On August 26, 2015, the Department of Defense issued an interim rule requiring government contractors and subcontractors to report cybersecurity breaches of their information technology systems. DoD has directed that the requirements take effect immediately, before the usual public comment period, because of the urgent need to protect “covered defense information,” a term that includes non-classified information that requires special handling, such as controlled technical information, export control data, and operations security information.
As a result, defense contractors and subcontractors now must report all cyber incidents that impact or could impact their information systems and/or defense information stored on those systems. Reports to the DoD must be filed within 72 hours of a cybersecurity breach or possible breach.
Previously, contractors were required to report cyber incidents that affected controlled technical information but not other types of cyber events. The new definition of covered defense information includes a wider range of data types. Reports of cyber attacks concerning classified information systems will still follow the rules in the National Industrial Security Program Operating Manual.
While the rule goes into effect immediately, the DoD is still seeking and will consider public comments on the new rule.
The rule is expected to affect about 10,000 contractors, many of which are small businesses that may require specialized assistance in order to adequately detect and report cyber events.
In addition to prescribing IT security breach reporting requirements, the new rule also establishes new DoD policies and procedures for contracting for cloud computing services. The rule includes new DFAR contract language for cloud computing service purchases.