DoD slow to implement new rules on cybersecurity breaches
June 1, 2015
It's now been almost two years since the Defense Department issued a final rule requiring contractors to inform the government when their systems have been involved in cybersecurity breaches and government technical data has been stolen. But as can sometimes happen in a vast bureaucracy, the rule has been slow to take hold.
That's according to some new metrics the Office of the Secretary of Defense released last week that don't even try to measure whether contractors are reporting security breaches. Instead, they merely ask whether the military services and agencies have updated their contract language to require companies to abide by the new rule. After two years of preparation, almost a quarter of the contracts that should include the new language still don't.
DoD's office of Defense Procurement and Acquisition Policy first started compiling the compliance data and publicly reporting it earlier this year. The second quarterly scorecard DoD published last week gives the first indication of progress, or lack thereof. The Navy wins the award for most improvement: it included the new clause in 87 percent of its relevant contracts in the second quarter of 2015, compared to 46 percent in the quarter before. The Army and Air Force came in at 41 percent and 42 percent, respectively. Other Defense agencies, which encompass organizations like the Missile Defense Agency and the Defense Information Systems Agency, also improved, bringing their collective score from 26 percent to 63 percent since the public scorecard reporting began.