Assessing the 2024 Defense Industrial Base Cybersecurity Strategy

5/17/2024
Policy Points


Over the last several months, companies within the defense industrial base have been met with a plethora of cybersecurity proposals and regulations from varying agencies across the government. This includes the Defense Department’s certification and attestation requirements under the Cybersecurity Maturity Model Certification 2.0 rule, the National Institute of Standards and Technology’s third revision of the NIST SP 800-171 cybersecurity standards and the Cybersecurity and Infrastructure Security Agency’s cyber incident reporting requirements under the “Cyber Incident Reporting for Critical Infrastructure Act,” among many others.

With so much focus by the federal government on cybersecurity regulations, it can be easy to lose sight of the forest for the trees. It has been a challenge for industry to analyze hundreds of pages of rulemaking proposals with overlapping deadlines and provide thoughtful, well-intentioned feedback. Industry has also felt that many of the agencies view their piece of the puzzle in a silo, and it is not always clear whether these efforts are coordinated through the interagency. With many of these regulatory proposals, there has also been little industry engagement outside the standardized rule commenting process, which begins only after a proposed rule has already been developed, written and released.

To help define the cybersecurity “forest” and plot its growth over the next several years, the Defense Department recently released the 2024 Defense Industrial Base Cybersecurity Strategy. The strategy nests under the 2022 National Defense Strategy, the 2023 National Cybersecurity Strategy and the 2023 DoD Cyber Strategy and aligns with the 2023 DoD National Defense Industrial Strategy and the National Institute of Standards and Technology Cybersecurity Framework. This strategy “serves as the department’s strategic plan to enhance the cybersecurity and cyber resiliency of the [defense industrial base] through an overarching vision and mission covering Fiscal Year 2024 through FY 2027.”

Through the Defense Industrial Base Cybersecurity Strategy, the department outlines four primary goals, the first of which is strengthening the department’s governance structure for defense industrial base cybersecurity. A focused objective within this goal is to increase visibility and strengthen the regulations governing subcontractors, which the department notes is a challenge. Although the department calls this a “shared responsibility,” it will be important not to simply place the full burden on prime contractors to prove subcontractor compliance.

A very welcome focus of the first goal is to strengthen internal and interagency collaboration on cross-cutting cybersecurity issues. When federal agencies fail to work together on cybersecurity regulations, it often leaves industry with overlapping and sometimes conflicting requirements. Sometimes this needlessly funnels valuable and finite resources into paperwork, not strengthening cybersecurity protections.

Second, the department is working to enhance the cybersecurity posture of the defense industrial base by evaluating the effectiveness of current programs, improving information sharing, identifying vulnerabilities and utilizing department capabilities to recover from malicious cyber activity. The department has also identified the need to evaluate the effectiveness of cybersecurity regulations, policies and requirements, which will include targeted programs, pilots and services to identify and iterate improvements.

When evaluating Defense Department cybersecurity programs, it will also be useful for the department to include the evaluation of external cybersecurity programs that impact the industrial base from other federal agencies. Having the full view of the ecosystem will better enable the department to identify potential gaps and areas that could be streamlined when there is overlap with other requirements.

The third goal, in line with a significant pillar of the 2023 National Defense Industrial Strategy, is to prioritize the cyber resiliency of critical industrial base production capabilities and critical suppliers and facilities. The department will rely on the segmentation of industry to focus limited resources where they have the most significant impact, and collaboration with industry will be integral to identifying the areas of greatest need.

As such, this strategy will rely on the collaboration of the Defense Industrial Base Government Coordinating Council and its counterpart, the industry-led Defense Industrial Base Sector Coordinating Council, which work to share threat information, assess and mitigate vulnerabilities and monitor the security and resiliency of the industrial base.

The fourth and final goal of the strategy is to improve cybersecurity collaboration with the industrial base, which will include pilot programs in cybersecurity, wargaming, routine engagement with industry working groups, cybersecurity training pathways and cross-cutting education and awareness campaigns provided by multiple federal agencies. The industrial base is a very diverse ecosystem and includes startups, small and medium-sized businesses, nontraditionals and traditional primes, among others.

Engaging with industry through such a wide-ranging toolset will enable the department to recognize the differing capabilities and needs of each type of industrial base company.

Overall, the 2024 Defense Industrial Base Cybersecurity Strategy has many positive aspects, including evaluating the effectiveness of current cybersecurity programs and increasing collaboration across the interagency and with industry. However, as with the 2023 National Defense Industrial Strategy, the success of the Defense Industrial Base Cybersecurity Strategy will depend upon its actual implementation.

At the end of the day, working as true strategic partners will better enable both industry and the department to meet the shared goal and responsibility of protecting our nation’s sensitive defense information in support of our warfighters.

Michael Seeds is NDIA’s senior director for Strategy and Policy.
