The Pentagon’s top weapons buyer has issued new language applying to future contracts that’s intended to put companies on notice that they must elevate cybersecurity protection.
“We are coming out with standard contract language that all the services will use,” Ellen Lord, the under secretary of defense for acquisition and sustainment, said in an interview. “We’ve just sent out our first formal communication” that says “we are going to do it and providing standard language that can be tailored as needed.”
The beefed-up contracting language follows a move by Defense Secretary Jim Mattis last month to establish a task force that will recommend ways to protect critical technologies from theft by China, Russia and other adversaries.
It would place a company’s cybersecurity practices alongside matters such as the quality and cost of proposals, as well as performance reviews, when considering contract proposals. “Working with our partners in the defense industry and research enterprise, we must ensure the integrity of our classified information, controlled unclassified information and key data,” Mattis said in an Oct 24 memo.
The Pentagon failed to make cybersecurity for its multibillion-dollar weapons systems a major focus until recently despite years of warnings, Congress’s watchdog agency said last month.
For many years until about 2014, the Pentagon “focused cybersecurity efforts on protecting networks and traditional IT systems, such as accounting systems, rather than weapons,” the Government Accountability Office said in a report entitled: “DOD Just Beginning to Grapple with Scale of Vulnerabilities.”
Lord’s initiative was first flagged in September by Deputy Defense Secretary Pat Shanahan, who said that top defense industry leaders have a “responsibility to manage the supply chain, and that’s where we have real gaps” in security.
“We want to be consistent,” Lord said of talks she’s had with weapons buyers for the military services. “It’s an area that’s absolutely critical for the department,” she said. For now, the new language applies only to future contracts but, Lord added, “we are studying what we can do retrospectively.” – Bloomberg