The Defense Department has created a cross-functional task force designed to enhance data security for critical defense technologies.
The task force was created via a memo from Defense Secretary James Mattis, dated Oct. 24, which first came to light earlier this month. The group, officially dubbed the Protecting Critical Technology Task Force, is designed not just to prevent the loss of classified and controlled unclassified information, but also the exfiltration of closely guarded secrets by foreign adversaries.
“This is not a ‘quick-fix’ task force,” Joseph Buccino, a spokesperson for the Pentagon, told Fifth Domain. “The loss of technology and data critical to our national security is a long-term problem.”
Mattis says in the memo that he is committed to protecting the DOD’s critical technology, and that it is estimated that every year American industry loses more than $600 billion to theft and expropriation. “Far worse, the loss of classified and controlled unclassified information is putting the Department's investments at risk and eroding the lethality and survivability of our forces,” the memo states.
“Each year, American businesses lose hundreds of billions of dollars while our military superiority is challenged,” Deputy Secretary of Defense Patrick Shanahan said in a statement, according to Fifth Domain. “Together with our partners in industry, we will use every tool at our disposal to end the loss of intellectual property, technology and data critical to our national security.”
The PCTTF will report to Shanahan and Gen. Paul Selva, the vice chairman of the Joint Chiefs of Staff, and Air Force Maj. Gen. Thomas Murphy will lead the task force until a new director is appointed, MeriTalk reports.
How the DOD Will Move to Protect Critical Technology Information
The task force will be staffed by about 25 dedicated members from the secretaries of the armed forces, the chairman of the Joint Chiefs of Staff and numerous agencies across the Pentagon that include the Defense Intelligence Agency, the Defense Cyber Crime Center and Army Counterintelligence.
“The need for concrete action is critical,” Mattis says in the memo. “To this end, the PCTTF will start with two sprints: 30 and 90 days, to address a number of basic problems. While the sprints are underway, the PCTTF will also address broader systemic issues, and to this end, leverage the previous work done by the Maintaining DoD Technology Advantage Cross Functional Team, which is now dissolved.”
It is unclear what those “basic” data protection problems are.
It’s unclear exactly how the new task force’s work will differ from the cross-functional team it’s replacing. Those teams were mandated by Congress in 2017 to help solve various cross-cutting organizational problems across the Defense Department. According to the Government Accountability Office, they have been slow to meet lawmakers’ original intent.
John Slye, an analyst with Deltek, says in a research note that the task force’s focus on protecting both classified and controlled unclassified information “has implications for companies that do work for federal agencies, which have been taking various steps over the last few years to increase the security of federal information that resides on or passes through contractor systems.”
Most of those efforts affect acquisition rules but also point to technology policy and governance. For example, in 2016, the National Archives and Records Administration released a “Controlled Unclassified Information” final rule that established standardized practices for the handling of CUI in nonfederal computer systems. The rule applies to executive branch agencies as well as nonexecutive branch entities “through incorporation into agreements,” such as contracts, Slye notes.
Additionally, a 2017 update to the Defense Acquisition Regulations System clause 204.73 directed contractors to implement standards outlined in the National Institute of Standards and Technology’s Special Publication 800-171, “Protecting Controlled Unclassified Information (CUI) in Nonfederal Information Systems and Organizations,” by Dec. 31, 2017.
Slye notes that the change was intended to “provide a uniform set of requirements that contractors can implement with their existing systems.” DOD, NARA and NIST held a workshop on the topic in October that “covered security requirements around CUI in a FAR clause that is coming in 2019 that will give agencies a mechanism to extend current NARA CUI rules from just agencies to include contractors,” Slye says.
“This coming FAR clause is more extensive than the current DFARS Clause 252.204-7012 for ‘covered defense information’ (CDI) that stops short of covering parts of CUI included under NARA rules,” he says. “Although the rule changes for CUI are not intended to require additional contractor expense, compliance may require some system enhancements and possibly external support. This could prove burdensome for small businesses.”