In a move that has been a long time coming—literally, since it was first mandated in 2013 and again in 2015—the Pentagon has finally issued its new Rule on how defense contractors will report suspected cybercrimes.
No longer allowing contractors to wait until a breach has occurred and the extent of the damage investigated, this Rule requires contractors to report any and all suspicious activity if there’s even a chance that harm could come from it. This “potential for harm” reporting is intended to thwart cyberattacks before they occur and minimize the time between an actual hacking event and the reporting.
The Department of Defense has relied on contractors almost since it was established, as they fill important roles without the need to hire additional permanent manpower. If a business is already providing a service, whether it’s sewing uniforms for the military or providing highly trained intelligence security systems, it makes sense to hire that business instead of trying to reinvent the wheel.
The use of defense contractors is similar in nature to a corporation hiring third-party vendors to fulfill some of its needs rather than hiring and training additional members of the workforce. Unfortunately, third-party vendors—and logically by the same definition, contractors—have proven to be the weakest link in preventing corporate data breaches. The infamous Target breach has been traced back to a small company that serviced the retail chain’s refrigeration units and AC systems. With businesses in nearly every sector of industry hiring third-party vendors to cover everything from billing and payroll to data entry and even janitorial services, cybersecurity experts are warning companies to take a closer look at who they work with and to take immediate action when a threat is uncovered.
The same is true for the government. After the Office of Personnel Management breach that compromised at least four million employees’ identities and may have affected another 22 million people, the government is taking a hard look at how threats are detected, reported, and addressed. These newly released guidelines will ideally serve as a streamlined effort in data breach reporting, even if an event hasn’t been fully uncovered.
Unfortunately, what isn’t so straightforward is how the government will oversee compliance with these guidelines, or what “punishment” it will impose for violating the mandates. It will largely be up to defense contractors to police themselves, which is why the initial focus is on helping them know when to report and whom to report to. One of the major obstacles will be aligning the standards that contractors already adhere to as places of business with the standards they must now meet as government contractors.