The Defense Department expects to have a plan in place for certifying industry partners for cyber compliance by the end of 2019, a senior acquisition official said Feb. 13.

Kevin Fahey, assistant secretary of defense for acquisition

The goal is to achieve some sort of system similar to a credit score, that would indicate a supplier’s level of cybersecurity readiness in relation to DoD requirements, Kevin Fahey, assistant secretary of defense for acquisition, said at the National Defense Industrial Association’s Section 809 Panel 3 event in Washington, D.C.

“We have to get to the point where it’s like an ISO-9000” series of international quality management systems standards, Fahey said, adding, “We absolutely believe that we’ve got to come to an agreement of what is the standard.”

The Pentagon plans to work with industry to determine the best path forward, and to ensure all parties are “on the same sheet of music,” he said.

Fahey declined to provide an implementation timeline, but said the current idea was to establish a third-party certification system that would allow the department to assess whether a company is properly certified. The challenge will entail getting the hundreds of thousands of potential suppliers implemented into the future system, from small shops to major contractors.

Still, Fahey committed to having a plan in place “this year,” and said the Pentagon is exploring a pathfinder program to help set up a “cyber scoreboard” as an initial effort.

“In the Department of Defense, we’re behind,” he noted. “They already do this in the banking industry; they already do this in the health industry.”