Breaching Bad: New Cyber Security Regs for Defense Contractors

by Snell & Wilmer

Defense contractors with access to classified information will soon be required to quickly notify Defense Department (DOD) officials if the company’s computer network or information system is successfully penetrated in a cyber-attack. Those contractors will also be obligated to provide the Pentagon with access to their breached computer systems for investigation purposes, and also hand over any forensic analysis the company undertook following the cyber-attack.

Section 941 of the National Defense Authorization Act for Fiscal Year 2013 directs the Secretary of Defense to establish such reporting procedures.[1] A draft is expected to be released in September, which may include a public notice and comment period.[2] Just how the DOD will implement the new “rapid reporting” and other requirements, and how several key items will be defined, remains to be seen.

Defense Contractors to Whom Section 941 Applies

The rapid reporting requirements will apply to “cleared defense contractors,” which are those private companies that have been granted clearance by the DOD to access, receive or store classified information for the purpose of bidding for a contract or conducting activities in support of any DOD program.[3] It will apply to “covered networks,” meaning the network or information system of a cleared defense contractor that contains or processes information created by or for the DOD with respect to which such contractor is required to apply enhanced protection.[4]

What Section 941 Will Require

Rapid Reporting

Each cleared defense contractor will need to “rapidly report” to a designated Pentagon official “each successful penetration” of the covered network or information systems of such contractor. The report shall include a description of the technique or method used in such penetration; a sample of the malicious software, if discovered and isolated by the contractor, involved in the penetration; and a summary of the information created by or for the DOD that may have been compromised.[5]

Access for Pentagon Personnel to Compromised Systems and Information

In addition to the rapid reporting requirement, the procedures will provide mechanisms for DOD personnel to gain access to hacked equipment and information for a forensic analysis of the penetration, as well as any analysis already conducted by the contractor.[6] The DOD’s access to the contractor’s computers is to be limited to determining what, if any, DOD information was actually taken (or in cyber parlance, “exfiltrated”). Section 941 calls for the reasonable protection of trade secrets, commercial or financial information, and information that can be used to identify a specific person.[7] Non-DOD information derived through these procedures is prohibited from being disclosed outside the DOD, unless the contractor otherwise approves.[8]

Open Questions about Section 941

As with many regulations, the angels will be in the details. Section 941 did not specify several key items, such as how rapidly the contractor must report the breach to the DOD.[9] Also yet to be determined is how a “penetration” will be defined (and thus trigger the reporting requirement, etc.) and whether the incident will be required to be publicly disclosed or, conversely, whether it will be required not to be publicly disclosed for national security reasons (a particular concern to defense contractors which are public companies and may be subject to SEC disclosure guidelines/requirements). Also left open is whether a penetrating cyber-attack on a network or information system containing only unclassified information will be considered a reportable event.

Similarly unclear is the extent of access to networks/information systems the contractor must provide the DOD to allow a forensic analysis of the penetration and data breach. Whether that means the government will be allowed to access contractor business data or personal information of contractor employees or for how long the government will be given access (including taking physical possession of contractor computers and other network hardware) is yet to be determined. How these situations are handled could mean the difference between a contractor being able to continue operating or having to close its doors, either temporarily or permanently.

Section 941: Part of a Broader Defense/Intelligence Cyber Security Regulatory Scheme

The new reporting mandates in Section 941 are intended to be compatible with other cyber protections and reporting requirements being developed by the DOD and intelligence agencies for a broader range of contractors.

Protection of Unclassified DOD Controlled Technical Information

Late last year, the DOD issued a final rule amending the Defense Federal Acquisition Regulations (DFARS) to add a new provision for safeguarding unclassified controlled technical information.[10] It requires contractors with unclassified “controlled technical information” resident on or passing through their information systems to use a minimum set of cyber security controls to protect the information. In addition, as with Section 941, contractors bound by DFARS are required to notify the DOD of successful cyber-attacks on the information systems on which the unclassified controlled technical information is located. Notably, these new requirements also apply to subcontractors and vendors.

New Intelligence Contractor Cyber Security Reporting Requirements

On July 7, 2014, the President signed into law the Intelligence Authorization Act for Fiscal Year 2014 (Pub. L. 113-126). Section 325 of this statute is similar to the DOD’s Section 941, but applies to cleared intelligence contractors (those with security clearances). They, like their defense contractor counterparts, will be required to rapidly report and provide government investigators access following successful cyber-attacks on their systems. The Director of National Intelligence will be responsible for establishing the procedures to be followed by the affected intelligence contractors.

Conclusion

Companies that work with the U.S. government, and particularly defense contractors, have been prime targets for cyber-attacks for many years. Significant resource allocation for cyber security is simply part of the cost of doing business with the government.

Government is reacting to the cyber threat, in part, by doing what it does – passing new laws and enacting new regulations. Consequently, the cost of doing government business going forward will mean devoting more resources to tracking and complying with an expanding scheme of cyber security regulations.

The government’s attention to cyber security is not diminishing. Thus far in 2014, nearly every cabinet-level federal agency has issued policy statements, frameworks, directives, regulations or other guidance concerning various aspects of cyber security. Maintaining regulatory compliance will be an essential part of getting and keeping contracts, both in the public and private sectors.

Notes

[1] National Defense Authorization Act of 2013, Pub. L. No. 112-239 (Jan. 2, 2013).

[2] Section 941 did not specify that DOD follow a rulemaking process with public notice and comment. However, the Congressional conferees noted that they “expect DOD to consult with industry as it develops the reporting process.” See Conference Report on H.R. 4310, National Defense Authorization Act for FY 2013, 112th Cong. 2nd Sess. 2012 H7149 (Dec. 18, 2012).

[3] Section 941(e)(1).

[4] Section 941(e)(2).

[5] Section 941(c)(1).

[6] Section 941(c)(2)(A).

[7] Section 941(c)(2)(B).

[8] Section 941(c)(3).

[9] The Defense Federal Acquisition Regulation governing the protection of unclassified controlled technical information (UCTI) calls for contractors covered by that rule to report UCTI breaches within 72 hours.

[10] DFARS Case 2011-D039 (November 18, 2013).


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Snell & Wilmer | Attorney Advertising
