On March 26, 2019, the Senate Armed Services Subcommittee on Cybersecurity held a hearing to receive testimony assessing how the Department of Defense’s (“DOD”) cybersecurity policies and regulations have affected the Defense Industrial Base (“DIB”).

To gain a better understanding of the DIB’s cybersecurity concerns, the Subcommittee invited William LaPlante, Senior Vice President and General Manager of MITRE’s National Security Sector; John Luddy, Vice President for National Security Policy at the Aerospace Industries Association; Christopher Peters, Chief Executive Officer of the Lucrum Group; and Michael MacKay, the Chief Technology Officer of Progeny Systems Corporation.

In their opening remarks, the Chairman of the Subcommittee, Senator Mike Rounds (R-SD), and Ranking Member Joe Manchin (D-WV) acknowledged industry concerns about the DOD’s lack of clarity and disparate implementation of cybersecurity regulations, such as guidance relating to DFARS 252.204-7012 (“DFARS Cyber Rule” or “Rule”) and National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171.

Senator Rounds stated that he “expects [DOD] to come up with measured policies to make improvements in [cybersecurity]” and he “hope[s] DOD takes seriously the concerns of the DIB.”  He further noted that DOD “cannot simply apply increasingly stringent cybersecurity requirements on its contractors” and that “doing so without subsidy or assistance is unlikely to particularly improve cybersecurity [for] the DIB” and would likely drive the most innovative small businesses out of the supply chain.  Senator Rounds called for putting a program in place to ensure the best possible protections for contractors regardless of size and referred to the “Achilles heel” of this issue as the desire to use a large number of small contractors while still needing to protect sensitive government information.  Later in the hearing, Senator Manchin expressed great concern over the cyber incidents experienced by DOD contractors and urged the witnesses to “tell [the Subcommittee] what you need . . . [the Subcommittee] is here to fix it and you’re here to tell us what’s broken.”

Summarized below are key points discussed during the hearing:

  • Clear, Scalable, and Consistent Cybersecurity Policy:  Witnesses representing the DIB agreed that the future of the defense industry is dependent on robust cybersecurity and, to that end, expressed the need for DOD to clarify critical aspects of existing policy.  For instance, the identification and definition of Controlled Unclassified Information and its subset, Covered Defense Information (“CDI”), was highlighted as an area of concern.  DIB witnesses testified that the current definition of CDI in the DFARS Cyber Rule has become very broad.  They suggested that DOD collaborate with the DIB to identify critical information so contractors are not protecting mundane data, but focusing on securing truly sensitive information.  John Luddy noted that “with limited resources, if [contractors] try to protect everything that is currently considered CDI, we may under-protect the really important things.”
  • Unified DOD Approach:  All of the witnesses emphasized the need for DOD to take a unified approach to cybersecurity that helps to minimize the burden on industry.  The industry witnesses were clear that, together with large prime contractors, DOD can help support the middle and lower-tier suppliers to be cyber secure, but clear guidance and programs must first be in place.  Currently, DOD has taken an “ad hoc, service-by-service” approach as it works towards developing actionable regulations, which has resulted in segmented and overlapping contractor infrastructure and increased costs.  The DIB witnesses commended recent memoranda issued by Ellen Lord, the Under Secretary of Defense for Acquisition and Sustainment, that clarified requirements for contracts overseen by the Defense Contract Management Agency, but they also noted that the memoranda “raised issues that need to be collaboratively assessed.”  The witnesses made plain the need for more opportunities to contribute to future standards and guidance by DOD.
  • Measuring and Certifying Cybersecurity Compliance:  The DIB witnesses highlighted the numerous NIST SP 800-171 controls and the need to develop an approach using “real, objective metrics” that helps industry measure their cybersecurity performance against those controls.  Defense contractors have been frustrated with the lack of clear metrics for compliance, which has resulted in the perception of DOD’s uneven enforcement of standards.  The witnesses urged DOD to adopt a standard interpretation of NIST SP 800-171 as a useful baseline and starting point.  They would prefer that DOD “set the bar high and set it once to hold all [companies] accountable, not only to spare companies from the cost, but also the need to adjudicate between different and potentially conflicting direction.”
  • Information Sharing:  The witnesses also drew attention to the need for greater information sharing.  One idea raised by the DIB witnesses included the formation of a centralized DOD threat sharing initiative that distributes relevant and timely data to the DIB to bolster cybersecurity efforts.  The representatives acknowledged the tension between information sharing that is aimed at identifying and addressing threats and information that is competitive or business sensitive.  But, there was a consensus that progress on information sharing has been made within the DIB and that further improvements would be welcome.

