• New Defense Rule Changes Reporting of Cyber Incidents
  • November 10, 2015 | Author: Dawn Lee Merkle
  • Law Firm: Willcox & Savage, P.C. - Norfolk Office
  • If you have a contract with the Department of Defense (DoD) or are a subcontractor or vendor on a DoD contract, you need to review the new rule regarding safeguarding covered defense information and reporting cyber incidents. On August 26, 2015, through the publication of an interim rule, the DoD expanded what information must be protected as well as the security and reporting requirements.

    Under the interim rule, effective immediately, DoD contractors and subcontractors with information systems that process, store, or transmit “covered defense information” must provide specified network security to protect “covered defense information” from unauthorized access and disclosure. Prior to the interim rule, the DoD’s safeguarding and reporting requirements related only to contractors that had contracts or subcontracts requiring the safeguarding of “unclassified controlled technical information.”

    The new rule introduces the term “covered defense information” of which controlled technical information is only a subset. The new term also includes information in the following categories: “critical information” (specific facts identified through the Operations Security process), “export control” (information that if exported could adversely affect “national security and nonproliferation objectives”), and “any other information” that is so identified in the contract and requires safeguarding pursuant to law, regulations, or government-wide policies.

    The duty to report cyber incidents has also been revised and expanded to encompass “covered defense information.” The revisions extend the reporting requirements to covered subcontractors, requiring the subcontractors to report cyber incidents directly to the government as well as the prime contractor. A contractor or subcontractor that discovers a cyber incident must conduct a review for evidence of compromise of the information. The DoD acknowledges that the reporting requirements may require an IT expert. To be able to report a cyber incident in accordance with the new rule, a contractor or subcontractor must have a medium assurance certificate, which must be purchased through approved vendors.

    The security measures required for contractor information systems differ depending on whether the system is part of an IT service or system operated on behalf of the government or is any other contractor information system. If the system is operated on behalf of the government, the contractor must comply with a clause on cloud computing services and with the specific contract requirements for other IT services.

    If the system is not operated on behalf of the government, the contractor must follow the security requirements in the National Institute of Standards and Technology SP 800-171, which is specifically designed for nonfederal information systems. According to the DoD, this change is meant to ease the burden on the contractor for compliance as well as increase the protections of government information. The contractor may ask to use alternative measures, which must be approved in writing prior to contract award, or may explain why the requirements are not applicable.

    DoD is soliciting comments for the final rule through October 26, 2015, and is particularly interested in public comments on “[w]hether this collection of information is necessary for the proper performance of the DFARS and will have practical utility” and ways to minimize the burden. The DoD expects this rule may have significant economic impact on small entities.