Found this interesting story on GovInfoSecurity today discussing the appointment of Daniel Prieto as the first director of cybersecurity and technology in DoD’s Office of the Chief Information Officer. Part of his duties will include managing the Defense Industrial Base (DIB) information assurance program.
Good for him, but the thing that caught my eye was in the second half of the article discussing how over the next few years all government contracts could include clauses that force DoD contractors to turn over any cyber threat data they may have. Here’s the relevant snippet:
The voluntary participation with the DIB program will soon end as the Defense Department will require its contractors to share cyberthreat information. Carey says DoD has been working on changing the Defense Federal Acquisition Regulations for the past half-decade to require participation by defense contractors.
“That’s a long process but one that’s ready to pop in the next six months,” Carey says. “So, new contracts written after a certain amount of time will have a clause that says, ‘Oh, by the way, you will do this, not only if you want to,’ which is where we really need to go.”
I haven’t looked into this issue too much yet and it’s really unclear what this transition means. If you’re a top-notch company that spends significant funding monitoring your own network and as a result discovers a lot of great threat intel, will you be forced to turn it over to the government for free? Or what if a company has a very limited capability and can’t really make any meaningful contributions? Do they get fined for not sharing anything useful? And how about sensitive information (e.g., PII) that a company may collect over the course of its monitoring and investigations? Will the government want companies to filter this data out? And what if they miss something? Could the company end up being sued for unknowingly disclosing personal data?
The devil is in the details and it will be interesting to see how things play out over the next few years. Given the stagnation and politicization of bills like CISPA, I don’t see anything happening soon as noted in the article.
Today’s post pic is from DocStoc.com. See ya!