On October 2, 2015, the DoD published a final interim rule, 80 Fed. Reg. 59581, revising the DoD – Defense Industrial Base (DIB) cybersecurity information sharing program regulations, the latest in a series of changes made this year to the growing body of cybersecurity regulations. The rule is intended to harmonize with other DoD security rules and to streamline the monitoring and reporting process for cyber incidents by establishing a single reporting mechanism. The changes are mandated by the 2013 National Defense Authorization Act and apply to all covered DoD contractors and subcontractors.
The rule implements a mandatory cyber incident reporting requirement that will apply to all forms of contracts and other agreements between DoD and DIB entities. All such contracts and agreements must include (through incorporation by reference or express inclusion) the reporting requirements set forth in the rule. The rule requires “rapid reporting” of any cyber incidents “that result in an actual or potentially adverse effect on a covered contractor information system or covered defense information residing therein, or on a contractor’s ability to provide operationally critical support” within 72 hours of the incident. This requirement is focused on cyber incidents implicating “technical information controlled under the International Traffic in Arms Regulations or the Export Administration Regulations or otherwise controlled by DOD and operational security information that relates to DoD activities.” However, such focus does not abrogate a contractor’s reporting responsibility for other types of controlled unclassified information (CUI), such as personally identifiable information (PII) or financial information, set forth in other cyber incident reporting requirements.
The rule also modifies eligibility criteria to permit greater participation in the DoD-DIB cybersecurity information sharing program, which allows participants to share government-furnished information and other cyber threat information from the government and other program participants. The notice provides that companies participating in the program will not receive any competitive advantage, and that non-participation will not be punished.
Importantly, under the rule, contractors will incur costs associated with implementing and executing the requirements for cyber incident reporting. These costs include “identifying and analyzing cyber incidents and their impact on covered defense information, or a contractor's ability to provide operationally critical support, as well as obtaining DoD-approved medium assurance certificates to ensure authentication and identification when reporting cyber incidents to DoD.” Additionally, the rule builds on the government’s requirements for safeguarding unclassified controlled technical information, which were recently updated to require contractors to adhere to the applicable National Institute of Standards and Technology (NIST) security controls.
The rule is effective as of October 2, 2015 for all new contracts with the DoD; however, the comment period is open until December 1, 2015.
This Legislative Update has been provided by Terence Murphy and Christopher T. Page of the Government Contracts and Construction Practice Group, Kaufman & Canoles, P.C., who can be reached at (757) 624-3139 or firstname.lastname@example.org and (757) 259-3847 or email@example.com for more information.