Following on from its 2018 report on weapon system security and cyber vulnerabilities, the US Government Accountability Office (GAO) has conducted a further assessment to examine the extent to which the DoD has made progress in contracting for cyber security requirements for weapon systems during product development, and the extent to which the DoD and the military services have developed guidance for incorporating weapon system cyber security requirements in contracts.
The assessment focuses on contracting for weapon system cyber security, particularly on how DoD acquisition programs establish and define cyber security requirements and communicate those requirements to contractors. DoD guidance is simple: “if it is not in the contract, do not expect to get it.” If requirements are not articulated by the DoD as part of the procurement process, the contractor is not obliged to include them in the system being provided. Cyber security is a critical component of weapon system security, so it is important that cyber security requirements are articulated as part of the defence contracting process. These requirements are intended to protect complex weapon systems from cyber threats by preventing, detecting, and responding to attacks, and ultimately to protect the front line fighting forces which rely on those systems.
The assessment found that the DoD has made improvements in weapon system cyber security, identifying four areas of progress: greater access to cyber expertise, increased use of cyber assessments, better tailoring of security controls, and additional cyber security guidance. The GAO noted that the slow progress in implementing the Risk Management Framework (RMF) had affected the inclusion of cyber security requirements in contracts.
The DoD still has challenges to overcome to improve weapon system cyber security; in particular, there is limited guidance on how to include cyber security requirements in contracts.
“The acquisition programs we reviewed omitted cybersecurity requirements from contracts or did not clearly define cybersecurity requirements in their contracts. The government is less likely to get what it wants if it omits all or part of its cybersecurity requirements.”