The Department of Defense would be required to establish a threat intelligence sharing program with the defense industrial base under the Senate Armed Services Committee’s version of the annual defense policy bill.
The committee’s version of the fiscal 2021 National Defense Authorization Act, released June 23, also includes several other provisions designed to give the department increased insight into the cyber hygiene of its contractors.
For example, the legislation would direct the Secretary of Defense to establish a threat intelligence program “to share threat intelligence with, and obtain threat intelligence from, the defense industrial base.” This program would be required to include a mechanism for developing shared and real-time insight into the threat environment, as well as “joint, collaborative, and co-located analytics.”
The program would also direct the DoD to invest in technology to advance automated threat detection and analysis capabilities for defense contractors.
The program proposed in the Senate NDAA stems from a similar recommendation made by the Cyberspace Solarium Commission’s final report, a congressionally mandated document that suggested a comprehensive overhaul of U.S. cyber strategy. That group recommended the DoD force contractors to participate in a threat intelligence sharing program.
“The program’s ideal end state is to leverage U.S. government intelligence collection to create a better understanding of adversaries’ intelligence collection requirements,” the report read. “This action would help DoD and the intelligence community anticipate where adversaries will seek to collect against DIB targets, and then communicate that information to DIB network owners and operators so that they can proactively defend against impending adversary activities.”
Under the Senate bill, participation in the program would be based on cybersecurity levels assigned to contractors under the Pentagon’s Cybersecurity Maturity Model Certification initiative, a new program pushing new cybersecurity requirements on contractors. To increase participation in the program, the DoD would also have to “prioritize” available funding and support to help affected organizations participate.
The department would be required to produce a report on the program by March 2022.
The Senate bill also included language that would direct the DoD’s principal cyber adviser to develop a plan to deploy commercial-off-the-shelf sensors to DIB networks to monitor the cybersecurity of their public-facing websites by February 2021. In addition, the bill directs the department to assess the feasibility of threat hunting on DIB networks by December 2021.