During markup of the 2016 National Defense Authorization Act (“NDAA FY 2016”) on April 27, House Armed Services Committee Chairman Mac Thornberry (R-TX) proposed an amendment that would provide liability protection to certain Department of Defense (“DoD”) contractors for properly reporting cyber incidents on their networks and information systems.
This amendment relates back to two legislative efforts to impose data breach notification requirements on DoD contractors:
- NDAA FY 2013 Section 941, which requires “cleared contractors” (private entities granted clearance by DoD to “access, receive, or store classified information” for contractual purposes) to report “successful penetrations” of their networks or information systems.
- NDAA FY 2015 Section 1632 (10 U.S.C. § 391), which requires DoD-designated “operationally critical contractors” (those contractors determined to be critical sources of supply or support essential to the mobilization, deployment, or sustainment of the Armed Forces in a contingency operation) to “rapidly” report each cyber incident on any of their networks or information systems.