Intelligence Community

A major piece of IT acquisition reform legislation called the Federal Information Technology Acquisition Reform Act (“FITARA”), on which we have previously reported, was included in version of the National Defense Authorization Act for Fiscal Year 2015 (“NDAA FY 15”) passed by the House on December 4, 2014, along with other significant IT reform provisions related to open systems requirements for the Department of Defense (“DoD”).

The FITARA portion of the bill includes provisions that would require the federal government to:

  • empower Chief Information Officers (“CIOs”) and prevent the CIO from delegating the duty of reviewing IT contracts before the agency enters into the contract;
  • provide a publicly available list for each major information technology investment, both new and existing, that lists information specified in forthcoming investment evaluation guidance;
  • engage in a detailed review of high-risk information technology investments to identify problems;
  • inventory all information technology;
  • implement a federal data center consolidation initiative, which will include publicized goals regarding cost savings and optimization improvements to be achieved as a result of the initiative, and must be performed consistent with federal guidelines on cloud computing and cybersecurity such as FedRAMP and NIST guidelines;
  • expand the use of specialized IT acquisition experts;
  • develop a federal strategic sourcing initiative to be developed by GSA, which will allow for the use of governmentwide user license agreements.

Additional provisions require the use of open and modular strategies by the DoD, including the following requirements
Continue Reading Federal Information Technology Reform Act Included in the House-Passed NDAA FY 15

The National Defense Authorization Act for Fiscal Year 2015 (“NDAA FY 15”) was passed by the House of Representatives on December 4, 2014, and is expected to pass in the Senate.  Among NDAA FY 15’s cybersecurity and acquisition provisions are directions for the Secretary of Defense to establish rapid reporting requirements for “operationally critical contractors.”

Operationally Critical Contractors Rapid Reporting Regulations

Section 1632 of NDAA FY 15 requires the Secretary of Defense to establish within 90 days procedures to designate “operationally critical contractors” and the rapid reporting of cyber incidents affecting such contractors.  An “operationally critical contractor” is defined as a contractor determined to be a “critical source of supply for airlift, sealift, intermodal transportation services, or logistical support that is essential to the mobilization, deployment, or sustainment of the Armed Forces in a contingency operation.”

Designated and notified operationally critical contractors will be required to “rapidly” report each cyber incident on any of its networks or information systems.   For purposes of rapid reporting, a cyber incident is broadly defined as “actions taken through the use of computer networks that result in an actual or potential adverse effect on an information system or the information residing therein.”  Reports must include:

  • The contractor’s assessment of the effect of the cyber incident on its ability to meet its contractual obligations to the Department of Defense (“DoD”);
  • The technique or method utilized in the cyber incident;
  • Samples of any malicious software used in the incident, if discovered and isolated; and
  • A summary of the compromised information.

The Secretary’s procedures are also required to include mechanisms allowing DoD personnel to assist operationally critical contractors in detecting and mitigating penetrations.Continue Reading DoD to Impose Yet Another Form of Rapid Reporting Requirements

The Nuclear Regulatory Commission (“NRC”) appears poised to be the next agency to promulgate cybersecurity breach notification requirements.  The NRC has stated that it is moving forward with draft breach notification rules it released in July 2014.  Under the draft rules, anyone licensed by NRC to operate a nuclear power plant would be required to report cybersecurity events to the NRC Headquarters Operations Center via its Emergency Notification System.  The draft rules set forth four types of notifications for cybersecurity breaches based on the imminence or severity of the event:  one-hour notifications; four-hour notifications; eight-hour notifications; and twenty-four hour recordable events, explained below.

One-hour Notification − Must be made within one hour of discovering a cyber attack that “adversely impacted safety-related or important-to-safety function, security functions, or emergency preparedness functions . . . or compromises support systems and equipment that results in adverse impacts to safety, security, or emergency preparedness functions.”

Four-hour Notification − Must be made within four hours of:

  • Discovering a cyber attack that “could have caused an adverse impact” to safety- and security-related functions;
  • Discovering a suspected or actual cyber attack that was initiated by personnel with physical or electronic access to computers, communications systems, and networks; and/or
  • Notification by a local, state, or federal agency of an event related to the implementation of the licensee’s cyber security program.

There is no requirement to make four-hour notification if a one-hour notification is made for the same event.Continue Reading Nuclear Regulatory Commission Moving Forward on Data Breach Notification Rules

When it became law on July 7, 2014, the 2014 Intelligence Authorization Act (“IAA”) gave the Director of National Intelligence (“DNI”) 90 calendar days to issue new regulations addressing the requirement that “cleared intelligence contractors” report any “successful penetration” of their networks and information systems.  With the DNI on the clock, what can these contractors expect?

For one thing, following a penetration of a covered network or information system, the DNI regulations will require that a cleared intelligence contractor report the following information to a designated element of the Intelligence Community (“IC”):