In September 2018, the Department of Defense published an update to its 2015 Cyber Security Strategy. The changes made in the previous strategy focuses on the cyber threats that exist from other countries. The update echoes the White House’s National Cyber Security Strategy, which was also release in Septemebr. In the 2018 Department of Defense Cyber Security Strategy, it’s stated that “China is eroding U.S. military overmatch and the Nation’s economic vitality by persistently exfiltrating sensitive information from U.S. public and private sector institutions.” This statement sets the tone for the rest of the publication, which addresses cyber threats the way that the DoD handles other types of threats to the nation.
Summary of the 2018 Cyber Security Strategy
“The Department will work with its interagency and private sector partners to reduce the risk that malicious cyber activity targeting U.S. critical infrastructure could have catastrophic or cascading consequences.”
This goal of the 2018 Cyber Security Strategy emphasizes greater collaboration and transparency to create a landscape with better overall cyber security. It also reflects an environment where public and private sector organizations work with dozens or even hundreds of service providers and other third-parties. Information sharing is an important measure to rapidly respond to emerging cyber threats, limiting the damage that’s possible from a zero-day exploit or large-scale attacks targeting critical infrastructure.
A vulnerability in a partnering business can have the same devastating impact as a security hole in the contractor or federal agency. One of the biggest priorities is defending systems and data connected to the DoD, whether that’s at other government agencies or with DoD contractors. Cooperation between these parties also supports another goal of the 2018 Cyber Security Strategy – improving integration of systems to better assist with military operations and related plans.
The Objectives of the 2018 Cyber Security Strategy
There are five distinct objectives outlined in this publication. Each of these topic areas plays a different role in supporting the overall goals of the DoD.
- “Ensuring the Joint Force can achieve its missions in a contested cyberspace environment.” Cyber attacks can hinder military operations, from slowing down development to actively interfering with communications.
- “Strengthening the Joint Force by conducting cyberspace operations that enhance U.S. military advantages.” Cyber warfare can make a significant difference in operations and provide new ways to handle conflict. Countering ongoing cyber attacks can disrupt foreign actors and make it more difficult to steal information that’s vital to the security of the United States.
- “Defending U.S. critical infrastructure from malicious cyber activity that alone, or as part of a campaign, could cause a significant cyber incident.” Cybercriminals can disrupt information systems that are critical in many areas. Without protection, these attacks can lead to many negative consequences. This strategy embraces a concept called “Defending Forward,” which is a proactive approach to cyber security that seeks to stop attacks before they have the opportunity to cause damage to information systems.
- “Securing DoD information and systems against malicious cyber activity, including DoD information on non-DoD-owned networks.” DoD data is of great interest to many state actors, as well as private hackers. This valuable information must be protected to avoid unauthorized access.
- “Expanding DoD cyber cooperation with interagency, industry, and international partners.” Improved transparency, information sharing and integration can help agencies harden their defenses against attackers.
How Objectives 4 and 5 Relate to Private DoD Contractors
The two objectives of greatest relevance to private DoD contractors are four and five. They reflect the following statement in the 2018 Cyber Security Strategy publication: “We will hold DoD personnel and our private sector partners accountable for their cybersecurity practices and choices.”
The good news is that DoD contractors already complying with the Defense Federal Acquisition Regulation Supplement in publication NIST 800-171 have these objectives covered. DFARS regulations cover everything related to Controlled Unclassified Information and keeping it protected through cybersecurity measures, procedures and policies.
Objective number five may require some changes, depending on the DoD contractor’s current information systems and the policies that they have in place. Complying with these regulations helps all parties in the DoD ecosystem as attack methods continue to grow in complexity and frequency over time.
Working With an Experienced Compliance Partner
DoD contractors that have insufficient cybersecurity measures in place will find themselves failing to secure new contracts or being able to properly protect sensitive data that resides on their information systems.
As new cyber security strategies get published to address the latest changes in the IT landscape, contractors need an experienced partner on hand to provide the necessary resources to stay up to date. They may have all of their in-house IT staff dedicated to fulfilling the contracts that they have with the DoD and other federal agencies. If they pulled those staff members off of those jobs, it could impact the ability to secure more work in the future.
An IT support company fills in the gaps and brings subject matter knowledge of all relevant regulations, including the latest cyber security strategies. DoD contractors can keep their information systems and data complying with the latest updates to avoid fines and penalties. They also provide a better experience overall for the agencies that they end up working with.
If you’re a DoD Contractos and need help complying with the Department of Defense, see our DFARS/NIST SP 800-171 Compliance Solution. If you would like more information about your options for DFARS Compliance in accordance with NIST SP 800-171, see our Compliance Guide.