DOD Updates Cybersecurity Reporting Rule for Contractors

Oct. 4 — Defense contractors and subcontractors have a new definition of “covered defense information” to contend with as they follow mandatory reporting requirements for cybersecurity incidents, under a final rulepublished Oct. 4 (81 Fed. Reg 68,312, 10/4/2016).

The new definition, announced in a final rule for the Defense Department’s Defense Industrial Base (DIB) Cybersecurity (CS) Activities, includes information that is either identified as part of an agreement with DOD or “collected, developed, received, transmitted, used, or stored by or on behalf of” a contractor in performing its duties under a contract.

“That’s basically the keystone to the whole clause, because it tells you what kind of information the compromise of or the penetration requires a cyber incident report,” Robert Huffman, a partner with Akin Gump Strauss Hauer & Feld LLP’s government contracts practice in Washington, who is also an adjunct professor at the Georgetown University Law Center, told Bloomberg BNA.

The rule is designed to establish a single reporting mechanism for cybersecurity incidents on unclassified DOD contractor networks or information systems. Together, the information sharing can bolster cybersecurity for contractors by providing greater insight into hostile incursions into DIB networks.

Companies that do business with the government may be subject to multiple cybersecurity reporting requirements from various agencies, including the Securities and Exchange Commission, Department of Homeland Security and Federal Trade Commission, Huffman said. The DOD is trying to create uniform standards over the contracts and agreements it controls.

The new CDI definition offers a clue as to what the DOD’s update to its Defense Federal Acquisition Regulation Supplement (DFARS) regarding cybersecurity may look like, Huffman said. A new DFARS final rule is expected in the coming months.

“This presages that they’re going to change the CDI definition” in the final DFARS rule, Huffman said. “When they do come out with that final rule, it will likely have this definition,” he said.

Source: DOD Updates Cybersecurity Reporting Rule for Contractors