Pentagon, GSA map out acquisition cybersecurity; tester finds issues remain
WASHINGTON (Reuters) - The U.S. Defense Department and General Services Administration on Wednesday mapped out six broad reforms to improve the cybersecurity of more than $500 billion in goods and services acquired by the U.S. federal government each year.
The guidelines come as the Pentagon's chief weapons tester warned that military missions remained at "moderate to high risk" since local network operators were not always able to defend networks against determined cyberattacks.
A report released by the tester on Wednesday said scans of the networks used by weapons still showed missing software "patches" and vulnerabilities that allowed teams of government "hackers" to penetrate and exploit networks.
In their guidelines, the Pentagon and GSA underscored the importance of beefing up cybersecurity and cited escalating cyber threats from U.S. adversaries, hackers and criminals, as well as unintentional vulnerabilities and counterfeit parts.
"The federal government and its contractors, subcontractors, and suppliers at all tiers of the supply chain are under constant attack, targeted by increasingly sophisticated and well-funded adversaries to steal, compromise, alter or destroy sensitive information," the report said.
In some cases, it said, foreign governments were targeting businesses "deep in the supply chain to gain a foothold and then 'swim upstream' to gain access to sensitive information and intellectual property."
To improve security across the board, the report recommended that government only place orders with companies that meet baseline cybersecurity requirements and said those requirements should be spelled out in the acquisition process.
It also called for increased training; development of common definitions in federal acquisition rules; and a government-wide strategy for dealing with cyber risks.
To guard against counterfeit parts, the government should only buy from original equipment manufacturers, their authorized resellers or other trusted sources, the report said.
Finally, it called for security standards to be baked into acquisition planning from the start and said key decision makers should be held accountable for managing cyber risks.
"The ultimate goal of the recommendations is to strengthen the federal government's cybersecurity by improving management of the people, processes, and technology affected by the federal acquisition system," said GSA Administrator Dan Tangherlini in a statement.
The report coincided with release of the 2014 report by the Pentagon's chief weapons tester, Michael Gilmore, who has long been critical of cybersecurity on major weapons systems.
Gilmore said overall compliance with computer network standards was improving, but 2013 testing showed that local network defenders were unable to protect against cyber attacks. The majority of cybersecurity problems that showed up in operational testing could have been resolved in early phases of development and testing, he wrote.
"Overall compliance with network standards continues to improve in almost every key area reflecting the continuing efforts across the (Department of Defense) to implement cybersecurity policies and procedures," the report said.
But even discovery of one password could lead to rapid exploitation of a weapon systems' networks, he said.
Key infrastructure components, including web servers and printers, remained focus areas for surveillance and possible exploitation by adversaries, it noted.
"Many of these fundamental problems go undiscovered until operational testing is conducted late in the acquisition cycle, or discovered during normal fielded operations," it said.
Gilmore said his office was working with the office of the Pentagon's chief weapons buyer to increase the scope and rigor of integrated testing to catch bugs sooner.
(Reporting by Andrea Shalal-Esa; Editing by Matt Driskill)