When it became law on July 7, 2014, the 2014 Intelligence Authorization Act (“IAA”) gave the Director of National Intelligence (“DNI”) 90 calendar days to issue new regulations addressing the requirement that “cleared intelligence contractors” report any “successful penetration” of their networks and information systems.  With the DNI on the clock, what can these contractors expect?

For one thing, following a penetration of a covered network or information system, the DNI regulations will require that a cleared intelligence contractor report the following information to a designated element of the Intelligence Community (“IC”):

  • A description of the technique or method used in such penetration;
  • A sample of the malicious software, if discovered and isolated by the contractor, involved in such penetration; and
  • A summary of information created by or for an element of the IC that has been potentially compromised.

The DNI regulations will specify the turn-around time for these reports (by comparison, under regulations for Department of Defense contracts, a report would be required within 72 hours).

Some requirements may be more onerous.  For example, the DNI regulations will implement an IAA requirement that intelligence community contractors give IC personnel access to equipment or information in the event of a “successful penetration” of a covered network so that the IC personnel can conduct a forensic analysis of the breach.  The regulations should prohibit the IC from disseminating the information from such a forensic analysis without the contractor’s consent.  Still, whether the IC will be barred from using the information for other purposes, such as for responsibility or past performance determinations, is unclear.

For more detailed information concerning the rapid reporting requirements under the IAA, please see our recent blog post addressing this topic.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Susan B. Cassidy Susan B. Cassidy

Susan is co-chair of the firm’s Aerospace and Defense Industry Group and is a partner in the firm’s Government Contracts and Cybersecurity Practice Groups. She previously served as in-house counsel for two major defense contractors and advises a broad range of government contractors…

Susan is co-chair of the firm’s Aerospace and Defense Industry Group and is a partner in the firm’s Government Contracts and Cybersecurity Practice Groups. She previously served as in-house counsel for two major defense contractors and advises a broad range of government contractors on compliance with FAR and DFARS requirements, with a special expertise in supply chain and cybersecurity requirements. She has an active investigations practice and advises contractors when faced with cyber incidents involving government information. Susan relies on her expertise and experience with the Defense Department and the Intelligence Community to help her clients navigate the complex regulatory intersection of cybersecurity, national security, and government contracts. She is Chambers rated in both Government Contracts and Government Contracts Cybersecurity. In 2023, Chambers USA quoted sources stating that “Susan’s in-house experience coupled with her deep understanding of the regulatory requirements is the perfect balance to navigate legal and commercial matters.”

Her clients range from new entrants into the federal procurement market to well established defense contractors and she provides compliance advices across a broad spectrum of procurement issues. Susan consistently remains at the forefront of legislative and regulatory changes in the procurement area, and in 2018, the National Law Review selected her as a “Go-to Thought Leader” on the topic of Cybersecurity for Government Contractors.

In her work with global, national, and start-up contractors, Susan advises companies on all aspects of government supply chain issues including:

  • Government cybersecurity requirements, including the Cybersecurity Maturity Model Certification (CMMC), DFARS 7012, and NIST SP 800-171 requirements,
  • Evolving sourcing issues such as Section 889, counterfeit part requirements, Section 5949 and limitations on sourcing from China
  • Federal Acquisition Security Council (FASC) regulations and product exclusions,
  • Controlled unclassified information (CUI) obligations, and
  • M&A government cybersecurity due diligence.

Susan has an active internal investigations practice that assists clients when allegations of non-compliance arise with procurement requirements, such as in the following areas:

  • Procurement fraud and FAR mandatory disclosure requirements,
  • Cyber incidents and data spills involving sensitive government information,
  • Allegations of violations of national security requirements, and
  • Compliance with MIL-SPEC requirements, the Qualified Products List, and other sourcing obligations.

In addition to her counseling and investigatory practice, Susan has considerable litigation experience and has represented clients in bid protests, prime-subcontractor disputes, Administrative Procedure Act cases, and product liability litigation before federal courts, state courts, and administrative agencies.

Susan is a former Public Contract Law Procurement Division Co-Chair, former Co-Chair and current Vice-Chair of the ABA PCL Cybersecurity, Privacy and Emerging Technology Committee.

Prior to joining Covington, Susan served as in-house senior counsel at Northrop Grumman Corporation and Motorola Incorporated.