The guidelines come as the Pentagon's chief weapons tester warned
that military missions remained at "moderate to high risk" since
local network operators were not always able to defend networks
against determined cyberattacks.
A report released by the tester on Wednesday said scans of the
networks used by weapons still showed missing software "patches" and
vulnerabilities that allowed teams of government "hackers" to
penetrate and exploit networks.
In their guidelines, the Pentagon and GSA underscored the importance
of beefing up cybersecurity and cited escalating cyber threats from
U.S. adversaries, hackers and criminals, as well as unintentional
vulnerabilities and counterfeit parts.
"The federal government and its contractors, subcontractors, and
suppliers at all tiers of the supply chain are under constant
attack, targeted by increasingly sophisticated and well-funded
adversaries to steal, compromise, alter or destroy sensitive
information," the report said.
In some cases, it said, foreign governments were targeting
businesses "deep in the supply chain to gain a foothold and then
'swim upstream' to gain access to sensitive information and
intellectual property."
To improve security across the board, the report recommended that
government only place orders with companies that meet baseline
cybersecurity requirements and said those requirements should be
spelled out in the acquisition process.
It also called for increased training; development of common
definitions in federal acquisition rules; and a government-wide
strategy for dealing with cyber risks.
To guard against counterfeit parts, the government should only buy
from original equipment manufacturers, their authorized resellers or
other trusted sources, the report said.
Finally, it called for security standards to be baked into
acquisition planning from the start and said key decision-makers
should be held accountable for managing cyber risks.
"The ultimate goal of the recommendations is to strengthen the
federal government's cybersecurity by improving management of the
people, processes, and technology affected by the federal
acquisition system," said GSA Administrator Dan Tangherlini in a
statement.
The report coincided with release of the 2014 report by the
Pentagon's chief weapons tester, Michael Gilmore, who has long been
critical of cybersecurity on major weapons systems.
Gilmore said overall compliance with computer network standards was
improving, but 2013 testing showed that local network defenders were
unable to protect against cyber attacks. The majority of
cybersecurity problems that showed up in operational testing could
have been resolved in early phases of development and testing, he
wrote.
"Overall compliance with network standards continues to improve in
almost every key area reflecting the continuing efforts across the
(Department of Defense) to implement cybersecurity policies and
procedures," the report said.
But even the discovery of one password could lead to rapid exploitation
of a weapon system's networks, Gilmore said.
Key infrastructure components, including Web servers and printers,
remained focus areas for surveillance and possible exploitation by
adversaries, the report noted.
"Many of these fundamental problems go undiscovered until
operational testing is conducted late in the acquisition cycle, or
discovered during normal fielded operations," it said.
Gilmore said his office was working with the office of the
Pentagon's chief weapons buyer to increase the scope and rigor of
integrated testing to catch bugs sooner.
(Reporting by Andrea Shalal-Esa; editing by Matt Driskill)
© 2014 Thomson Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed.