Cybersecurity Could Make or Break Defense Contractors’ Chances of Future Awards

Michael Joseph Montalbano

Cost, schedule, and performance, the three pillars of defense procurement, may soon be accompanied by a fourth pillar: cybersecurity. As the nature of warfare evolves away from pure kinetic capabilities to the asymmetric, cyber realm, the Department of Defense (“DoD”) has had to grapple with the reality that its defense contractors are prime targets for infiltration. Indeed, in the February 2018 Worldwide Threat Assessment, Director of National Intelligence Daniel Coats specifically identifies defense contractors and IT communications firms as the primary focal points of China—one of the United States’ primary cyber adversaries. As a result of this new reality, DoD has begun the process of revamping the defense procurement system to place greater emphasis on cybersecurity. In response to these moves by DoD, contractors should take a fresh look at their current operations to identify their own cyber vulnerabilities as well as the vulnerabilities of their subcontractors, suppliers, and other partners. Without adequate preparation, contractors risk finding themselves at a significant disadvantage during future contract bids.

Last month, the defense industry finally got a glimpse into possible changes DoD is considering to the defense procurement system. A new report titled Deliver Uncompromised outlines the steps DoD should take to identify, detect, mitigate, and protect the military’s supply chain against cyberattacks. One of the chief recommendations of the report is to elevate cybersecurity to an evaluation factor on par with cost, schedule, and performance. Such a move would help shift cybersecurity from its current status as a cost center to a profit center as contract awards would be based, in part, on a bidder’s ability to demonstrate that it can both complete the underlying mission, and protect mission sensitive information from cyberattacks. Such a change would likely reduce total costs for the Government in the long term because the upfront investment of taking proactive measures to prevent cyberattacks is dwarfed by the costs of taking reactive measures, let alone the cost of a mission failure should a cyberattack succeed.

Although DoD has not determined how it will evaluate cybersecurity should it adopt the report’s recommendations, one possible avenue is through the use of a Security Integrity Score (“SIS”), which would act like a “Moody’s” rating but for cybersecurity. The report recommends that DoD and the industry partner create an independent, not-for-profit organization, which would evaluate bidders on an equal and unified basis and issue an SIS to each bidder based on the bidder’s track record and ability to protect mission sensitive information from cyberattacks. The SIS would be introduced gradually into the procurement process—first for major defense acquisition programs, and then later to the rest of DoD’s procurements. This will provide time for DoD, defense contractors, and the independent rating agency to assess the criteria underlying the SIS, and adjust them to make the SIS more predictive of actual success in the cybersecurity realm.

It is important to note that although DoD has not officially accepted the recommendations of the Delivered Uncompromised report, contractors should not wait until official changes are made to the procurement system. Although DFARS 252.204-7012 requires all of DoD’s contractors to have “adequate security” to protect sensitive information, DoD is clearly contemplating a more rigorous cybersecurity process for future procurements. Contractors can, and should, take steps to prepare for these changes such as:

  1. audit their software supply chain to identify potential security vulnerabilities;
  2. implement minimally persistent information sharing systems to reduce the number of opportunities where sensitive information could be acquired by unauthorized parties;
  3. coordinate with subcontractors and teaming partners to ensure any vulnerabilities in their cybersecurity systems do not become their own;
  4. make sure their current security protocols meet the National Institute of Standards and Technology cybersecurity framework; and
  5. identify redundancies that can be built into their systems so the contractors can complete the mission even if a cyberattack is initially successful.

For proactive contractors, such changes can represent significant opportunities to expand their offerings to the Government as well as their business. For reactive contractors, they might just find their business prospects compromised.