As part of the Department of Defense’s Better Buying Power initiative, Undersecretary of Defense for Acquisition, Test, and Logistics Frank Kendall is adding increased cybersecurity requirements for new weapon systems acquisitions.
Kendall pointed to the vulnerability of digital systems vital to defending the nation. In January testimony to Congress, Kendall highlighted the $4.5 billion in cyber-related spending in the 2016 defense budget request. Software problems have been common in high-tech weapon systems such as the F-35. The supply chain is potentially a large area for cybersecurity vulnerabilities to enter military systems. Counterfeit microchips might easily contain unknown vulnerabilities that allow unfriendly actors access to military systems or weapons.
In a 2014 joint Government Accountability Office (GAO) and Department of Defense report, the government acknowledged that many of the impediments to improved cybersecurity in acquisitions are self-inflicted. Acquisition regulations often place conflicting requirements on buyers when balancing cost versus security. As the dependence on digital systems increases, including systems not connected to the Internet, the procurement process needs to consider cybersecurity vulnerabilities in decision-making. Implementation of the recommendations of the 2014 report in the next set of defense acquisition guidelines will be a strong step toward improving the cybersecurity of military weapon and support systems. The recommendations include:
1. Institute baseline cybersecurity requirements as a condition of contract award
2. Include cybersecurity in acquisition officer training
3. Develop common cybersecurity definitions for federal acquisition
4. Include requirements to purchase from original equipment/component manufacturers or authorized resellers (trusted supply chain)
5. Increase government accountability for cyber risk management
It will be interesting to see what the new DoD cyber risk acquisition rules turn out to be.
Pentagon to Focus More on Hack-Proofing Weapons.
Software Testing Problems Continue to Plague F-35 Joint Strike Fighter Program.
Proof that Military Chips from China Are Infected?
Improving Cybersecurity and Resilience Through Acquisition.