On Monday, our colleague Caleb Skeath posted on Inside Privacy an engaging article that discusses the new Office of Management and Budget policy setting forth minimum standards for federal agencies in preparing for and responding to breaches of personally identifiable information (PII) and the expected contractual changes that agencies will impose on contractors whose systems
During markup of the 2016 National Defense Authorization Act (“NDAA FY 2016”) on April 27, House Armed Services Committee Chairman Mac Thornberry (R-TX) proposed an amendment that would provide liability protection to certain Department of Defense (“DoD”) contractors for properly reporting cyber incidents on their networks and information systems.
This amendment relates back to two legislative efforts to impose data breach notification requirements on DoD contractors:
- NDAA FY 2013 Section 941, which requires “cleared contractors” (private entities granted clearance by DoD to “access, receive, or store classified information” for contractual purposes) to report “successful penetrations” of their networks or information systems.
- NDAA FY 2015 Section 1632 (10 U.S.C. § 391), which requires DoD-designated “operationally critical contractors” (those contractors determined to be critical sources of supply or support essential to the mobilization, deployment, or sustainment of the Armed Forces in a contingency operation) to “rapidly” report each cyber incident on any of their networks or information systems.
The National Defense Authorization Act for Fiscal Year 2015 (“NDAA FY 15”) was passed by the House of Representatives on December 4, 2014, and is expected to pass in the Senate. Among NDAA FY 15’s cybersecurity and acquisition provisions are directions for the Secretary of Defense to establish rapid reporting requirements for “operationally critical contractors.”
Operationally Critical Contractors Rapid Reporting Regulations
Section 1632 of NDAA FY 15 requires the Secretary of Defense to establish, within 90 days, procedures for designating “operationally critical contractors” and for the rapid reporting of cyber incidents affecting such contractors. An “operationally critical contractor” is defined as a contractor determined to be a “critical source of supply for airlift, sealift, intermodal transportation services, or logistical support that is essential to the mobilization, deployment, or sustainment of the Armed Forces in a contingency operation.”
Designated and notified operationally critical contractors will be required to “rapidly” report each cyber incident on any of their networks or information systems. For purposes of rapid reporting, a cyber incident is broadly defined as “actions taken through the use of computer networks that result in an actual or potential adverse effect on an information system or the information residing therein.” Reports must include:
- The contractor’s assessment of the effect of the cyber incident on its ability to meet its contractual obligations to the Department of Defense (“DoD”);
- The technique or method utilized in the cyber incident;
- Samples of any malicious software used in the incident, if discovered and isolated; and
- A summary of the compromised information.
The Secretary’s procedures are also required to include mechanisms allowing DoD personnel to assist operationally critical contractors in detecting and mitigating penetrations.…
The Nuclear Regulatory Commission (“NRC”) appears poised to be the next agency to promulgate cybersecurity breach notification requirements. The NRC has stated that it is moving forward with draft breach notification rules it released in July 2014. Under the draft rules, anyone licensed by NRC to operate a nuclear power plant would be required to report cybersecurity events to the NRC Headquarters Operations Center via its Emergency Notification System. The draft rules set forth four types of notifications for cybersecurity breaches based on the imminence or severity of the event: one-hour notifications; four-hour notifications; eight-hour notifications; and twenty-four hour recordable events, explained below.
One-hour Notification: Must be made within one hour of discovering a cyber attack that “adversely impacted safety-related or important-to-safety function, security functions, or emergency preparedness functions . . . or compromises support systems and equipment that results in adverse impacts to safety, security, or emergency preparedness functions.”
Four-hour Notification: Must be made within four hours of:
- Discovering a cyber attack that “could have caused an adverse impact” to safety- and security-related functions;
- Discovering a suspected or actual cyber attack that was initiated by personnel with physical or electronic access to computers, communications systems, and networks; and/or
- Notification by a local, state, or federal agency of an event related to the implementation of the licensee’s cyber security program.
There is no requirement to make four-hour notification if a one-hour notification is made for the same event.…
The Department of Defense (“DOD”) has once again delayed the promulgation of regulations requiring DOD contractors to rapidly report data breaches and allowing DOD to access the contractor’s equipment to conduct a forensic analysis. The National Defense Authorization Act for Fiscal Year 2013 originally required an ad hoc committee to provide a report to the …