"Deliver Uncompromised," the "Fourth Pillar of Acquisition" or "Securing the DoD Supply Chain"--no matter what turn of phrase one uses to discuss protecting the defense industrial base and the equipment and support it provides warfighters from cyber threats, this issue stands front and center for the Pentagon and for the people and companies that provide its capabilities.
Experts estimate losses of about $600 billion per year in the transfer of wealth, expertise and trade secrets due to cyber crime. Adversaries and bad actors specifically target the defense industrial base, using the pilfered data to close capability gaps with the United States, its allies and partners.
The National Defense Strategy and the National Cyber Strategy lay it bare, "Our competitors--including... foreign adversaries such as Russia and China--are also using cyber to try to steal our technology." Protecting U.S. advantages demands better government-industry collaboration. Fortunately, that is happening, with the end state being an effective, holistic cyber defense.
Despite being the home of cyberspace and the innovative tech giants who used it to transform society and the economy, America--both its government and its traditional industries--has responded slowly to growing and increasingly adaptive cyber threats. That said, stakeholders now recognize the challenge and have begun responding with concrete actions. The cyber hygiene of U.S. government contractors, especially those in the defense industrial base, was called out in the series of 2018 strategy documents, and contractors will likely soon need third-party cybersecurity certification to participate in any Defense Department contract.
No longer will lower-tier members of the supply chain meet standards merely by self-reporting their success in following their own plan to meet NIST 800-171 standards. The tried-and-true adage that "what gets measured gets done" will rule.
Importantly, as the Pentagon tackled this issue, its thinking rapidly evolved. Beginning with a MITRE study titled "Deliver Uncompromised," there was a call to make security a fourth pillar of acquisitions, separate from but equal to the pillars of cost, schedule and performance.
However, this approach fails because, unlike the tradeoffs that can balance the three traditional pillars, no one advocates trading security for lower cost, a faster schedule or better performance. Instead, defense leaders see security as the foundation below the pillars.