WASHINGTON — Next year, the Pentagon’s Office of Small Business Programs (OSBP) will launch a pilot project to create a secure, cloud-based enclave for small contractors, who often struggle to meet DoD’s extensive cybersecurity requirements.
“We’re building [a] secure cloud that we’ll offer as a platform and environment for all small business” that work with the Department of Defense, said Derrick Davis, director of industrial cybersecurity for SBP. While still very much a work-in-progress, the plan is to include a virtual desktop, secure communications and other tools for use by smaller firms, Davis told the GovExec Cybersecurity Futures Forum on Wednesday afternoon.
The as-yet unnamed pilot will be run out of OSBP’s Project Spectrum. Created in the defense policy bill for 2019 [PDF], Spectrum provides online resources to educate contractors and a marketplace for government-vetted cybersecurity tools, but it hasn’t built such a comprehensive suite of services before. The plan is to start small, initially recruiting firms that have prior experience working with DoD — “all you in this room know that you need a doctorate degree just to navigate the defense contractor process,” Davis said wryly — but still need cybersecurity help.
One model that SBP is looking at is the Army’s two-year, $26 million pilot project, NCODE, which is also creating a secure cloud to host small businesses.
“That’s a great program that they have, we’ve reviewed it within our office, we’re going to partner with those guys,” Davis told the GovExec conference. “I’m headed to the Pentagon after this to actually speak with the Army CIO, Mr. [Leo] Garciga, about NCODE.”
Driving both initiatives is the realization that while big prime contractors can build extensive in-house cybersecurity teams, small businesses generally lack the resources to hire cyber experts or even buy the latest security software.
“Especially just starting out, your laptop that you use to run your small business, it’s also your [personal] laptop that you use to manage your family’s finances,” Davis said. “You may even help have your kid do their homework on your laptop.”
But even tiny mom-and-pop shops working with the Defense Department can end up handling sensitive information or technology, or providing some obscure but critical component for a high-priority weapons system. So, besides the inevitable spammers and scammers that go after everyday internet users, small firms contracting with the Pentagon might be targeted by so-called “Advanced Persistent Threats,” Davis warned: Nation-states using sophisticated techniques and technologies to suck up vast amounts of defense-related data and look for unlocked backdoors into sensitive networks.
“If we’re going to force companies to get compliant with CMMC [Cybersecurity Maturity Model Certification], we should also, on the flip side, offer assistance, and that’s what we’re trying to do,” Davis said. “But … when we do something, everybody wants it to be perfect. The problem is, as you know, it takes time.”
“Have patience and grace with us,” he told the GovExec audience. “We’re just trying to help.”