Congress Addresses Cybersecurity in National Defense Authorization Act

By J.C. Boggs and Alexander K. Haas


Given the failure to enact comprehensive cybersecurity legislation last year, Congress included several targeted statutory provisions setting federal defense policy on a range of cybersecurity issues in the National Defense Authorization Act (NDAA) enacted into law on January 2, 2013.

While concerns over data security have become ubiquitous across industries, the risks associated with data breaches remain a critical concern in the defense industry given the national security information possessed by the Nation's defense industrial base and cleared defense contractor community. In light of the risks to national security, Congress included a series of cybersecurity-related provisions in the NDAA's policy sections, some of which may impact the defense contracting community.

From the perspective of the private sector, the requirement for mandatory reporting by "cleared defense contractors," in Section 941, is perhaps the most important of these new cybersecurity provisions, and raises the most serious compliance questions. Section 941 requires that, within 90 days from enactment, the Secretary of Defense "shall establish procedures that require each cleared defense contractor to report" to the appropriate designated official "when a network or information system of such contractor that meet [the criteria established by certain Defense officials] is successfully penetrated."

The associated Conference Report states that Congress expects DoD to consult with industry and build on the existing voluntary information sharing provisions within the defense industrial base. Concerning the scope of reportable information specified in DoD's procedures, the Conference Report states the procedures should generally "exclude access to information that is not essential to understanding and preventing penetrations potentially resulting in the loss of DoD information."

With new leadership on both House and Senate panels with primary oversight responsibility for homeland security, and with the leaders of the House Intelligence Committee interested in reviving their cybersecurity proposal from last year, Congress' path forward on cybersecurity legislation in 2013 is not yet clear.

In the interim, it is widely expected that the President will issue an Executive Order addressing certain aspects related to cybersecurity. Most significantly, the President's Executive Order has the potential to clarify the interagency relationship between the various departments and agencies touched by cybersecurity. While the timing of any Presidential action is not known, the next point at which the President could achieve maximum publicity for an Executive Order would be at or near his State of the Union address, which is expected in late January 2013.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
