New DOD Task Force Formed to Protect Critical Technology

Published: November 07, 2018

Cybersecurity

A new Department of Defense task force aims to protect critical DOD technologies and information from theft and other losses.

U.S. Secretary of Defense James Mattis has created the Protecting Critical Technology Task Force (PCTTF) to determine ways the DOD can protect its critical technologies and sensitive information from theft and other threats that negatively impact the mission.

Cross-Functional Organization

The new cross-functional task force will report to the Deputy Secretary of Defense and the Vice Chairman of the Joint Chiefs of Staff, currently Patrick Shanahan and Gen. Joseph Dunford respectively. U.S. Air Force Major General Thomas Murphy will serve as the PCTTF Director until the DEPSECDEF can select a permanent Director and Deputy Director.

The PCTTF will draw staff from a wide cross-section of Department of Defense organizations, including staff from the heads of each of the military departments, the Marine Corps and the Joint Staff, as well as staff from the CIO’s office, multiple intelligence offices, and the areas of research and engineering, acquisition, and cost and program evaluation. (See the memo for a complete list.) The DEPSECDEF will assign resources to the task force and the DOD enterprise will share all necessary data, regardless of classification.

Basic and Systemic Issues

The PCTTF will start working with two sprints – 30 and 90 days – to address several “basic problems” while simultaneously addressing “broader systemic issues . . . leverag[ing] previous work done by the Maintaining DOD Technology Advantage Cross Functional Team, which is now dissolved.”

Protecting Information and the Mission

In the memorandum issued in late October, Mattis said, “Working with our partners in the defense industry and research enterprise, we must ensure the integrity of our classified information, controlled unclassified information and key data. … Far worse, the loss of classified and controlled unclassified information is putting the Department's investments at risk and eroding the lethality and survivability of our forces.”

Implications

The focus on protecting both classified and controlled unclassified information (CUI) has implications for companies that do work for federal agencies, which have been taking various steps over the last few years to increase the security of federal information that resides on or passes through contractor systems. Most of the efforts affect acquisition rules but also point to technology policy and governance.

Back in 2016, the National Archives and Records Administration (NARA) released a “Controlled Unclassified Information” final rule that established standardized practices for the handling of CUI in non-federal computer systems. The rule applies to executive branch agencies as well as non-executive branch entities “through incorporation into agreements,” such as contracts.

A 2017 update to the Defense Acquisition Regulations System (DFARS) Clause 204.73 directed contractors to implement standards outlined in National Institute of Standards and Technology (NIST) Special Publication 800-171, “Protecting Controlled Unclassified Information (CUI) in Nonfederal Information Systems and Organizations” by December 31, 2017. The intent was to provide a uniform set of requirements that contractors can implement with their existing systems.

In an effort to help both agencies and industry adapt to the changing rules, NIST, DOD and NARA hosted a “Controlled Unclassified Information Security Requirements” Workshop earlier in October that covered the DFARS Safeguarding Covered Defense Information and Cyber Incident Reporting Clause, and NIST Special Publications 800-171 and 800-171A. The workshop covered CUI security requirements in a FAR clause, coming in 2019, that will give agencies a mechanism to extend current NARA CUI rules from just agencies to include contractors. This coming FAR clause is more extensive than the current DFARS Clause 252.204-7012 for “covered defense information” (CDI), which stops short of covering parts of CUI included under NARA rules.

Although the rule changes for CUI are not intended to require additional contractor expense, compliance may require some system enhancements and possibly external support. This could prove burdensome for small businesses. Further, the requirements around CUI are evolving beyond a compliance measure to become a requirement for doing work for federal agencies. CUI compliance will be a requirement, a competitive advantage and a barrier to entry.