Defense contractors with access to classified information will soon be required to quickly notify Defense Department (DOD) officials if the company’s computer network or information system is successfully penetrated in a cyber-attack. Those contractors will also be obligated to give the Pentagon access to their breached systems for investigation purposes and to hand over any forensic analysis the company itself undertook following the cyber-attack.
Section 941 of the National Defense Authorization Act for Fiscal Year 2013 directs the Secretary of Defense to establish such reporting procedures. A draft is expected to be released in September, which may include a public notice and comment period. Just how the DOD will implement the new “rapid reporting” and other requirements, and how several key items will be defined, remains to be seen.
Defense Contractors to Whom Section 941 Applies
The rapid reporting requirements will apply to “cleared defense contractors,” which are those private companies that have been granted clearance by the DOD to access, receive or store classified information for the purpose of bidding for a contract or conducting activities in support of any DOD program. It will apply to “covered networks,” meaning the network or information system of a cleared defense contractor that contains or processes information created by or for the DOD with respect to which such contractor is required to apply enhanced protection.
What Section 941 Will Require
Each cleared defense contractor will need to “rapidly report” to a designated Pentagon official “each successful penetration” of the covered network or information systems of such contractor. The report shall include a description of the technique or method used in such penetration; a sample of the malicious software, if discovered and isolated by the contractor, involved in the penetration; and a summary of the information created by or for the DOD that may have been compromised.
Access for Pentagon Personnel to Compromised Systems and Information
In addition to the rapid reporting requirement, the procedures will provide mechanisms for DOD personnel to gain access to hacked equipment and information for a forensic analysis of the penetration, as well as any analysis already conducted by the contractor. The DOD’s access to the contractor’s computers is to be limited to determining what, if any, DOD information was actually taken (or in cyber parlance, “exfiltrated”). Section 941 calls for the reasonable protection of trade secrets, commercial or financial information, and information that can be used to identify a specific person. Non-DOD information derived through these procedures is prohibited from being disclosed outside the DOD, unless the contractor otherwise approves.
Open Questions about Section 941
As with many regulations, the devil will be in the details. Section 941 leaves several key items unspecified, such as how rapidly a contractor must report a breach to the DOD. Also yet to be determined is how a “penetration” will be defined (and thus what triggers the reporting requirement), and whether an incident must be publicly disclosed or, conversely, must be withheld from public disclosure for national security reasons (a particular concern for defense contractors that are public companies and may be subject to SEC disclosure guidance and requirements). Also left open is whether a penetration of a network or information system containing only unclassified information will be a reportable event.
Similarly unclear is the extent of access to networks and information systems a contractor must provide to the DOD for forensic analysis of the penetration and data breach. Whether the government will be allowed to access contractor business data or personal information of contractor employees, and for how long it will be given access (including whether it may take physical possession of contractor computers and other network hardware), is yet to be determined. How these situations are handled could mean the difference between a contractor continuing to operate and having to close its doors, temporarily or permanently.
Section 941: Part of a Broader Defense/Intelligence Cyber Security Regulatory Scheme
The new reporting mandates in Section 941 are intended to be compatible with other cyber protections and reporting requirements being developed by the DOD and intelligence agencies for a broader range of contractors.
Protection of Unclassified DOD Controlled Technical Information
Late last year, the DOD issued a final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to add a new provision for safeguarding unclassified controlled technical information. It requires contractors with unclassified “controlled technical information” resident on or passing through their information systems to apply a minimum set of cyber security controls to protect that information. In addition, as with Section 941, contractors bound by the DFARS clause must notify the DOD of successful cyber-attacks on the information systems on which the unclassified controlled technical information resides. Notably, these requirements also flow down to subcontractors and vendors.
New Intelligence Contractor Cyber Security Reporting Requirements
On July 7, 2014, the President signed into law the Intelligence Authorization Act for Fiscal Year 2014 (Pub. L. 113-126). Section 325 of this statute is similar to the DOD’s Section 941, but applies to cleared intelligence contractors (those with security clearances). They, like their defense contractor counterparts, will be required to rapidly report and provide government investigators access following successful cyber-attacks on their systems. The Director of National Intelligence will be responsible for establishing the procedures to be followed by the affected intelligence contractors.
Companies that work with the U.S. government, and particularly defense contractors, have been prime targets for cyber-attacks for many years. Significant resource allocation for cyber security is simply part of the cost of doing business with the government.
Government is reacting to the cyber threat, in part, by doing what it does – passing new laws and enacting new regulations. Consequently, the cost of doing government business going forward will mean devoting more resources to tracking and complying with an expanding scheme of cyber security regulations.
The government’s attention to cyber security is not diminishing. Thus far in 2014, nearly every cabinet-level federal agency has issued policy statements, frameworks, directives, regulations or other guidance concerning various aspects of cyber security. Maintaining regulatory compliance will be an essential part of getting and keeping contracts, both in the public and private sectors.