Law360 reported that many experts are concerned that “companies who share cybersecurity incident information with a DOD contractor will be considered a third-party beneficiary of the DOD, with the ability to sue if confidential information is leaked or stolen, but that offers little solace to those who have their information stolen.” The October 20, 2016 report entitled “DOD Cyber Rule May Create As Many Problems As It Solves” included this explanation:
The final “network penetration” rule, unveiled on Thursday and set to go into effect at the end of 2017, tweaks the Defense Federal Acquisition Regulation Supplement to require U.S. Department of Defense contractors to report to the DOD whenever their networks containing “covered defense information” are breached, part of a broader recent push to improve cybersecurity.
The article includes these comments from Michael Scheimer (at Hogan Lovells):
…the final rule clarifies that contracts for “fundamental research” aren’t considered to involve covered defense information, and also clarifies that it does not cover contracts for commercial off-the-shelf, or COTS, items, both of which are improvements over the interim rules,
Given the daily cyber headlines it is critical that DOD be properly protected, and the rule appear to require more adjustments.