Given the failure to enact comprehensive cybersecurity legislation last year, Congress included several targeted statutory provisions setting federal defense policy on a range of cybersecurity issues in the National Defense Authorization Act (NDAA) enacted into law on January 2, 2013.
While concerns over data security have become ubiquitous across industries, the risks associated with data breaches remain a critical concern in the defense industry given the national security information possessed by the Nation's defense industrial base and cleared defense contractor community. In light of the risks to national security, Congress included a series of cybersecurity-related provisions in the NDAA's policy sections, some of which may impact the defense contracting community.
From the perspective of the private sector, the requirement for mandatory reporting by "cleared defense contractors," in Section 941, is perhaps the most important of these new cybersecurity provisions, and raises the most serious compliance questions. Section 941 requires that, within 90 days from enactment, the Secretary of Defense "shall establish procedures that require each cleared defense contractor to report" to the appropriate designated official "when a network or information system of such contractor that meet [the criteria established certain Defense officials] is successfully penetrated."
The associated Conference Report states that Congress expects DoD to consult with industry and build on the existing voluntary information sharing provisions within the defense industrial base. Concerning the scope of reportable information specified in DoD's procedures, the Conference Report states the procedures should generally "exclude access to information that is not essential to understanding and preventing penetrations potentially resulting in the loss of DoD information."
With new leadership on both House and Senate panels with primary oversight responsibility for homeland security, and with the leaders of the House Intelligence Committee interested in reviving their cybersecurity proposal from last year, Congress' path forward on cybersecurity legislation in 2013 is not yet clear.
In the interim, it is widely expected that the President will issue an Executive Order addressing certain aspects related to cybersecurity. Most significantly, the President's Executive Order has the potential to clarify the interagency relationship between the various departments and agencies touched by cybersecurity. While the timing of any Presidential action is not known, the next point at which the President could achieve maximum publicity for an Executive Order would be at or near his State of the Union address, which is expected in late January 2013.