DoD efforts to shore up security extends to vendors, partners, and suppliers
As the Department of Defense continues its efforts to improve security provisions and practices for handling its information — especially with respect to sensitive but unclassified data — it is expanding its focus beyond its own networks and Internet connected environments to address security policies and standards for the vendors and other third parties that store or transmit military information. The specific policies and expectations for members of the “Defense Industrial Base,” as such third parties are collectively called, were publicized in Memorandum 52015.13, issued on January 29. The memo spells out specific activities and areas of policy or procedural guidance that the DoD intends to implement, and assigns oversight responsibilities for these activities to specific roles within the DoD management hierarchy. The simple intention appears to be to ensure that potential threats are not able to use the systems or infrastructure of the DoD’s information supply chain to gain access to military information.The release of the memo should put DoD vendors on notice that they may need to create, revise, or expand existing policies and capabilities to meet DoD’s expectations, and also suggests that additional guidance will be provided in terms of recommended policies, controls, or best practices that vendors and partners can put in place.