Pentagon Considers Cybersecurity Certification for Its Contractors


It’s still unclear what would be required for certification or how much it would cost for businesses.

In cybersecurity, you’re only as strong as your weakest link. For the Defense Department, the area with the fewest cyber protections is the defense contractors the department works with, particularly the small businesses that don’t have the expertise or resources to build a robust security posture.

The Pentagon put together a task force to assess whether small businesses within the defense industrial base are complying with the cybersecurity framework published by the National Institute of Standards and Technology and to provide assistance to companies that need help.

The department issued a new rule last year requiring vendors to show that they are in compliance with NIST standards or have a plan to get there quickly. Those plans were due Jan. 1.

“Where are we in actually implementing the NIST standard? Is it working? I would argue right now it’s not. We basically say, ‘Hey, tell us if you’re compliant.’ And we don’t actually check,” Kevin Fahey, assistant secretary of defense for acquisition, said during a keynote at the annual Charleston Defense Contractors Association Summit in South Carolina.

Within the next year, Fahey said he hopes to have a method to certify the cybersecurity of Defense Department vendors. That process begins with ensuring companies are compliant with NIST standards.

“That will be the first step, which is a huge step,” he said. “Then, how do we change the NIST to maybe be even more encompassing to make sure we’re doing things?”

Fahey acknowledged that second step might be cause for concern among the defense industrial base, as it is not yet clear exactly what that would mean or, more importantly, how much it would cost. As a remedy, he cited upcoming pilots to allow small businesses to use the department’s secure environments, putting the cost and security onus on the government rather than the contractor.

“Is there a way that we certify industry to be cyber-compliant to protect our data?” Fahey asked. “We need to figure it out and we need to figure it out fast.”