On October 4, 2016, the U.S. Department of Defense (“DoD”) finalized its rule implementing the mandatory cyber incident reporting requirements for defense contractors under 10 U.S.C. §§ 391 and 393 (the “Rule”). The Rule applies to DoD contractors and subcontractors that are targets of any cyber incident with a potential adverse impact on information systems and “covered defense information” on those systems.

The Rule leaves unchanged the requirement for reporting cyber incidents to DoD within 72 hours. The Rule, however, expends the requirement to impose a reporting obligation on all subcontractors “that are providing operationally critical support or for which subcontract performance will involve a covered contractor information system.” These subcontractors must report cyber incidents to any higher-tier subcontractor and to the prime contractor. A contractor’s report must contain the assessed impact of the cyber incident, a description of the technique or method used in the incident, a sample of any malicious software involved in the incident and a summary of the compromised information. Defense contractors also must provide the DoD with access to affected information or equipment to enable the DoD to conduct forensic analysis of the impact on DoD information. These requirements apply to all forms of agreements between the DoD and defense companies.

The Rule also modifies eligibility criteria for the voluntary Defense Industrial Base Cybersecurity (“DIB CS”) information sharing program to expand participation in the program. The DIB CS program is designed to facilitate sharing of cyber threat information between DoD and DIB CS participants and improve cybersecurity programs. The program is outside the scope of the mandatory cyber incident reporting requirements.

The Rule will take effect on November 3, 2016.