On Monday, 7 July 2014, the president signed into law the Intelligence Authorization Act for Fiscal Year (FY) 2014 (Pub. L. 113-126), which requires cleared intelligence contractors to promptly report penetrations of their networks and information systems and to give government investigators access to those systems. This new statutory cybersecurity reporting requirement for cleared intelligence contractors is largely consistent with the requirement that already applies to cleared U.S. Department of Defense (DoD) contractors under the National Defense Authorization Act (NDAA) for FY 2013.
On 24 June, the House passed the Senate version of the intelligence authorization bill (S. 1681), which is the text that was ultimately sent to the president for signature. Sec. 325 of S. 1681 requires the Director of National Intelligence (DNI) to establish procedures for contractor reporting of penetrations and for government access to conduct forensic analyses of the affected systems. Each contractor report must include a description of the technique or method used in the penetration, a sample of the malicious software involved, and a summary of the information that has been potentially compromised. Sec. 325(c)(1).
The text of Sec. 325 of S. 1681 is largely similar to Sec. 941 of the NDAA for FY 2013 (Pub. L. 112-239), which requires cleared defense contractors to report penetrations of networks and information systems and allow DoD personnel access to contractor equipment and information to conduct a forensic analysis of the reported penetrations. See Hogan Lovells’ previous review of Sec. 941.
There are key differences, however, between Sec. 325 and Sec. 941:
- Sec. 941(c)(2)(C) provides for the “reasonable protection of trade secrets, commercial or financial information, and information that can be used to identify a specific person.” Sec. 325(c)(2)(C) uses the same language but narrows it slightly by adding the phrase “other than the name of the suspected perpetrator of the penetration” at the end, so that protection does not extend to the identity of a suspected attacker.
- Sec. 941(c)(3) limits dissemination of contractor-provided information to within DoD unless the contractor approves broader dissemination. In contrast, Sec. 325(c)(3)(B)-(C) permits dissemination outside the intelligence community without contractor approval in two instances:

    (3) LIMITATION ON DISSEMINATION OF CERTAIN INFORMATION — The procedures established pursuant to subsection (a) shall prohibit the dissemination outside the intelligence community of information obtained or derived through such procedures that is not created by or for the intelligence community except —
    (A) with the approval of the contractor providing such information;
    (B) to the congressional intelligence committees or the Subcommittees on Defense of the Committees on Appropriations of the House of Representatives and the Senate for such committees and such subcommittees to perform oversight; or
    (C) to law enforcement agencies to investigate a penetration reported under this section.
- Sec. 325 acknowledges the potential reporting overlap for companies that are both cleared intelligence contractors and cleared defense contractors, and provides the following text on coordinated reporting:

    (e) COORDINATION WITH THE SECRETARY OF DEFENSE TO PREVENT DUPLICATE REPORTING — Not later than 180 days after the date of the enactment of this Act, the Director of National Intelligence and the Secretary of Defense shall establish procedures to permit a contractor that is a cleared intelligence contractor and a cleared defense contractor under section 941 of the National Defense Authorization Act for Fiscal Year 2013 (Public Law 112–239; 10 U.S.C. 2224 note) to submit a single report that satisfies the requirements of this section and such section 941 for an incident of penetration of network or information system.
- Sec. 325(g) includes a savings clause making clear that the law is not intended to limit the government’s preexisting rights to access contractor-owned or contractor-operated information systems. Sec. 941 contains no such text.
Like the statutory direction to the DNI under S. 1681, the NDAA required the Secretary of Defense to develop reporting procedures for cleared defense contractors. To date, DoD still has not issued the procedures under Sec. 941, even though the statute mandated that they be established within 90 days of enactment of the NDAA (Sec. 941(d)(1): “[n]ot later than 90 days after the date of the enactment of this Act — (A) the Secretary of Defense shall establish the procedures required under subsection (a).”). An ad hoc committee that has been drafting the procedures since January 2013 is supposed to report back to the Director of the Defense Acquisition Regulations Council (DARC), but DoD has repeatedly extended the due date for that report. See Open DFARS Cases as of July 11, 2014, Case 2013-D018 Status (“01/31/2013 DARC Director tasked Ad Hoc Cmte. to draft interim DFARS rule. Report due 02/20/2013. Report due extended to 08/13/2014.”)
Although the agency coordination to prevent duplicate reporting under Sec. 325(e) is helpful to contractors with both intelligence community and DoD work, the new law unfortunately carries over the same unresolved issues found in the NDAA. Under Sec. 325(c)(2)(A)-(B), just like Sec. 941(c)(2)(A)-(B) of the NDAA, contractors need only give the government access sufficient to conduct a forensic analysis of the penetration, but neither statute explains what that access entails. That silence leaves open the possibility of the government obtaining contractor business data or personally identifiable information of contractor employees, or taking physical possession of contractor computers and other system hardware.
It is also unclear how the procedures will define a “penetration,” whether investigations will be disclosed, and whether the reporting requirements will extend to unclassified networks. The statutory language in both Sec. 325 and Sec. 941 is not explicitly limited to breaches of classified information systems; it applies to any “covered system,” defined as “a network or information system of a cleared [defense or intelligence] contractor that contains or processes information created by or for [the Department of Defense or an element of the intelligence community] with respect to which such contractor is required to apply enhanced protection.” Sec. 941(e)(2) and the parallel definition in Sec. 325. Whether a given unclassified network falls within that definition will therefore turn on how the procedures interpret “enhanced protection.”
Also, neither statute specifies how soon after a penetration contractors must report it, but the procedures may ultimately resemble the existing DFARS rule governing the safeguarding of unclassified controlled technical information (UCTI), DFARS 252.204-7012. (See Hogan Lovells’ previous blog post on the DFARS rule.) The DFARS UCTI rule includes reporting procedures for compromises of contractor information systems and requires reporting within 72 hours of discovery. Contractors must also retain incident information for 90 days to give DoD time to decide whether to request more information or to decline to pursue the matter further.
In light of this new statutory requirement, cleared intelligence contractors (as well as cleared defense contractors that also perform intelligence community work) should review and update their breach detection, incident response, and reporting plans now, rather than waiting for the procedures to issue. Contractors that intend to handle classified information as part of their federal contracting business should also recognize that they may become subject to one or both of the reporting requirements under the FY 2014 Intelligence Authorization Act and the FY 2013 NDAA once the reporting procedures are released.
As the federal government analyzes the cyber threat information received through these cleared contractor reports and identifies patterns of cyber threats, it may share its conclusions with other industries through the regulatory consultations already underway with critical infrastructure participants. The U.S. government has strongly promoted cyber threat intelligence sharing between the private and public sectors through executive action, legislation, and other means.