The Yomiuri Shimbun The government is planning to require domestic defense-related companies to bolster protection and management of confidential information to prevent leaks of sensitive data and better guard against cyber-attacks from nations such as China.
According to a draft of the plan, the requirements for information management would be made as strict as those set by the United States.
The government plans to rewrite the standards by around November and implement them in fiscal 2021, which would give companies time to make the necessary preparations.
If information such as blueprints for equipment installed on a fighter aircraft was leaked from a domestic manufacturer of defense equipment to another nation, it could lead to a major security crisis for Japan.
The draft of the new requirements is notable in that it spells out in detail the methods for protecting such information and also strengthens the inspection system overseeing these companies. The plan would bring Japan’s standards into line with NIST SP 800-171, the information security controls the U.S. Defense Department applies to contractors.
Specifically, the plan includes requirements for companies to:
■ Designate a “manager” responsible for handling information, and for only this manager to have the key to lockers and other facilities storing documents containing such information.
■ Retain documents, including photos, verifying that any required destruction of classified information has been completed.
■ Change information access privileges within 24 hours of a personnel change.
The plan also stipulates that stored confidential information is to be encrypted, and the introduction of multifactor authentication — the use of several verification methods including passwords — for access to such information.
Current standards obligate companies to cooperate with the Defense Ministry regarding inspections. The new plan would beef up this system by pushing for regular inspections to be conducted at least once a year by outside organizations or other entities.
The new requirements will apply to defense contractors that handle confidential information the ministry has determined “should be protected.”
The plan does not mention any penalties for violating the new standards. But companies that participate in the procurement process must establish an internal basic policy that follows the new requirements. If the steps are deemed insufficient, then they will be excluded from the government list of suppliers.
In 2014, the Law on the Protection of Specially Designated Secrets, which was intended to tighten the management of the nation’s confidential information, came into force. But the information-security standards that defense-related companies are currently obligated to follow were drawn up in 2009.Speech