DOD Finalizes Contractor Cyber Attack Notice Rule

The Department of Defense has implemented another measure to protect its supply chain from hacking. On October 4, 2016 the U.S. Department of Defense issued a long-awaited finalized rule that imposes a mandatory 72-hour reporting requirement for DOD defense contractors and subcontractors to disclose cyber attacks to the Pentagon.

Effective November 3, 2016, contractors must report within 72 hours incidents that could have an adverse effect on their covered information systems or on any stored “covered defense information,” or that limit the contractor’s ability to provide the DOD with operationally critical support. The notification must include the incident’s impact, the technique involved in the attack, and the compromised information. The finalized rule updated and revised the previously issued interim rule from October 2015 to increase clarity about its application.

Under the final rule, the requirement applies to any agreement between the DOD and Defense Industrial Base companies, including “contracts, grants, cooperative agreements, other transaction agreements, technology investment agreements, and any other type of legal instrument or agreement.” Critically, the requirements flow down the supply chain, applying equally to subcontractors involved with covered information systems or who provide operationally critical support. While the DOD has not yet clarified the term “operationally critical support,” the DOD is planning to develop guidance to help contractors determine if they provide such support. The DOD did revise the definition of covered defense information to reflect the term “controlled unclassified information” used by other federal regulations.

The final rule also expands “eligibility criteria to permit greater participation” in a voluntary Defense Industrial Base (“DIB”) cyberthreat information sharing program. As part of the DIB information-sharing network, the DOD’s cybercrime center sends participants cyberthreat information and permits participants to share classified and unclassified cyber information about threats to help the group counter cyberthreats.

This finalized cyberthreat reporting requirements likely will mean many government contractors (and those in the supply chain) will need to revisit their Incident Response Plans to facilitate the rapid reporting requirement. This may be particularly important for subcontractors who may not have been following the draft version of these rules closely. Such companies may also need to expand their incident response protocols beyond confirmed compromises of protected information to cover all incidents that may impact systems or operations.