Defense Department Proposes Security as a New Fourth Pillar in Acquisition Decisions


The threat to the U.S. defense sector by foreign actors is well documented, and it just got a shot in the arm in recent Department of Defense Joint Testimony on “Military Technology Transfer: Threats, Impacts, and Solutions for the Department of Defense” before the House Armed Services Committee. The testimony minced no words: “The Department of Defense is facing an unprecedented threat to its technological and industrial base.”

The Department of Defense is now preparing to put its money where its mouth is, creating a fourth pillar in the acquisition framework. The pilot program “Deliver Uncompromised” would place security on par with cost, schedule and performance as a driver for defense acquisitions.

Both Congress and the DoD are urging government contractors to move from a checklist-based approach to security to a holistic view, with special emphasis on ‘crown jewel’ technologies – the kind that pose the most risk if compromised.

In last week’s congressional testimony, DoD leadership highlighted how the defense sector was unprepared for the non-traditional collection efforts used. China is singled out as using every arrow in the technology acquisition quiver to acquire the advanced technologies being developed within the United States. Artificial intelligence, autonomous vehicles, cybersecurity, and unmanned aerial vehicles have all been compromised due to China’s aggressive commercial and traditional espionage efforts.

The recent Department of Justice arrest of a Chinese national for “conspiring to illegally export U.S. origin goods used in anti-submarine warfare” to China’s People’s Liberation Army (PLA) was a timely exclamation point to the warnings shared with Congress that same day.

Earlier in June, it was revealed that China had successfully penetrated a defense contractor and stolen 600+ gigabytes of sensitive data related to the Navy’s Sea Dragon project. Coupled with China’s successful recruitment of three human intelligence (HUMINT) sources in the last year, the United States isn’t being paranoid. The threat is real.

Facility Security Officers (FSOs) are well schooled at administering the National Industrial Security Program Operating Manual (NISPOM) in the protection of the classified data shared between their company and the United States Government. They’re also generally conscientious in preparing annual counterintelligence briefings for cleared staff. These briefings, however, are not adequately focused on the protection of intellectual property, unclassified non-government data, and foreign partnerships/investments of their own or partner companies.

Making Security Policy Relevant to Today’s Threats

Codifying the initiative began with the Defense Security Service in April 2017. DSS began the effort to move to a “more holistic approach to industrial security.” DSS asked companies to expand beyond the NISPOM, including “controlled unclassified information,” technical data (intellectual property), and personally identifiable information (PII). The intent of the adjusted focus is to “ensure contracted capabilities, technologies, and services are delivered uncompromised.” It appears their vision has taken hold.

“Delivered Uncompromised” is proposed as a pilot program within the FY2018 National Defense Appropriations Act, section 1696, which calls for the following actions to take place no later than June 1, 2019.

Selection. —The Secretary shall select not more than 10 acquisition or sustainment programs of the Department of Defense to participate in the pilot program under subsection (a), of which—

(1) not fewer than one program shall be related to nuclear weapons;

(2) not fewer than one program shall be related to nuclear command, control, and communications;

(3) not fewer than one program shall be related to continuity of government;

(4) not fewer than one program shall be related to ballistic missile defense;

(5) not fewer than one program shall be related to other command and control systems; and

(6) not fewer than one program shall be related to space systems.

(c) Report. —Not later than March 1, 2018, the Secretary shall submit to the congressional defense committees a report that includes—

(1) details on how the Secretary will establish the pilot program under subsection (a) to ensure all source information is appropriately, singularly, and exclusively shared for the purpose of ensuring the security or integrity of the supply chain of covered programs;

(2) details of any personnel, funding, or statutory constraints in carrying out the pilot program; and

(3) the identification of any legislative action or administrative action required to provide the Secretary with specific additional authorities required to fully implement the pilot program.

Christopher Burgess (@burgessct) is an author and speaker on the topic of security strategy. Christopher served 30+ years within the Central Intelligence Agency. He lived and worked in South Asia, Southeast Asia, the Middle East, Central Europe, and Latin America. Upon his retirement, the CIA awarded him the Career Distinguished Intelligence Medal, the highest level of career recognition. Christopher co-authored the book “Secrets Stolen, Fortunes Lost: Preventing Intellectual Property Theft and Economic Espionage in the 21st Century” (Syngress, March 2008).
