reading

New mandate would require military contractors to report cyber breaches

Defense Department file photo

This story has been updated with comments from the Defense Department.

The Defense authorization bill approved by Congress last week would require contractors to tell the Pentagon about penetrations of company-owned networks that handle military data. If President Obama signs the legislation into law, it would make permanent part of a Pentagon test program under which participating contractors report computer breaches in exchange for access to some classified cyber threat intelligence.

What began as a defense industrial base pilot program in 2011 was opened to all interested military vendors in May. In October, reports surfaced that five of the 17 initial contractors dropped out of part of the program in which the National Security Agency shares classified threat indicators with the participants, apparently because they concluded the requirements for participation were too expensive and time-consuming for any enhanced security benefit. At the time, Lockheed Martin Corp. executives who help run the program noted the growth potential of another segment of the program that allows contractors to voluntarily share information about breaches to their networks without revealing identifying information to fellow contractors and the government. Now they say interest in the whole program is increasing.

On Wednesday, Defense officials provided contradictory information about the popularity of the classified service. The number of participants in that component, called the Defense Industrial Base Enhanced Cybersecurity Services, or DECS, has not changed, said Pentagon spokesman Lt. Col. Damien Pickart.  “Today, 12 DIB companies continue to receive DECS services,” he said, referring to the same total reported in October.

The new mandate would arrive as Congress and the White House grapple with requiring similar communications across all critical sectors, including the energy, healthcare and defense industries. Obama as early as January is expected to issue an executive order, which doesn’t carry the heft or permanence of law, directing those sectors to report incidents and adhere to new cybersecurity standards.

But the Defense legislation stops short of requiring participation in the industrywide information-sharing program. And it does not address the Pentagon’s end of the deal, in which NSA shares classified warnings of imminent threats.

That second part basically reveals to contractors, or their Internet service providers, digital footprints of malicious software so antivirus scans can block the malware. The program’s regulations state that, in exchange for this intelligence, contractors must disclose breaches they have suffered “within 72 hours of discovery.”

Congress’s measure only states that contractors are mandated “to rapidly report” to the Defense Department each “successful penetration of the network or information systems” carrying military data.  

Earlier last week, Lockheed Martin executives said the whole voluntary program has flourished since the October reports of dropouts. The executives said they are not concerned about those departures and anticipate the program will grow.

It is believed the departing defense contractors, some of whom specialize in cyber defense, felt NSA’s intelligence was no more valuable than their own detective work.

But officials at Lockheed Martin, which is itself a major cybersecurity player and program participant, said the company is benefiting from the openness.

“We have a strong knowledge base but nobody is above learning from other people,” said Robert F. Smith, vice president of space and cyber for Lockheed Martin. “Everybody is better off when they get more information.”

However, Defense officials on Monday said that only the unclassified information-sharing component, which circulates non-identifying reports about company network penetrations, has attracted new members. That piece of the program has grown from 34 to 70 contractors, with new companies joining weekly, Pickart said. The department has “developed an outreach strategy” to encourage membership in both program elements, he said. But  “it is a business decision whether to voluntarily participate or not” in the classified service, Pickart stressed. 

The five contractors that left might rejoin if they can lessen the financial burden by applying the protections without an ISP, he added.

Lockheed has been tasked with, among other things, expanding the program to potentially 2,600 defense contractors, although it’s not clear how many of those will participate. On Monday, Lockheed spokesman Ken Darby said in an email that “under the DoD’s direction, we cannot release the number of companies participating in the program.” The total number of companies has grown since May, he reiterated, “and the fact that the total continues to increase demonstrates the value of the program.”

Threatwatch Alert

Credential-stealing malware / User accounts compromised / Software vulnerability

Android Malware Infects More than 1M Phones, Adds 13,000 Devices a Day

See threatwatch report


Close [ x ] More from Nextgov

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

  • PIV- I And Multifactor Authentication: The Best Defense for Federal Government Contractors

    This white paper explores NIST SP 800-171 and why compliance is critical to federal government contractors, especially those that work with the Department of Defense, as well as how leveraging PIV-I credentialing with multifactor authentication can be used as a defense against cyberattacks

  • Toward A More Innovative Government

    This research study aims to understand how state and local leaders regard their agency’s innovation efforts and what they are doing to overcome the challenges they face in successfully implementing these efforts.

  • From Volume to Value: UK’s NHS Digital Provides U.S. Healthcare Agencies A Roadmap For Value-Based Payment Models

    The U.S. healthcare industry is rapidly moving away from traditional fee-for-service models and towards value-based purchasing that reimburses physicians for quality of care in place of frequency of care.

  • GBC Flash Poll: Is Your Agency Safe?

    Federal leaders weigh in on the state of information security

  • Data-Centric Security vs. Database-Level Security

    Database-level encryption had its origins in the 1990s and early 2000s in response to very basic risks which largely revolved around the theft of servers, backup tapes and other physical-layer assets. As noted in Verizon’s 2014, Data Breach Investigations Report (DBIR)1, threats today are far more advanced and dangerous.


When you download a report, your information may be shared with the underwriters of that document.