The Department of Defense (DoD) recently issued its Final Rule outlining the mandatory cyber incident reporting requirements for DoD contractors and subcontractors, as well as other members of the Defense Industrial Base (DIB) (entities with grants, cooperative agreements, other transaction agreements, technology investment agreements, and any other type of legal instrument or agreement) doing business with the DoD. The new Rule takes effect on November 3.
DoD contractors and others covered by the Rule must report incidents resulting in an “actual or potentially adverse effect” on a covered information system operated by the contractor, or on covered defense information within a contractor’s system. Covered entities are required to provide DoD with information only to the extent that it is “necessary to conduct a forensic analysis.” Of course, it remains to be seen how this provision will be interpreted and applied. The Final Rule retains the requirement for reporting cyber incidents within 72 hours of their occurrence, despite commentary from some contractors that this requirement might prove too onerous. When a breach involving classified systems or information occurs, reporting must comply with both the new Rule and the National Industrial Security Program Operating Manual (NISPOM).
The Final Rule represents the beginning of implementation of the requirements for rapid reporting of cyber incidents, as first outlined in the National Defense Authorization Act (NDAA) for Fiscal Year 2013. The goal of the Final Rule is to synthesize and coordinate all cyber incident reporting agreements for entities with any type of agreement with the DoD. This is in contrast to the current DFARS rules regarding cyber reporting, which only apply to procurement contracts.
One of DoD’s goals for the new framework is for it to encourage members of the DIB to participate in the Department’s Defense Industrial Base Cyber Security (DIB CS) information sharing program. The DIB CS program is a voluntary partnership between the public and private sectors under which participants from the federal government and the DIB share unclassified cyber threat information that can be used to improve the cybersecurity posture of all participants. The intent is to provide both DoD and the DIB with a better understanding of adversary actions and the impact on DoD information and warfighting capabilities.
The Final Rule is not retroactive. To the extent contract specifications conflict with requirements in the Rule, existing contract language will take precedence over the Rule’s requirements. The Rule will govern language in contracts going forward, but it gives the contracting agency the option to modify language in current contracts to fully adopt the new requirements. Further, the Rule does not account for increased costs incurred by commercial contractors engaged in fixed price agreements with the DoD, except to the extent that it recognizes the $175 fee for contractors to acquire a medium assurance certificate, which will not be reimbursed. Contractors will be required to account for this risk in their price proposals.
Prime contractors are required to flow down the Rule’s requirements to subcontractors providing “operationally critical support,” or whose subcontract performance involves a “covered contractor information service,” but the Rule fails to define specifically what constitutes a subcontractor for the purposes of this provision, despite industry concern and requests for clarification.
As is often the case with new regulations in burgeoning areas such as cyber incidents, many of the specifics of the new Rule will be hammered out during the initial stages of its implementation, as specific, real-world situations arise. Jackson Kelly will continue to monitor these developments.
Carrie Willett is responsible for the contents of this Article.
© 2016 Jackson Kelly PLLC