"Operationally Critical Contractors" Are Required to "Rapidly" Report All Data Breaches

HIGHLIGHTS:

  • The U.S. secretary of defense must publish new procedures 90 days after the bill is signed.
  • These new procedures will create a separate category for "operationally critical contractors" who support DoD transportation and logistics.
  • These contractors will be required to "rapidly" report cyber incursions to DoD.

Congress passed the Carl Levin and Howard P. "Buck" McKeon National Defense Authorization Act for Fiscal Year 2015 (NDAA or Act) on Dec. 12, 2014. The NDAA for 2015 creates a new cyber breach reporting requirement affecting Department of Defense (DoD) contractors supporting transportation and logistics in connection with contingency operations.

Section 877 of the Act requires the secretary of defense to establish procedures for reporting cyber incidents experienced by "operationally critical contractors" within 90 days of the Act becoming law. The new procedures must contain an explanation of how DoD will identify operationally critical contractors and how it will notify them of their designation. The NDAA for 2015 defines an operationally critical contractor as a "critical source of supply for airlift, sealift, intermodal transportation services, or logistical support that is essential to the mobilization, deployment, or sustainment of the Armed Forces in a contingency operation." This new class of contractors will therefore include companies, such as commercial airlines or rail or motor carriers, that transport DoD personnel, equipment or supplies, including fuel.

Rapid Reporting of Data Breaches Is Required

Once identified by DoD, an operationally critical contractor must "rapidly" report all cyber incidents affecting its networks or systems. The 2015 NDAA does not further define the term "rapidly." The breach report must include all of the following:

  • an assessment of the effect of the cyber incident on the contractor's ability to meet its contractual requirements
  • the techniques or methods used in the cyber incident
  • a sample of any malicious software to the extent identified
  • a summary of the information compromised by the cyber incident

DoD's new procedures must also contain mechanisms for DoD to assist operationally critical contractors, if requested, to detect and mitigate cyber incursions.

The 2015 NDAA cyber provisions balance DoD's need to know about cyber incursions with protection of contractors' proprietary and sensitive information. The provisions require DoD to implement "reasonable" protections for trade secrets, commercial or financial information, and information that can be used to identify a specific person. In addition, the provisions limit dissemination of information contained in the cyber incident reports to:

  • entities with missions that could be affected by the information
  • entities involved in the diagnosis, detection, or mitigation of cyber incidents
  • entities conducting counterintelligence or law enforcement investigations
  • entities engaged in national security operations

Finally, the Act limits DoD's access to contractor equipment or information to that which is necessary to determine whether and what information created by or for DoD was successfully exfiltrated.

DoD Relies on Contractors for Transportation and Logistics Support

A Senate Armed Services Committee (SASC) Report released earlier this year prompted the new provisions. DoD is heavily reliant on contractors for transportation and logistics support. The 2015 NDAA Committee Report cites the U.S. Cyber Command's estimate that more than 80 percent of DoD logistics are transported by private companies and that private airlines provide more than 90 percent of DoD's passenger movements and one-third of its bulk cargo movements. These companies therefore constitute attractive cyber targets for foreign government and other persistent threats. Yet, despite the importance of the private sector to DoD's ability to mobilize, the SASC Report found that the U.S. Transportation Command (TRANSCOM) was not aware of the vast majority of successful intrusions into its contractors' networks. The new provisions described above are therefore directed at addressing the revealing of those threats and improving the way in which DoD receives, assesses, and disseminates information about successful intrusions into the networks of its mobilization and logistics support contractors.

Private Transportation Companies Need to Follow DoD's Progress on the New Procedures

It is not clear from the Act's language whether DoD will choose to issue the new procedures as an interim final rule, or first propose them and allow for comment from industry. In either case, it is clear that private transportation companies such as airlines or rail or motor carriers supporting DoD may soon find themselves subject to cyber breach reporting and response requirements. These companies should monitor DoD's progress on the new procedures, as well as other DoD cybersecurity requirements, in order to be prepared to comply with the new regulations when they are issued. In that connection, DoD published regulations earlier this year which set forth cybersecurity protections for unclassified controlled technical information (UCTI). Among other requirements, those regulations (Defense Federal Acquisition Regulation Supplement 252.204-7012) contained a 72-hour reporting period. The UCTI regulations may provide a preview into what the logistics/transportation cybersecurity controls will contain.

Information contained in this alert is for the general education and knowledge of our readers. It is not designed to be, and should not be used as, the sole source of information when analyzing and resolving a legal problem. Moreover, the laws of each jurisdiction are different and are constantly changing. If you have specific questions regarding a particular fact situation, we urge you to consult competent legal counsel.