The National Defense Authorization Act for Fiscal Year 2015 (“NDAA FY 15”) was passed by the House of Representatives on December 4, 2014, and is expected to pass in the Senate.  Among NDAA FY 15’s cybersecurity and acquisition provisions are directions for the Secretary of Defense to establish rapid reporting requirements for “operationally critical contractors.”

Operationally Critical Contractors Rapid Reporting Regulations

Section 1632 of NDAA FY 15 requires the Secretary of Defense to establish within 90 days procedures to designate “operationally critical contractors” and the rapid reporting of cyber incidents affecting such contractors.  An “operationally critical contractor” is defined as a contractor determined to be a “critical source of supply for airlift, sealift, intermodal transportation services, or logistical support that is essential to the mobilization, deployment, or sustainment of the Armed Forces in a contingency operation.”

Designated and notified operationally critical contractors will be required to “rapidly” report each cyber incident on any of its networks or information systems.   For purposes of rapid reporting, a cyber incident is broadly defined as “actions taken through the use of computer networks that result in an actual or potential adverse effect on an information system or the information residing therein.”  Reports must include:

  • The contractor’s assessment of the effect of the cyber incident on its ability to meet its contractual obligations to the Department of Defense (“DoD”);
  • The technique or method utilized in the cyber incident;
  • Samples of any malicious software used in the incident, if discovered and isolated; and
  • A summary of the compromised information.

The Secretary’s procedures are also required to include mechanisms allowing DoD personnel to assist operationally critical contractors in detecting and mitigating penetrations.

Relation to Other Rapid Reporting Requirements

The creation of procedures for rapid reporting for operationally critical contractors adds yet another layer of data breach reporting requirements for DoD contractors.  DoD and the Intelligence Community (“IC”) have already been directed to promulgate regulations requiring contractors cleared to access, receive, or store classified information in support of any DoD or IC program to report successful penetrations of their networks and/or information systems.  Although these regulations were also subject to a 90 day window, both rulemakings have been extended multiple times.

Additionally, DoD contractors are subject to the Unclassified Controlled Technical Information (“UCTI”) DFARS clause, which mandates that DoD contractors report cyber incidents, including unauthorized access to information, inadvertent release of information, and/or any other loss or compromise, within 72 hours of discovery.

There are key differences among the myriad reporting rules. For example, the rules encompass different networks and systems. The UCTI rule applies to all information systems on which UCTI may be “resident on” or “transiting through,” while the DoD and IC requirements will apply to networks or information systems that “contain or possess” covered information. These provisions are focused only on networks or information systems holding DoD or IC information. The NDAA requirements appear broader because they apply to all “critical contractors,” envisioning application to “any network or information system” of such a contractor.

Similarly, the reporting requirements differ with regard to what information must be reported and when. The UCTI rule requires contractors to report thirteen specific items within 72 hours. The DoD and IC rapid reporting requirements will require a report of the method used to penetrate the system, samples of malicious software, and the information compromised. The operationally critical contractor rules are similar, but will add an assessment of the contractor’s ability to meet its contractual requirements. The reporting timeframes for the DoD, IC, and operationally critical contractor rules have not been proposed.

Impact on Contractors

It remains to be seen whether DoD will reconcile these different cyber incident reporting requirements. Without harmonization, a contractor could, in theory, be subject to multiple reporting requirements for one breach. For example, a “critical contractor” could be subject to still undefined requirements under the DoD rapid reporting rule, the regulations that result from NDAA section 1632, and the DFARS UCTI rule. And what constitutes a breach, what and how quickly it needs to be reported, to whom it should be reported, and what information needs to be maintained all remain possible sources of conflict among these rules. Finally, the requirements for contractors to cooperate with agencies with regard to these breaches mean that multiple agencies may be seeking access to contractors’ information systems. Contractors should be following these developments to ensure: (1) they understand their obligations under these new and sometimes conflicting rules; (2) they are adequately monitoring the proper networks and/or information systems; (3) they have processes in place to meet the reporting timeframe of each applicable rule; (4) they understand the scope of information that needs to be provided in their reports; (5) they are preserving the required information for government review; and (6) they are flowing applicable requirements down to their suppliers and subcontractors.

Susan B. Cassidy


Susan is co-chair of the firm’s Aerospace and Defense Industry Group and is a partner in the firm’s Government Contracts and Cybersecurity Practice Groups. She previously served as in-house counsel for two major defense contractors and advises a broad range of government contractors on compliance with FAR and DFARS requirements, with a special expertise in supply chain, cybersecurity and FedRAMP requirements. She has an active investigations practice and advises contractors when faced with cyber incidents involving government information. Susan relies on her expertise and experience with the Defense Department and the Intelligence Community to help her clients navigate the complex regulatory intersection of cybersecurity, national security, and government contracts. She is Chambers rated in both Government Contracts and Government Contracts Cybersecurity. In 2023, Chambers USA quoted sources stating that “Susan’s in-house experience coupled with her deep understanding of the regulatory requirements is the perfect balance to navigate legal and commercial matters.”

Her clients range from new entrants into the federal procurement market to well-established defense contractors, and she provides compliance advice across a broad spectrum of procurement issues. Susan consistently remains at the forefront of legislative and regulatory changes in the procurement area, and in 2018 the National Law Review selected her as a “Go-to Thought Leader” on the topic of Cybersecurity for Government Contractors.

In her work with global, national, and start-up contractors, Susan advises companies on all aspects of government supply chain issues including:

  • Government cybersecurity requirements, including the Cybersecurity Maturity Model Certification (CMMC), DFARS 7012, and NIST SP 800-171 requirements,
  • Evolving sourcing issues such as Section 889, counterfeit part requirements, Section 5949, and limitations on sourcing from China,
  • Federal Acquisition Security Council (FASC) regulations and product exclusions,
  • Controlled unclassified information (CUI) obligations, and
  • M&A government cybersecurity due diligence.

Susan has an active internal investigations practice that assists clients when allegations of non-compliance arise with procurement requirements, such as in the following areas:

  • Procurement fraud and FAR mandatory disclosure requirements,
  • Cyber incidents and data spills involving sensitive government information,
  • Allegations of violations of national security requirements, and
  • Compliance with MIL-SPEC requirements, the Qualified Products List, and other sourcing obligations.

In addition to her counseling and investigatory practice, Susan has considerable litigation experience and has represented clients in bid protests, prime-subcontractor disputes, Administrative Procedure Act cases, and product liability litigation before federal courts, state courts, and administrative agencies.

Susan is a former Co-Chair of the ABA Public Contract Law Procurement Division, and a former Co-Chair and current Vice-Chair of the ABA PCL Cybersecurity, Privacy and Emerging Technology Committee.

Prior to joining Covington, Susan served as in-house senior counsel at Northrop Grumman Corporation and Motorola Incorporated.