On October 4, 2016, a final rule was published implementing statutory requirements for Department of Defense (DoD) contractors and subcontractors to report cyber incidents that result in an actual or potential adverse effect on a covered contractor information system or covered defense information residing therein, or on a contractor’s ability to provide operationally critical support.
The final rule responds to public comments on the interim final rule published on October 2, 2015, and updates DoD’s Defense Industrial Base (DIB) Cybersecurity (CS) Activities. The mandatory reporting requirements apply to all forms of agreements between DoD and DIB companies (contracts, grants, cooperative agreements, other transaction agreements, technology investment agreements, and any other type of legal instrument or agreement), and the revisions are part of DoD’s efforts to establish a single reporting mechanism for such cyber incidents on unclassified DoD contractor networks or information systems. Importantly, reporting under this rule does not abrogate the contractor’s responsibility for any other applicable cyber incident reporting requirement to which the contractor may be subject (e.g., FTC requirements, state laws).
The final rule includes new definitions of covered contractor information system and covered defense information. Covered contractor information system means an unclassified information system that is owned or operated by or for a contractor and that processes, stores, or transmits covered defense information. Covered defense information means unclassified controlled technical information or other information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies, and is: (1) marked or otherwise identified in an agreement and provided to the contractor by or on behalf of the DoD in support of the performance of the agreement; or (2) collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the agreement.
A foundational element of the mandatory reporting requirements, as well as the voluntary DIB CS program, is the recognition that the information being shared between the parties includes extremely sensitive information that requires protection. The final rule is meant to permit the sharing of information, including cyber threat information, and thereby provide greater insights into the hostile activity targeting the DIB.
Organizations that do business with the Government must familiarize themselves with this final rule as well as the other regulations governing the information they process, store, or transmit.