date 2014-01-30

WASHINGTON Jan 29 The U.S. Defense Department and General Services Administration on Wednesday mapped out six broad reforms to improve the cybersecurity of more than $500 billion in goods and services acquired by the U.S. federal government each year.
The guidelines come as the Pentagon's chief weapons tester warned that military missions remained at "moderate to high risk" since local network operators were not always able to defend networks against determined cyberattacks.
A report released by the tester on Wednesday said scans of the networks used by weapons still showed missing software "patches" and vulnerabilities that allowed teams of government "hackers" to penetrate and exploit networks.
In their guidelines, the Pentagon and GSA underscored the importance of beefing up cybersecurity and cited escalating cyber threats from U.S. adversaries, hackers and criminals, as well as unintentional vulnerabilities and counterfeit parts.
"The federal government and its contractors, subcontractors, and suppliers at all tiers of the supply chain are under constant attack, targeted by increasingly sophisticated and well-funded adversaries to steal, compromise, alter or destroy sensitive information," the report said.
In some cases, it said, foreign governments were targeting businesses "deep in the supply chain to gain a foothold and then 'swim upstream' to gain access to sensitive information and intellectual property."
To improve security across the board, the report recommended that government only place orders with companies that meet baseline cybersecurity requirements and said those requirements should be spelled out in the acquisition process.
It also called for increased training; development of common definitions in federal acquisition rules; and a government-wide strategy for dealing with cyber risks.
To guard against counterfeit parts, the government should only buy from original equipment manufacturers, their authorized resellers or other trusted sources, the report said.
Finally, it called for security standards to be baked into acquisition planning from the start and said key decision makers should be held accountable for managing cyber risks.
"The ultimate goal of the recommendations is to strengthen the federal government's cybersecurity by improving management of the people, processes, and technology affected by the federal acquisition system," said GSA Administrator Dan Tangherlini in a statement.
The report coincided with release of the 2014 report by the Pentagon's chief weapons tester, Michael Gilmore, who has long been critical of cybersecurity on major weapons systems.
Gilmore said overall compliance with computer network standards was improving, but 2013 testing showed that local network defenders were unable to protect against cyber attacks.
The majority of cybersecurity problems that showed up in operational testing could have been resolved in early phases of development and testing, he wrote.
"Overall compliance with network standards continues to improve in almost every key area reflecting the continuing efforts across the (Department of Defense) to implement cybersecurity policies and procedures," the report said.
But even discovery of one password could lead to rapid exploitation of a weapon system's networks, he said.
Key infrastructure components, including web servers and printers, remained focus areas for surveillance and possible exploitation by adversaries, it noted.
"Many of these fundamental problems go undiscovered until operational testing is conducted late in the acquisition cycle, or discovered during normal fielded operations," it said.
Gilmore said his office was working with the office of the Pentagon's chief weapons buyer to increase the scope and rigor of integrated testing to catch bugs sooner.