DoD Updates Cyber Incident Reporting Rule
On October 4, 2016, a final rule was published in the Federal Register that implements statutory requirements for Department of Defense (DoD) contractors and subcontractors to report cyber incidents that result in an actual or potentially adverse effect on a covered contractor information system or covered defense information residing therein, or on a contractor’s ability to provide operationally critical support.
The final rule responds to public comments on the interim final rule published on October 2, 2015, and updates DoD’s Defense Industrial Base (DIB) Cybersecurity (CS) Activities. The mandatory reporting requirements apply to all forms of agreements between DoD and DIB companies (contracts, grants, cooperative agreements, other transaction agreements, technology investment agreements, and any other type of legal instrument or agreement). The revisions are part of DoD’s efforts to establish a single reporting mechanism for such cyber incidents on unclassified DoD contractor networks or information systems. Importantly, reporting under this rule does not abrogate the contractor’s responsibility for any other applicable cyber incident reporting requirement to which the contractor may be subject (e.g., FTC, state laws).