The National Defense Authorization Act for Fiscal Year 2015 (“NDAA FY 15”) was passed by the House of Representatives on December 4, 2014, and is expected to pass in the Senate.  Among NDAA FY 15’s cybersecurity and acquisition provisions are directions for the Secretary of Defense to establish rapid reporting requirements for “operationally critical contractors.”

Operationally Critical Contractors Rapid Reporting Regulations

Section 1632 of NDAA FY 15 requires the Secretary of Defense to establish, within 90 days, procedures both for designating “operationally critical contractors” and for the rapid reporting of cyber incidents affecting such contractors.  An “operationally critical contractor” is defined as a contractor determined to be a “critical source of supply for airlift, sealift, intermodal transportation services, or logistical support that is essential to the mobilization, deployment, or sustainment of the Armed Forces in a contingency operation.”

Once designated and notified, an operationally critical contractor will be required to “rapidly” report each cyber incident on any of its networks or information systems.  For purposes of rapid reporting, a cyber incident is broadly defined as “actions taken through the use of computer networks that result in an actual or potential adverse effect on an information system or the information residing therein.”  Reports must include:

  • The contractor’s assessment of the effect of the cyber incident on its ability to meet its contractual obligations to the Department of Defense (“DoD”);
  • The technique or method utilized in the cyber incident;
  • Samples of any malicious software used in the incident, if discovered and isolated; and
  • A summary of the compromised information.

The Secretary’s procedures are also required to include mechanisms allowing DoD personnel to assist operationally critical contractors in detecting and mitigating penetrations.

Relation to Other Rapid Reporting Requirements

The creation of procedures for rapid reporting by operationally critical contractors adds yet another layer of data breach reporting requirements for DoD contractors.  DoD and the Intelligence Community (“IC”) have already been directed to promulgate regulations requiring contractors cleared to access, receive, or store classified information in support of any DoD or IC program to report successful penetrations of their networks and/or information systems.  Although those regulations were also subject to a 90-day window, both rulemakings have been extended multiple times.

Additionally, DoD contractors are subject to the Unclassified Controlled Technical Information (“UCTI”) DFARS clause (DFARS 252.204-7012), which mandates that DoD contractors report cyber incidents, including unauthorized access to information, inadvertent release of information, and/or any other loss or compromise, within 72 hours of discovery.

There are key differences among the myriad reporting rules.  For example, the rules encompass different networks and systems.  The UCTI rule applies to all information systems on which UCTI may be “resident on” or “transiting through,” while the DoD and IC requirements will apply to networks or information systems that “contain or possess” covered information.  Those provisions are focused only on networks or information systems holding DoD’s or the IC’s information.  The NDAA requirement appears broader in system scope: although it reaches only designated operationally critical contractors, for those contractors it envisions application to “any network or information system” of the contractor, whether or not government information resides on it.

Similarly, the reporting requirements differ with regard to what information must be reported and when.  The UCTI rule requires contractors to report thirteen specific items within 72 hours.  The DoD and IC rapid reporting requirements will require a report of the method used to penetrate the system, samples of malicious software, and the information compromised.  The operationally critical contractor rules are similar, but will add an assessment of the contractor’s ability to meet its contractual requirements.  The reporting timeframes for the DoD, IC, and operationally critical contractor rules have not yet been proposed.

Impact on Contractors

It remains to be seen whether DoD will reconcile these different cyber incident reporting requirements.  Without harmonization, a contractor could, in theory, be subject to multiple reporting requirements for one breach.  For example, an operationally critical contractor that also holds cleared and UCTI systems could be subject to the still undefined requirements under the DoD rapid reporting rule, the regulations that result from NDAA section 1632, and the DFARS UCTI rule.  What constitutes a breach, what must be reported and how quickly, to whom it should be reported, and what information must be preserved all remain possible sources of conflict among these rules.  Finally, the requirements for contractors to cooperate with agencies with regard to these breaches mean that multiple agencies may be seeking access to contractors’ information systems.  Contractors should be following these developments to ensure that: (1) they understand their obligations under these new and sometimes conflicting rules; (2) they are adequately monitoring the proper networks and/or information systems; (3) they have processes in place to meet the reporting timeframe of each applicable rule; (4) they understand the scope of information that needs to be provided in their reports; (5) they are preserving the required information for government review; and (6) they are flowing applicable requirements down to their suppliers and subcontractors.

Susan B. Cassidy

Susan Cassidy co-chairs Covington’s Aerospace and Defense Industry Group, and has been advising government contractors for more than 35 years on the requirements imposed on companies contracting with the U.S. Government.

Susan’s practice focuses on the intersection of cybersecurity, national security, and supply chain risk management for companies that sell products and services to the U.S. Government. Susan advises contractors at all phases of the procurement cycle, and regularly:

  • advises clients on compliance obligations imposed by the FAR, DFARS, and other agency regulatory requirements;
  • leads internal and government False Claims Act (FCA) investigations addressing allegations of violations of government cybersecurity, national security, supply chain, quality, and MIL-SPEC requirements; and
  • advises clients who have suffered a cyber breach where U.S. government information may have been impacted.

In her work with global, national, and start-up contractors, Susan advises companies on all aspects of government supply chain issues including:

  • Government cybersecurity requirements, including the Cybersecurity Maturity Model Certification (CMMC), DFARS 252.204-7012, FedRAMP, controlled unclassified information (CUI), and NIST SP 800-171 requirements;
  • Evolving sourcing issues such as Section 889, counterfeit part requirements, Section 5949 semiconductor product and service restrictions, and limitations on sourcing a variety of products from China; and
  • Federal Acquisition Security Council (FASC) regulations and product exclusions.

Susan previously served as senior in-house counsel for two major defense contractors (Northrop Grumman Corporation and Motorola Incorporated) and is Chambers rated in both Government Contracts and Government Contracts Cybersecurity. Chambers USA has quoted sources stating that “Susan’s in-house experience coupled with her deep understanding of the regulatory requirements is the perfect balance to navigate legal and commercial matters.”

Susan is a former Co-Chair of the ABA Public Contract Law Section’s Procurement Division, and a former Co-Chair and current Vice-Chair of the ABA PCL Cybersecurity, Privacy and Emerging Technology Committee.

Susan’s pro-bono work extends to assisting veterans in a variety of matters, as well as providing advice to elderly clients on their wills and other end-of-life planning documents.