Government regulations around cyber security requirements throughout the defense industrial supply chain need to be more clearly defined and small and medium-sized contractors may be unaware of these regulations and or lack the resources to implement them, says a new report by the consulting firm Deloitte.

“Significant importance is being given to cybersecurity because of a robust regulatory system,” Deloitte says in the paper, Third Party Risk Management: Cybersecurity in the Defense Industrial Base (DIB). “However, these regulations will need to be clearly defined to avoid straining defense contractor in their adoption and implementation, and to help unidentified risks. Defense contractors and their suppliers in the United States face various challenges when it comes to adhering to cybersecurity regulations.”

The report points out that the Defense Department has taken steps this year to require the Defense Contract Management Agency (DCMA) to ensure that cyber security requirements flow down to tier-one suppliers  and that the agency also reviews the procedures of prime contractors to assess compliance of their tier-one suppliers with relevant Defense Federal Acquisition Regulations (DFARS) and National Institute of Standards and Technology regulations.

The report says the DCMA should be ensuring “flow-down” to tier-five suppliers of prime contractors.

Deloitte also highlights an audit earlier this year by the DoD Inspector General of cyber security controls of seven Missile Defense Agency contractors that found inconsistent implementation and processes to protect classified and unclassified technical information.

“The DoD’s increased enforcement of DFARS flow-down requirements is evidenced by the DoDIG report, which was critical of a DoD agency for not aggressively ensuring all its suppliers complied” with relevant regulations, Deloitte says.

The report urges defense prime contractors and original equipment manufacturers to create a cybersecurity framework to protect them and their suppliers’ supply chain security. Some of the components of a governance process could include establishment of a risk framework and risk profiling process for suppliers, identifying suppliers and how they get their data and how they remediate problems, and deciding which suppliers to assess and how often.

The report also says that in addition to applying the NIST standards to themselves routinely, they should make sure all their subcontractors are aware of these standards and even provide training and education.

Deloitte also suggests non-regulatory measures that prime contractors can take to strengthen the cyber security of their supply chains, including digitizing and automating supply chain functions, adopting blockchain technology, and using artificial intelligence and machine learning capabilities to understand cyber threats more quickly so that threat response is quicker.