The National Defense Authorization Act for Fiscal Year 2015 (“NDAA FY 15”) was passed by the House of Representatives on December 4, 2014, and is expected to pass in the Senate. Among NDAA FY 15’s cybersecurity and acquisition provisions are directions for the Secretary of Defense to establish rapid reporting requirements for “operationally critical contractors.”
Operationally Critical Contractors Rapid Reporting Regulations
Section 1632 of NDAA FY 15 requires the Secretary of Defense to establish within 90 days procedures to designate “operationally critical contractors” and the rapid reporting of cyber incidents affecting such contractors. An “operationally critical contractor” is defined as a contractor determined to be a “critical source of supply for airlift, sealift, intermodal transportation services, or logistical support that is essential to the mobilization, deployment, or sustainment of the Armed Forces in a contingency operation.”
Designated and notified operationally critical contractors will be required to “rapidly” report each cyber incident on any of its networks or information systems. For purposes of rapid reporting, a cyber incident is broadly defined as “actions taken through the use of computer networks that result in an actual or potential adverse effect on an information system or the information residing therein.” Reports must include:
- The contractor’s assessment of the effect of the cyber incident on its ability to meet its contractual obligations to the Department of Defense (“DoD”);
- The technique or method utilized in the cyber incident;
- Samples of any malicious software used in the incident, if discovered and isolated; and
- A summary of the compromised information.
The Secretary’s procedures are also required to include mechanisms allowing DoD personnel to assist operationally critical contractors in detecting and mitigating penetrations.