On August 26, 2015, the Department of Defense (DoD) published a long-awaited Interim Rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to require “rapid” reporting of “cyber incidents” that result in an “actual or potentially adverse effect” on certain information systems or defense information residing on contractor networks. The Interim Rule is effective immediately.

Executive Summary -

The Interim Rule results in a significant expansion of the mandate on defense contractors and their subcontractors to report on network penetrations and other cyber incidents. Not only does the Interim Rule expand the class of information covered by these new reporting requirements beyond controlled technical information, the Interim Rule also expands coverage to any cyber incident on a covered defense contractor’s system and modifies the baseline of what types of cybersecurity measures constitute adequate security. DoD has also included a host of new contract clauses delineating these requirements that explicitly require flowing these security and reporting requirements down to subcontractors and lower-tier contractors.