Last week Sen. Inhofe (R,OK) introduced S 1790, the National Defense Authorization Act (NDAA) for Fiscal Year 2020. The bill was reported favorably by the Senate Armed Services Committee, which Inhofe chairs. The Senate is scheduled to take up the bill this week. The bill includes an entire sub-title that addresses cyber operations, including one section that addresses the development of a set of cybersecurity standards for the defense industrial base.
Defense Industrial Base Cybersecurity
Section 1634 requires DOD to “develop a consistent, comprehensive framework to enhance cybersecurity for the United States defense industrial base” {§1634(a)}. The framework would be developed by February 1st, 2020. The framework would include {§1634(b)}:
• Identification of unified cybersecurity standards, regulations, metrics, ratings, third-party certifications, or requirements to be imposed on the defense industrial base for the purpose of assessing the cybersecurity of individual contractors.
• The roles and responsibilities of various activities within the Department of Defense, across the entire acquisition process, beginning with market research, including responsibility determination, solicitation, and award, and continuing with contractor management and oversight on matters relating to cybersecurity.
• The responsibilities of the prime contractors, and all subcontractors in the supply chain, for implementing the required cybersecurity standards, regulations, metrics, ratings, third-party certifications, and requirements identified under paragraph (1).
• A plan to provide implementation guidance, education, manuals, and, as necessary, direct technical support or assistance to such contractors on matters relating to cybersecurity.
• Methods and programs for defining and managing controlled unclassified information, and for limiting the presence of unnecessary sensitive information on contractor networks.
• Quantitative metrics for assessing the effectiveness of the overall framework over time, with respect to the exfiltration of controlled unclassified information from the defense industrial base.
While the language in the bill does not specify whether the cybersecurity concerns cover both the information technology and control system technology used in the industrial base, the Committee Report does address the matter. It notes (pg 306):
“The committee is concerned that contractors within the defense industrial base are an inviting target for our adversaries, who have been conducting cyberattacks to steal critical military technologies.”
Control System Cybersecurity
The Report does address control system cybersecurity research being conducted by DOD. On pages 325-6 the Committee “commends the Department of Defense for its efforts to address the cybersecurity of installation industrial control systems (ICSs).” It goes on to discuss a National Security Agency research program, Integrated Adaptive Cyber Defense (IACD). It notes that “IACD technologies include sensing and automated orchestration and interoperability among cybersecurity tools and systems to defend both operational technology (such as ICSs) and information technology”. There is additional discussion of this technology under the “Software defined networking and network and cybersecurity orchestration” heading on pages 333-4.
Cybersecurity Research
The Report notes (pgs 97-8) that the Committee is recommending funding Defense-wide cybersecurity research (line item # PE 62668D8Z) at $25.1 million, an increase of $10.0 million above the Administration’s request.
Moving Forward
This bill will start to be considered on the floor of the Senate sometime this week (a number of nominations have to be completed first). Amendments have already started to be proposed to this bill; over 200 were submitted on Thursday alone. How many of those (and yet to be submitted) amendments will make it to the floor of the Senate remains to be seen.