Last month, the Department of Defense (DoD) again updated the cybersecurity rule that governs defense contractors who may transmit, store, or process "covered defense information" on their systems. The rule, which was first implemented in August 2015, contains two basic components: (1) a requirement that contractors ensure "adequate security" on covered systems; and (2) a requirement that contractors report any cyber incidents that may have affected covered systems. The recent amendments include several significant changes. First, the definition of "covered defense information" is now harmonized with the "controlled unclassified information" (CUI) registry maintained by the National Archives, which also recently released a rule broadly prescribing the steps federal agencies must take to safeguard CUI. (Eventually, non-DoD contractors will also be governed by a cybersecurity rule that flows from the CUI registry.) In addition to the changes to the definition of covered defense information, the revised DoD rule also exempts Commercial Off the Shelf (COTS) procurements from the rule, providing some relief to commercial contractors (although non-COTS commercial procurements are still subject to the rule). The amendments also helpfully clarify where fundamental research is not subject to the rule. Less helpfully, the amendments put new limits on which cloud service providers can be used by DoD contractors. Finally, the amendments make a number of procedural changes to how contractors are to flow down the rule to subcontractors or request to vary from its adequate security requirements (which are based on NIST SP 800-171). Additional amendments to the DoD rule are expected, particularly before December 31, 2017, when all DoD contractors must be fully compliant with NIST SP 800-171 if they handle any covered defense information). Further information is available in our November 2016 Advisory.