Data breaches that have troubled the Department of Defense supply chain have captured the attention of lawmakers on Capitol Hill.
In a wide-ranging confirmation hearing Oct. 29 for DoD CIO Dana Deasy, Sen. Joe Manchin, D-W.V., pressed on how the DoD can shore up the cybersecurity shortfalls of subprime contractors. Manchin said he wants to impose “very, very severe” financial penalties on prime contractors who don’t oversee the cybersecurity of their subprime components.
Manchin asked Deasy if he supports financial penalties, but Deasy said that monetary punishment wasn’t something he’s considered so far. However, the Pentagon’s top IT official did agree that there needed to be an “intervention.”
Prime contractors shouldn’t be allowed to self-assess, Deasy said.
Deasy’s answer wasn’t enough for Manchin, who firmly asserted that top-tier contractors need to be held accountable for the cybersecurity of subprimes included in contracts.
“We’ve got serious problems there,” Manchin said. “Someone’s got to be held accountable for this all the way down the food chain. And that’s where you’re going to have to step in.”
Manchin said he and his colleagues are “talking about” legislation that will hold prime contractors responsible for their subprime contractors “all the way down the line.”
Deasy acknowledged that the DoD did need to make changes in the future. The DoD is taking some new steps to shore up cybersecurity weaknesses of its supply chain. The Office of the Under Secretary of Defense for Acquisition and Sustainment is undertaking a new evaluation framework for its contractors, called the Cybersecurity Maturity Model Certification (CMMC).
That effort is being led by Katie Arrington, special assistant to the assistant secretary of defense for acquisition for cyber within the office of the undersecretary of defense for acquisition and sustainment. The new model is meant to help small businesses, though it has drawn some pushback from industry.
“This would have severe unintended consequences on small businesses that do not have the resources and sophistication to obtain a high CMMC level, producing market entry barriers and limiting competition,” the Professional Services Council said in a Sept. 25 letter to DoD after a draft release of the plan last month.
Manchin said reevaluating the system is “commonsense for the security of our nation.”
Andrew Eversden covers all things defense technology for C4ISRNET. He previously reported on federal IT and cybersecurity for Federal Times and Fifth Domain, and worked as a congressional reporting fellow for the Texas Tribune. He was also a Washington intern for the Durango Herald. Andrew is a graduate of American University.