Even large companies aren’t doing as well as they think they are, the assistant acquisition chief said Monday.
Small companies are struggling to meet the Pentagon’s newish network security rules, and even larger contractors aren’t doing as well as they think they are, a recent department study has found.
“For the most part, the big companies do very well,” Kevin Fahey, assistant defense secretary for acquisition, told reporters at the Pentagon on Monday. “But in no case do they meet everything that they thought they met.”
For one thing, big companies tend to give their smaller subcontractors a lot of data they don’t need, which then becomes vulnerable to foreign hackers.
“The biggest part of our training and the problem is that our adversaries don’t try to come in through the big companies, they come in through the fifth-, sixth-tier,” Fahey said. “If you’re flowing down information they don’t need, then that’s bad. That’s where we’re seeing our biggest problem.”
In 2016, hackers stole sensitive data about the F-35 Joint Strike Fighter from an Australian subcontractor. That and similar cases prompted the Pentagon to issue new rules for handling such information. By Jan. 1, 2018, companies were supposed to have a plan for meeting these new standards.
“The way that it has been working in the past is: you claim you do it, and we never checked,” Fahey said. “You self-certify and if you’re not certified, you say here’s your get-well plan. Now we’re checking.”
“I have not heard of anyone not getting a contract, but the probability [of not getting one] is there,” said Jason Timm, the Aerospace Industries Association’s assistant vice president for national security policy.
Areas in which companies are having trouble meeting the standards include multi-factor authentication and FIPS-validated encryption, Timm said.
And of course, even full compliance doesn’t mean a company’s networks are safe from thieves.
“You have a better sense of your security, but that doesn’t mean you are secure,” Timm said. “You can contractually be compliant, but that doesn’t mean you are secure.”