Three Cybersecurity Elements in the National Defense Industrial Strategy

Published: January 18, 2024


The Pentagon’s fledgling industrial strategy sees cybersecurity as a critical need as well as a cost barrier to overcome.

The Department of Defense (DoD) recently released their first-ever National Defense Industrial Strategy (NDIS), presenting the Pentagon’s plans for engagement, policy development, and investment in the Defense Industrial Base (DIB) over the next three to five years.

In pursuing its four overarching priorities of achieving resilient supply chains, workforce readiness, flexible acquisition and economic deterrence, the DoD views its strategy as the means to “catalyze generational change from the existing defense industrial base to a more robust, resilient, and dynamic modernized defense industrial ecosystem,” according to the media announcement.

In reviewing the NDIS, the following three cybersecurity elements stand out.

Protecting the DIB Against Cyber Attacks

In an effort to mitigate national security risks from cyber-attacks on the DIB, the DoD is going to collaborate with other federal executive branch departments to protect U.S. assets from these cyber-attacks. To that end, the DoD is seeking to educate industry on the threats of cyber-attacks and help organizations prepare to deter, mitigate, and withstand these threats by improving their defenses and lowering their risk profiles. Through its Project Spectrum, the DoD provides industry with various cybersecurity resources, tools and training at no cost to the recipient. The effort was established to bolster the cybersecurity readiness, resiliency, and compliance of DIB companies, especially small- and medium-sized manufacturers and other businesses, as well as the larger federal manufacturing supply chain and the larger U.S. industrial sector.

In addition to providing industrial cybersecurity resources and techniques to DIB companies, the DoD also plans to coordinate with its various interagency partners to support industry in identifying, protecting, detecting, responding, and recovering from cyberattacks.

Mitigating Cybersecurity Costs of DIB Market Entry

As part of the DoD’s plans to diversify and expand its supplier base with a view to achieving resilient supply chains, the department is seeking to lower the barriers to market entry into the defense industrial base by finding ways to “mitigate cybersecurity costs of entry to work in the defense industrial ecosystem” for interested companies. Maintaining effective and appropriate cybersecurity measures costs money and effort, of course, and the associated costs of compliance with DoD’s cybersecurity requirements can dissuade a potential new entrant into the DIB from moving forward.

In addition to cost concerns is the complexity of federal and DoD-specific cybersecurity compliance frameworks. To help navigate this landscape, the DoD plans to improve its communications and outreach to industry through public-private partnerships so that all companies are “aware of not only DIB cybersecurity regulations, policies, and requirements but also available DoD and industry cybersecurity services and support.”

Finally, the DoD plans to reduce cyber-compliance barriers to entry for small and medium-sized businesses by collaborating with DIB partners so that “commercial cybersecurity services and solutions can better address the needs of small businesses.”

The overhead cost of compliance with many federal cyber standards has been a major concern of federal contractors across the industry, especially among small- and mid-size DoD contractors as the department seeks to implement its Cybersecurity Maturity Model Certification (CMMC) program, potentially in FY 2025.

Evolving Industrial Cybersecurity Policies and Support

With the stated goal of achieving a “decrease in cybersecurity incidents targeting DIB members,” the DoD plans to work with industry to enhance and improve the overall industrial cybersecurity landscape, including “current regulations, policies, requirements, programs, services, pilots, communities of interest, public-private partnerships, and interagency efforts” to address current and evolving cyber challenges and threats. DoD says that the specifics contained in the overall effort will be guided by the DoD DIB Cybersecurity Strategy, so stay tuned.

Implications

These cybersecurity and other provisions in the new NDIS continue to put “a little meat on the bones” of one of the lines of effort that DoD laid out in their 2023 DoD Cyber Strategy, to defend U.S. critical infrastructure (including the DIB). While both the NDIS and Cyber Strategy paint broad strokes outlining their objectives, the details and how they will impact the DIB – for good or ill – will continue to trickle out and evolve as DoD advances various proposals. Possibly the most prominent example of this is CMMC, which DoD revised to its current 2.0 version more than two years after it was launched in 2019 and which continues to develop.

This process appears to be part of the evolution underway within the DoD’s wider cybersecurity landscape that sees multiple inward- and outward-focused efforts proceeding in parallel, such as updates to the DoD’s Strategic Cybersecurity Program and other cybersecurity efforts recently mandated under the FY 2024 National Defense Authorization Act (NDAA), as well as in the FY 2023 NDAA and previous editions.

All these activities can be enough to confuse, overwhelm and frustrate the very companies which DoD relies upon for support and solutions. At the very least, it requires contractors to stay attuned to what the department is doing on multiple fronts and to stay engaged, nimble and diligent in their cybersecurity operations and compliance activities.