In September, Deputy Defense Secretary Patrick Shanahan commented that the Pentagon intends to hold industry accountable for improved cybersecurity, and in that regard "we're in a new world."
The department's focus on increasing contractor accountability for cybersecurity compliance could lead to ethical and compliance problems as industry participants work to meet the evolving, sometimes uncertain contractual and technical standards, and their means of enforcement.
While these issues develop, however, contractors should address cybersecurity concerns in their ethics and compliance programs, as a means to change the culture of the organization to meet these "new world" requirements, and to ensure that a cybersecurity problem doesn't create additional ethical or legal problems.
The Pentagon's current approach for establishing and maintaining contractor compliance with cybersecurity standards is through the contract clause at Defense Federal Acquisition Regulation Supplement 252.204-7012, which as of Dec. 31, 2017, required covered contractors to implement the National Institute of Standards and Technology Special Publication (SP) 800-171, "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations." Importantly, contractors "self-attest" to meeting those requirements, which is often a difficult assessment.
As the Defense Department warns in its guidance accompanying these requirements, however, "[u]ltimately, it is the contractor's responsibility to determine whether it has implemented the NIST SP 800-171 (as well as any other security measures necessary to provide adequate security for covered defense information)."
More recently, in joint written testimony before the House Armed Services Committee, department leadership announced a pilot acquisition program dubbed "Deliver Uncompromised" that will increase the focus on and scope of contractor cybersecurity obligations. The program "aims to establish security as a fourth pillar in acquisition, on par with cost, schedule and performance" to highlight contractors' obligation to enhance their cybersecurity capability. The pilot program will be implemented in the coming year.
Those views were confirmed when the Pentagon released its "Summary Department of Defense Cyber Strategy" in September. In setting its top-level strategy for defending civilian assets in the defense industrial base, the department promises to "set and enforce standards for...