Throughout the hearing, members of the Subcommittee and representatives from the DIB seemed to agree that greater collaboration with DOD on contractor cybersecurity issues and supply chain issues would be necessary to address systemic concerns.  While there was a broad focus on DFARS requirements and NIST SP 800-171, a number of related issues were raised with the goal of helping businesses prioritize investments and meet DOD’s cybersecurity standards.  As the cybersecurity efforts by DOD and the DIB continue, there was consensus during the hearing for a considered approach to partitioning cybersecurity responsibility among DOD, prime contractors, and their subcontractors so that no single entity shoulders the entire burden.

This post also appears on Covington’s Inside Privacy and Inside Government Contracts blogs.

Susan B. Cassidy

Susan is co-chair of the firm’s Aerospace and Defense Industry Group and is a partner in the firm’s Government Contracts and Cybersecurity Practice Groups. She previously served as in-house counsel for two major defense contractors and advises a broad range of government contractors on compliance with FAR and DFARS requirements, with a special expertise in supply chain, cybersecurity and FedRAMP requirements. She has an active investigations practice and advises contractors when faced with cyber incidents involving government information, as well as representing contractors facing allegations of cyber fraud under the False Claims Act. Susan relies on her expertise and experience with the Defense Department and the Intelligence Community to help her clients navigate the complex regulatory intersection of cybersecurity, national security, and government contracts. She is Chambers rated in both Government Contracts and Government Contracts Cybersecurity. In 2023, Chambers USA quoted sources stating that “Susan’s in-house experience coupled with her deep understanding of the regulatory requirements is the perfect balance to navigate legal and commercial matters.”

Her clients range from new entrants into the federal procurement market to well-established defense contractors, and she provides compliance advice across a broad spectrum of procurement issues. Susan consistently remains at the forefront of legislative and regulatory changes in the procurement area, and in 2018, the National Law Review selected her as a “Go-to Thought Leader” on the topic of Cybersecurity for Government Contractors.

In her work with global, national, and start-up contractors, Susan advises companies on all aspects of government supply chain issues including:

  • Government cybersecurity requirements, including the Cybersecurity Maturity Model Certification (CMMC), DFARS 7012, and NIST SP 800-171 requirements,
  • Evolving sourcing issues such as Section 889, counterfeit part requirements, Section 5949 and limitations on sourcing from China,
  • Federal Acquisition Security Council (FASC) regulations and product exclusions,
  • Controlled unclassified information (CUI) obligations, and
  • M&A government cybersecurity due diligence.

Susan has an active internal investigations practice that assists clients when allegations of non-compliance arise with procurement requirements, such as in the following areas:

  • Procurement fraud and FAR mandatory disclosure requirements,
  • Cyber incidents and data spills involving sensitive government information,
  • Allegations of violations of national security requirements, and
  • Compliance with MIL-SPEC requirements, the Qualified Products List, and other sourcing obligations.

In addition to her counseling and investigatory practice, Susan has considerable litigation experience and has represented clients in bid protests, prime-subcontractor disputes, Administrative Procedure Act cases, and product liability litigation before federal courts, state courts, and administrative agencies.

Susan is a former Co-Chair of the Public Contract Law Procurement Division, and a former Co-Chair and current Vice-Chair of the ABA PCL Cybersecurity, Privacy and Emerging Technology Committee.

Prior to joining Covington, Susan served as in-house senior counsel at Northrop Grumman Corporation and Motorola Incorporated.