The defense industry agrees with the Pentagon’s mandate for new cyber security measures aimed at protecting sensitive technical information, but the path forward is unclear and industry has more questions than answers, an official with a major industry association told Defense Daily on Nov. 25.
The new information security regulations, issued last week, call for defense firms, big and small, to report cyber breaches related to unclassified controlled technical information within three days of discovery, but there is no process spelled out for how to report these incidents, Christian Marrone, vice president for National Security and Acquisition Policy at the Aerospace Industries Association (AIA), said.
The amendment to the Defense Federal Acquisition Regulation Supplement (DFARS) also mandates that all defense contractors adequately secure unclassified controlled technical data under new contracts. The new rules went into effect on Nov. 18.
“We also don’t want our proprietary information to end up in the hands of someone else,” Marrone said. “We spent a lot of money developing that information. So we endorse the idea. It all comes down to, ‘how do we implement it?’”
There are not a lot of details in the amendment to the DFARS, Marrone said. After “our initial review, there are a lot of questions.”
In addition to how incidents are to be reported, industry wants to know how the information will be used, such as for attribution and debarment, and if there are liability issues, Marrone said.
“There are all these open-ended questions that you just don’t know,” Marrone said. “There appears to be no safeguards for the information.” He added that “right now we don’t have answers” to these questions because “it’s not readily apparent by what was put out.”
AIA will convene its Cyber Security Steering Committee of industry members to further refine the questions that need to be asked of the Defense Department. Once industry completes its “due diligence,” which is expected to move quickly, “We’re looking forward to working with the department to hopefully work through a number of these issues,” Marrone said.
Marrone said the goal is to have the same “desired outcome that the department” has and “we’ll work with them to achieve it. But what we’ve found through experience is the more you try to define these things, the more difficult they are to actually implement and I think this could be one of those key areas.”
Industry provided comments in 2011 on what was then a proposed rule for improving cyber security measures for unclassified sensitive data. Since then, industry hasn’t had an opportunity to discuss the matter with the Pentagon, Marrone said.
“There’s a fair amount of work that has to be done before we hope they would start implementing this,” Marrone said. “So everyone is clear and understands the processes, how the information is going to be utilized, and those types of things. Right now you don’t get that from the rule.”