The Pentagon has delayed for almost two years a requirement that as many as 10,000 companies show that they have systems to protect sensitive but unclassified information from cyberattacks before signing new defense contracts.
"We got feedback from industry that they did not think they could fully comply Day One" with the demand that contractors document a fully operating access-authentication system down to the subcontractor level, Claire Grady, director of defense procurement and acquisition policy, said in an interview. "We want people headed in the right direction," but "we probably overestimated what the state of the industry was."
Congress mandated new cybersecurity rules as part of the Pentagon's budget authorization in 2013 after repeated warnings from officials about hacking threats and successful incursions at companies including Lockheed Martin Corp., the biggest U.S. defense contractor.
An interim version of the rule, in effect since August, requires defense companies that get new contracts to report penetrations of their networks within 72 hours of discovery if those systems hold critical defense information. They also must report intrusions if the hacking degrades the contractor's capability to provide critical support to the military or has the potential to do so.
"The goal is to get people to report as quickly as possible" without fear of penalty, Grady said.
While that provision remains in effect, the requirement for contractors to document that they and their suppliers have systems to protect sensitive information was delayed until Dec. 31, 2017.
Hundreds of companies have indicated they are already in full compliance with guidance from the National Institute of Standards and Technology on safeguarding unclassified but controlled information, said Grady, who called it "basic cyber hygiene."
"But not everyone is at the same place, so we want to make sure we were moving people toward where they need to be and not creating impediments," Grady said.
Chinese-backed hackers have infiltrated the computer networks of airline, shipping and information technology companies responsible for transporting personnel and weapons for the U.S. military, according to a 2014 Senate Armed Services Committee review.
The Pentagon also said foreign hackers stole 24,000 U.S. military files from a defense contractor it hasn't identified in a single incident in March 2011. In May 2011, Lockheed Martin suffered what it called a "tenacious" attack on its computer networks, though the company said no employee, program or customer data was lost.
Against this backdrop, the Pentagon in August put into effect the interim rule on rapidly reporting network penetrations, citing "the urgent need to protect covered defense information and gain awareness of the full scope of cyber incidents being committed against defense contractors."
One of the challenges that led to extending other provisions of the regulation is meeting the standards institute's rule requiring multifactor authentication for network access, Grady's spokesman, Air Force Maj. Eric Badger, said in an email.
Two-factor authentication, for example, means requiring two steps to log onto a computer or email account. It typically involves entering a password and then typing in a one-time code sent to the user's phone, or entering both a password and a fingerprint.
Prime contractors said they needed additional time to work with subcontractors in their supply chain to ensure that they can meet all the requirements, Grady said.
The U.S. Chamber of Commerce, the nation's largest business lobbying organization, said the new rule has 109 security requirements, dozens of which would be "unrealistic and costly" for companies to implement quickly. The group pleaded for relief in a Nov. 20 letter to the Pentagon.
"Companies cannot simply flip a switch and automatically adhere to the new controls, as the interim rule apparently presumes," Ann Beauchesne, a senior vice president for the organization, said in the letter. "The expense of complying with multiple new rules will be difficult for large firms and especially for small and midsize businesses."
Companies shouldn't use the additional time as an excuse to avoid better securing their networks and devices, said Anup Ghosh, founder and chief executive officer of cybersecurity company Invincea Inc.
"Everyone wants more time, and when the next deadline comes out they'll say the same thing again," Ghosh said in an interview. "You can talk to a lot of small businesses that will tell you they can't meet these deadlines. We need to address this because this is a real national security threat."
There's "absolutely no reason" for companies to put off using multifactor authentication for email, Ghosh said. However, he said it's impractical, if not impossible, for companies to verify the security of their entire supply chains.
While Grady said the new regulation has no specified penalties for a failure to report network intrusions or to do so in a timely manner, Ghosh said he's concerned companies might be punished for reporting breaches by the Pentagon refusing to award them future contracts.
A better approach would be for the Pentagon to require companies to have software on their networks that reports attacks and other suspicious activity to Defense Department officials, which can than be analyzed, Ghosh said.