The Defense Department and General Services Administration (GSA) in late January published a set of guidelines for improving cyber security as part of the acquisition process.

The report, Improving Cybersecurity and Resilience through Acquisition, outlines six recommended strategic reforms:

  • Institute baseline cyber security requirements as a condition of contract award for appropriate acquisitions;
  • Include cyber security in acquisition training;
  • Develop common cyber security definitions for federal acquisition;
  • Institute a federal acquisition cyber risk management strategy;
  • Include a requirement to purchase from original equipment manufacturers, their authorized resellers, or other trusted sources; and
  • Increase government accountability for cyber risk management.

“Ensuring we have fully implemented the recommendations of this report will be instrumental in addressing the growing cyber risks we face,” says Frank Kendall, under secretary of defense for Acquisition, Technology and Logistics.

The report was researched and written over four months with subject matter experts from across the federal government and submitted to the president, reports our sister publication Defense Daily. It is part of the Defense Department’s contributions to President Barack Obama’s Executive Order last February on cyber security and an accompanying Presidential Policy Directive on strengthening critical infrastructure security. Both directives are aimed at closing the cyber security gaps between government and private firms that control vital infrastructure, such as utilities and banking.

The recommendations will become available this month for comment in the Federal Register.

The recommendation addressing cyber controls built into systems prior to acquisition refers to what contractors call “embedded cyber security.”

“The value of embedded cyber means that it allows our customers to cyber harden their platforms up front by building in good systems engineering, good architectural approaches and designing cyber in from the very start,” Mike Papay, vice president and chief information security officer at Northrop Grumman [NOC], said last spring.

Papay has described Northrop Grumman’s approach to embedded cyber security as “all of the above,” meaning that the company addresses vulnerabilities from the infrastructure’s perimeter down to its networks, applications and data. This includes creating a secure code and other defenses from the beginning of a project’s development.

Papay used the Navy’s tactical afloat network, Consolidated Afloat Network and Enterprise System (CANES), as an example of a system to which Northrop Grumman has applied the embedded cyber security concept.

DoD Test Report Finds Cyber Vulnerabilities

The release of the acquisition process recommendations coincided with the publishing of an annual report by the DoD’s Director of Operational Test and Evaluation that identified 400 cyber security vulnerabilities across 33 systems.

“All of the problem discoveries could have and should have been identified prior to operational testing,” Michael Gilmore, director of DoD OT&E, writes in the FY ’13 report. The report says that problems identified this late are classified as Case 1, which suggests that managers most likely focused too much on budget and schedule instead of test results.

Gilmore notes that the report did not determine whether vulnerabilities had been found in developmental testing and were ignored, or if they had only appeared in operational testing. DOT&E and Kendall’s office are collaborating on a revised cyber security policy because so many vulnerabilities are being found late in program acquisition cycles, Gilmore writes.

“However, the fact that so many vulnerabilities are being found late in a program’s acquisition cycle is one of the main reasons why DOT&E and USD(AT&L) [Undersecretary of Defense for Acquisition, Technology and Logistics] are collaborating on a revised cybersecurity policy,” he wrote.

The report says that almost half of the 400 vulnerabilities were classified in the highest category of risk, that of debilitating a system, with the three most common issues at this level being out-of-date or unpatched software, configurations that included known code vulnerabilities, and the use of default passwords in fielded systems.

The report did not specify which 33 systems had undergone cyber security assessments, but several of the systems described as Case or Category 1 demonstrated significant cyber flaws. For example, the Navy’s CANES network, which connects ships, submarines and shore sites, showed 29 of the highest risk cyber vulnerabilities and 172 lower vulnerabilities. Only four of 32 baseline applications had been tested.