On Tuesday, October 4, 2016, the Department of Defense (DoD) issued a long-awaited final rule implementing statutory requirements (10 U.S.C. §§ 391, 393) as part of 32 C.F.R part 236 regarding the reporting, by defense contractors, of certain cyber incidents relating to the contractor’s electronic systems. These reporting requirements are above and beyond what contractors are required to report under the myriad of potentially applicable data breach notification laws and regulations (including those imposed by the FTC and 47 states) or any other express contractual reporting or cyber incident response requirements. The final rule does not abrogate any such other mandatory reporting obligations.
The final rule responds to and addresses numerous industry comments on an October 2, 2015 interim rule on the same subject matter and takes effect as of November 3, 2016. Specifically, the final rule requires contractors and subcontractors to report cyber incidents which result in the actual or potentially adverse effect on a “covered contractor information system” or “covered defense information residing therein,” or on the contractor’s ability to provide “operationally critical support.” The final rule does not change the content or timing of the incident reports, which must be made within 72 hours of the contractor’s awareness of the breach.
The final rule applies broadly in terms of the systems and information covered. For the purpose of the final rule, a “covered contractor information system” is defined as an “unclassified information system that tis owned or operated by or for a contractor and that possess, stores, or transmits covered defense information.” In turn, “covered defense information” is defined as “unclassified controlled technical information or other information (as described in the Controlled Unclassified Information (CUI) Registry) that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and government wide policies, and is (1) [m]arked or otherwise identified in an agreement and provided to the contractor by or on behalf of the DoD in support of the performance of the agreement; or (2) is [c]ollected, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the agreement.” These definitions serve to expand the scope of the final rule to subcontractors which maintain such systems or information and which must now report incidents to the prime contractor for reporting to the government. (The final rule does not provide further guidance on what constitutes “operationally critical support.”) Although the rule does not modify existing contracts by operation of law, it expressly states that it provides DoD with the “option to modify . . . preexisting agreements where deemed appropriate.”
Finally, the final rule expands the Defense Industrial Base Cybersecurity (DIB CS) information sharing program. Although the DIB CS program is not mandatory, it is designed to facilitate information sharing between DoD and program participants on cyber threat issues.
DoD contractors and subcontracts should familiarize themselves with this rule and the reporting obligations thereunder, to the extent that they maintain covered systems or information. To the extent that the rule is applicable to a DoD contractor or subcontractor, it must be prepared to identify and report cyber incidents within 72 hours of discovery of that incident.