The Department of Defense has published an interim rule in the Federal Register requiring government contractors and subcontractors to report a larger number of data breach incidents than had been previously required.
The rule specifically covers cyber incidents that have an “actual or potentially adverse effect” on a covered contractor information system, on covered defense information residing therein, or on a contractor’s ability to provide operationally critical support. “Covered defense information” encompasses certain unclassified information that is still of a sensitive nature, including controlled technical information and operations security information. According to the rule, the DOD must be notified within 72 hours of a breach or possible cyber attack.
Previously, contractors only had to report cyber incidents affecting controlled technical information – not those affecting other forms of covered data.
The rule also augments DOD policies and procedures affecting the employment of cloud computing services. It provides contract language to include when contracting for such services.
The rule is intended to streamline the reporting process for DOD contractors and minimize duplicative reporting processes. It comes in the wake of the discovery earlier this year of two massive security breaches at the Office of Personnel Management. Due to its pressing nature, the rule is set to take effect immediately, although there will be a public comment period until October 26, 2015.