The government will establish new “information security standards” that will require defense-related companies to prevent the leakage of confidential information. The Yomiuri Shimbun has seen a draft of the standards. Bearing in mind cyberattacks from China and other countries, the administration will raise information management measures to a level as stringent as that of the United States. The government intends to revise the existing standards as early as November and aims to introduce the new standards in fiscal 2021 after a preparation period.
If a blueprint of equipment installed on a fighter is leaked from a defense industry company to another country, it could pose a serious security threat. The new information security standards will set out information management measures in detail and strengthen the audit system as well.
The government will bring the new standards in line with the information security standards called “NIST SP800-171” that the U.S. Defense Department requires defense contractors to follow.
Specifically, the government will (1) designate an “official in charge” of information management, who will be the only person to have keys to file cabinets; (2) require a certificate of disposal when disposing of confidential information; and (3) change information access authority within 24 hours after a personnel transfer. Under the new standards, confidential information will be encrypted when it is stored. The government will also introduce “multi-factor authentication” for access to confidential information, requiring a combination of multiple authentications including a password.
The current standards require the Defense Ministry to cooperate in conducting audits of defense contractors. The new standards will additionally require an external organization to conduct an inspection on a regular basis, at least once a year.
Companies subject to the new standards are defense-related corporations handling confidential information that the Defense Ministry believes “should be preserved.” The new standards will not include penalties, but companies participating in procurement are required to establish a basic internal policy in line with the new standards. If the government judges a company’s policy to be insufficient, the company will be excluded from the procurement list.
In 2014, the Act on the Protection of Specially Designated Secrets came into force, aimed at tightening the government’s information management. “Information security standards” were created in 2009, requiring defense-related companies to comply with them.