The National Defense Authorization Act for Fiscal Year 2015 (“NDAA FY 15”) was passed by the House of Representatives on December 4, 2014, and is expected to pass in the Senate. Among NDAA FY 15’s cybersecurity and acquisition provisions are directions for the Secretary of Defense to establish rapid reporting requirements for “operationally critical contractors.”
Operationally Critical Contractors Rapid Reporting Regulations
Section 1632 of NDAA FY 15 requires the Secretary of Defense to establish within 90 days procedures to designate “operationally critical contractors” and the rapid reporting of cyber incidents affecting such contractors. An “operationally critical contractor” is defined as a contractor determined to be a “critical source of supply for airlift, sealift, intermodal transportation services, or logistical support that is essential to the mobilization, deployment, or sustainment of the Armed Forces in a contingency operation.”
Designated and notified operationally critical contractors will be required to “rapidly” report each cyber incident on any of their networks or information systems. For purposes of rapid reporting, a cyber incident is broadly defined as “actions taken through the use of computer networks that result in an actual or potential adverse effect on an information system or the information residing therein.” Reports must include:
- The contractor’s assessment of the effect of the cyber incident on its ability to meet its contractual obligations to the Department of Defense (“DoD”);
- The technique or method utilized in the cyber incident;
- Samples of any malicious software used in the incident, if discovered and isolated; and
- A summary of the compromised information.
The Secretary’s procedures are also required to include mechanisms allowing DoD personnel to assist operationally critical contractors in detecting and mitigating penetrations.
Relation to Other Rapid Reporting Requirements
The creation of procedures for rapid reporting for operationally critical contractors adds yet another layer of data breach reporting requirements for DoD contractors. DoD and the Intelligence Community (“IC”) have already been directed to promulgate regulations requiring contractors cleared to access, receive, or store classified information in support of any DoD or IC program to report successful penetrations of their networks and/or information systems. Although these regulations were also subject to a 90-day window, both rulemakings have been extended multiple times.
Additionally, DoD contractors are subject to the Unclassified Controlled Technical Information (“UCTI”) DFARS clause, which mandates that DoD contractors report cyber incidents, including unauthorized access to information, inadvertent release of information, and/or any other loss or compromise, within 72 hours of discovery.
There are key differences among the myriad reporting rules. For example, the rules encompass different networks and systems. The UCTI rule applies to all information systems on which UCTI may be “resident on” or “transiting through,” while the DoD and IC requirements will apply to networks or information systems that “contain or possess” covered information. These provisions are focused only on networks or information systems holding DoD’s or the IC’s information. The NDAA requirements appear broader because they apply to all “critical contractors,” envisioning application to “any network or information system” of such a contractor.
Similarly, the reporting requirements differ with regard to what information must be reported and when. The UCTI rule requires contractors to report thirteen specific items within 72 hours. The DoD and IC rapid reporting requirements will require a report of the method used to penetrate the system, samples of malicious software, and the information compromised. The operationally critical contractor rules are similar, but will add an assessment of the contractor’s ability to meet its contractual requirements. The reporting timeframes for the DoD, IC, and operationally critical contractor rules have not been proposed.
Impact on Contractors
It remains to be seen whether DoD will reconcile these different cyber incident reporting requirements. Without harmonization, a contractor could, in theory, be subject to multiple reporting requirements for one breach. For example, a “critical contractor” could be subject to still-undefined requirements under the DoD rapid reporting rule, the regulations that result from NDAA section 1632, and the DFARS UCTI rule. What constitutes a breach, what must be reported and how quickly, to whom it should be reported, and what information needs to be maintained all remain possible sources of conflict among these rules. Finally, the requirements for contractors to cooperate with agencies with regard to these breaches mean that multiple agencies may be seeking access to contractors’ information systems. Contractors should be following these developments to ensure: (1) they understand their obligations under these new and sometimes conflicting rules; (2) they are adequately monitoring the proper networks and/or information systems; (3) they have processes in place to meet the reporting timeframe of each applicable rule; (4) they understand the scope of information that needs to be provided in their reports; (5) they are preserving the required information for government review; and (6) they are flowing applicable requirements down to their suppliers and subcontractors.