A contractor's first line of defense: common sense

The Defense Department has developed and published a draft rule requiring defense contractors to protect unclassified information from cyberattack.

A string of highly sophisticated cyberattacks has raised concern among multiple governments around the world. The greatest cause for concern is that most, if not all, of these attacks were highly customized to target the systems of defense contractors specifically. On the heels of these attacks, the Defense Department is looking to ensure that defense contractors have adequate protective measures in place. In an ongoing effort to limit the substantial impact of cyberattacks on information protection, a draft rule was developed and published in the June 29, 2011, Federal Register.

The rule would require the defense contractor community to address new requirements for protecting unclassified information from cyberattack. The new requirements call for multiple layers of security and ban access to DOD data from public computers (often found in Internet cafés and business centers). In addition, they require defense contractors to implement a number of security recommendations from the National Institute of Standards and Technology when the contractor is working with For-Official-Use-Only records or when the data is considered mission critical.

One new component of the rule that I totally agree with requires defense contractors to report to DOD within 72 hours of the discovery of any cyber incident that involves DOD information on, or transiting through, the contractor's unclassified information systems. It has been my experience that the longer the time that passes after a breach, the greater the overall impact and the more difficult the investigation.

One trade group said that these new requirements "have a significant effect on the contractor community." What? These requirements are basic and represent a common-sense approach to securing the digital assets of an organization. How poor is security in the defense contractor community if the DOD has to mandate these common-sense requirements?