DoD published an interim rule this week requiring contractors and subcontractors to report cyber incidents that result in an actual or potentially adverse effect on a covered contractor information system or covered defense information residing therein, or on a contractor's ability to provide operationally critical support. It also allows DoD personnel access to equipment and information to assess the impact of reported penetrations. This rule implements a provision in the 2015 National Defense Authorization Act (NDAA) and you can read the full text by clicking here.
What are "operationally critical contractors", "covered contractor information systems" and "covered defense information"? We need a few definitions.
Compromise means disclosure of information to unauthorized persons, or a violation of the security policy of a system, in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object, or the copying of information to unauthorized media may have occurred.
Cyber incident means actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.
Covered contractor information system means an information system that is owned, or operated by or for, a contractor that processes, stores, or transmits covered defense information.
Covered defense information means unclassified information that is provided to the contractor by or on behalf of DoD in connection with performance of the contract or collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract and is controlled technical information, operations security information, export control information, or any other information marked or otherwise identified in the contract.
There is significantly more to this interim rule than covered here. If you think you might be a covered contractor (or subcontractor) you need to become familiar with it and, if necessary, contact your ACO (Administrative Contracting Officer) for assistance in understanding and complying with the new rules, including the specifics for reporting cyber incidents. That's the ACO's job. Don't hesitate to call them. If you do not know your ACO, use the DCMA search app to find the name.