On April 9, the Department of Defense (“DOD”) issued a memorandum containing new directives to guide its procurement of new goods and services. The memorandum, the third in the Pentagon’s Better Buying Power initiative (“Better Buying Power 3.0”), includes specific directives aimed at promoting cybersecurity in the DOD’s acquisition process. Better Buying Power 3.0 could enhance both the DOD’s and, indirectly, private industry’s cybersecurity profiles.
The DOD launched its Better Buying Power initiative in 2010 in order to reform its acquisition process, long criticized as unwieldy and inefficient. Better Buying Power 3.0, like its predecessors, includes numerous specific directives for the procurement process. In a departure from previous iterations and from the memorandum’s own prior working draft, however, the April 9 memorandum also mandates changes to the DOD’s organizational responsibilities to monitor cybersecurity throughout the product lifecycle and protect unclassified controlled technical information (“CTI”) in new DOD contracts.
Most directly, the memorandum instructs the Assistant Secretaries of Defense for Acquisition and for Research and Engineering to develop a new enclosure under DOD Instruction 5000.02, which governs the Defense Acquisition System. The new enclosure would “address all aspects of the program manager’s and others’ responsibilities for cybersecurity throughout the product lifecycle.” In comments announcing the new memorandum, Undersecretary of Defense for Acquisitions, Logistics, and Technology, Frank Kendall, cited the example of the F-35 program, which has already seen three generations of new technology in its development phase alone. In 2013, Under Secretary Kendall informed Congress that state-supported hackers had stolen design data from the project. The memorandum sets a July 2015 deadline for delivering a draft of the new enclosure.
Better Buying Power 3.0 also promises to assess the procedures by which DOD procurement officers will include new CTI protections in new contracts. In 2013, the DOD amended the Defense Federal Acquisition Regulation Supplement, which supplements the generally applicable Federal Acquisition Regulations with DOD-specific contracting policies, to require defense contractors to identify risks to CTI under their control. Since then, the National Institute of Standards and Technology (“NIST”) promulgated a framework for gauging and managing cybersecurity risks more generally, and the DOD adopted the same framework. Thus, the new assessment is likely to further promote the NIST framework as the de facto standard for federal cybersecurity controls.