Oct 72016

DOD Finalizes Contractor Cyber Attack Notice Rule

Colleen Theresa Brown and Michaelene E. Hanley
, , , ,

The Department of Defense has implemented another measure to protect its supply chain from hacking. On October 4, 2016 the U.S. Department of Defense issued a long-awaited finalized rule that imposes a mandatory 72-hour reporting requirement for DOD defense contractors and subcontractors to disclose cyber attacks to the Pentagon.

Effective November 3, 2016, contractors must report within 72 hours incidents that could have an adverse effect on their covered information systems or on any stored “covered defense information,” or that limit the contractor’s ability to provide the DOD with operationally critical support. The notification must include the incident’s impact, the technique involved in the attack, and the compromised information. The finalized rule updated and revised the previously issued interim rule from October 2015 to increase clarity about its application.

Under the final rule, the requirement applies to any agreement between the DOD and Defense Industrial Base companies, including “contracts, grants, cooperative agreements, other transaction agreements, technology investment agreements, and any other type of legal instrument or agreement.” Critically, the requirements flow down the supply chain, applying equally to subcontractors involved with covered information systems or who provide operationally critical support. While the DOD has not yet clarified the term “operationally critical support,” the DOD is planning to develop guidance to help contractors determine if they provide such support. The DOD did revise the definition of covered defense information to reflect the term “controlled unclassified information” used by other federal regulations.

The final rule also expands “eligibility criteria to permit greater participation” in a voluntary Defense Industrial Base (“DIB”) cyberthreat information sharing program. As part of the DIB information-sharing network, the DOD’s cybercrime center sends participants cyberthreat information and permits participants to share classified and unclassified cyber information about threats to help the group counter cyberthreats.

This finalized cyberthreat reporting requirements likely will mean many government contractors (and those in the supply chain) will need to revisit their Incident Response Plans to facilitate the rapid reporting requirement. This may be particularly important for subcontractors who may not have been following the draft version of these rules closely. Such companies may also need to expand their incident response protocols beyond confirmed compromises of protected information to cover all incidents that may impact systems or operations.

Colleen Theresa Brown

Washington, D.C.

cbrown@sidley.com

Michaelene E. Hanley

mhanley@sidley.com

You might also like
Biden Administration Announces National Cybersecurity Strategy

On March 1, 2023, the Biden administration announced its long-awaited National Cybersecurity Strategy. The strategy is part of the administration’s efforts to bolster and modernize public and private responses to cybersecurity threats.

FCC Proposes Updated Data Breach Reporting Requirements, Comment Period Ongoing

On January 6, 2023, the Federal Communications Commission (the Commission) released a unanimously adopted Notice of Proposed Rulemaking, “In the Matter of Data Breach Reporting Requirements” (Proposed Rule).  The Commission sought comments through February 22, 2023 on the Proposed Rule which will update its current data breach reporting rule. Reply comments are due on or before March 24, 2023.

New FTC Guidance for Mobile Health Apps

Healthcare providers, health plans, and technology companies that use mobile health apps to access, collect, share, use, or maintain information related to an individual’s health should take note of the recently issued Federal Trade Commission (FTC) Mobile Health App Interactive Tool. The purpose of the tool is to help mobile health developers determine the federal regulatory, privacy, and security laws and regulations that may apply to the use of a consumer’s health information, such as information related to diagnosis, treatment, fitness, wellness, or addiction. While the tool should not be considered legal advice and cannot guarantee compliance with legal requirements, it can help healthcare providers, health plans, and technology companies issue-spot to manage risk in this heavily regulated space.