In this Q&A, CREATe CEO Pamela Passman asks questions of Robert Metzger about the latest trends and challenges in protecting sensitive Department of Defense information. Metzger recently reviewed and commented on CREATe’s latest whitepaper: Navigating the Rising Tide of Cybersecurity Regulation.
Metzger is a shareholder at law firm Rogers Joseph O’Donnell PC, and a member of the firm’s Government Contracts Practice Group and head of the Washington, D.C., office. He is regarded as a leading expert in emerging issues related to cybersecurity and supply chain risk management.
Passman: “Bob, thanks very much for sharing your insights with us today. To start, why is the protection of technical information so important?”
Metzger: “Many companies today — surprisingly including key defense suppliers — do not grasp the extent to which our defense posture has suffered from unauthorized extraction of technical information. This is a persistent and evolving threat. The same threat puts at risk valuable company proprietary information and trade secrets.”
Passman: “What steps are being taken by the Department of Defense (DOD) to mitigate cybersecurity risks among government contractors?”
Metzger: “Contractors working for the DOD are obligated to improve the protection of technical information through a number of regulations – and as your whitepaper mentions, the requirements are on the rise. New contracts also feature a safeguarding clause that uses cyber measures specially created for commercial companies; it also imposes a direct and immediate security obligation on defense contractors. It states:
‘The Contractor shall provide adequate security for all covered defense information [CDI] on all covered contractor information systems that support the performance of work under this contract.’”
Passman: “How are contractors responding to these requirements?”
Metzger: “Some in the defense industrial base were uncertain how to comply with the new requirements. They also needed time to assess the state of their existing cyber measures and to identify and then implement improvements to satisfy the broad range of controls in the information security guidelines. Regardless, contractors will be obligated to implement security requirements ‘as soon as practical,’ and definitely before the deadline of December 31, 2017.”
Passman: “At CREATe.org, we find that many multinationals have systems in place for information protection – however their third party partners may have less mature practices. Is this the case in government contracting as well?”
Metzger: “Yes, this is also the case in the DOD value chain. The DoD’s largest contractors are likely to have systems protecting covered defense information that meet or exceed the requirements in the information security standards (SP 800-171) established by the National Institute of Standards and Technology (NIST). As to medium-sized and smaller businesses, the risks increase. Adversaries recognize that valuable technical information is accessible not just through ‘tier 1’ contractors, where we can expect relatively good cyber measures, but also down the supply chain. The greatest compliance challenge is found at the level of smaller partners in the value chain.”
Passman: “How are small- and medium-sized contractors approaching cyber obligation rules?”
Metzger: “Anecdotal evidence suggests that medium-sized companies are approaching the rules cautiously. Smaller companies seem to be taking a ‘wait and see’ approach and looking for solutions that will be affordable and cause little business disruption.
The challenge, of course, is that some companies may consider the burden and cost of compliance too high and as such, will leave the defense industry. This is not in DoD’s interest — and could deprive higher tier contractors of essential and trusted specialty suppliers.”
Passman: “How do you think the DOD can help these smaller businesses to meet compliance requirements?”
Metzger: “I believe the DOD should encourage its largest contractors to assist and mentor their supply chain partners. Also, DoD needs to make funding available to assist its industrial base in compliance with new cyber protection demands. Added protection comes at a cost to those who implement it and thus at a price to DoD. At a more technical level, DoD needs to work with NIST to develop ways that authorize smaller businesses to employ third-party, cloud-based resources to handle the access, authentication and security requirements imposed when these companies receive covered defense information. New initiatives are needed, from DoD, to facilitate cyber compliance by smaller companies, enabling them to protect sensitive DoD information without costly obligations to reconfigure enterprise-wide information systems.”
Passman: “Bob, thanks very much again for your insights.”
Robert Metzger is a shareholder at law firm Rogers Joseph O’Donnell PC, where he’s a member of the Government Contracts Practice Group and head of the Washington, D.C., office.