On October 4, 2016, the Department of Defense (“DoD”) published a final rule implementing mandatory cyber incident reporting requirements for DoD contractors and subcontractors. The rule, which is effective as of November 3, 2016, requires DoD contractors and subcontractors to report cyber incidents to the DoD within 72 hours of discovery. A “cyber incident” is defined as “actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.”
The rule applies prospectively and requires that the reporting obligation be written into every form of agreement between the DoD and a contractor (prime or subcontractor) under which “covered defense information resides on, or transits covered contractor information systems or under which a contractor provides operationally critical support.”
Contractors are required to flow down the same reporting requirements to their subcontractors that provide operationally critical support or if the subcontract involves a covered contractor information system. Such subcontractors are required to report cyber incidents both directly to the DoD and to the contractor.
In issuing the final rule, the DoD clarified that the reporting requirements under the final rule do not abrogate a contractor’s responsibility to report cyber incidents under any other statutory or regulatory scheme or based on other contract requirements.
The rule also sets out procedures for a Defense Industrial Base (“DIB”) cybersecurity information sharing program that eligible DoD contractors may join on a voluntary basis. Under that program, the DoD may share both classified and unclassified cyber threat information and cybersecurity best practices with DIB participants.
The final rule, codified at 32 C.F.R. Part 236, modifies the interim final rule published on October 2, 2015, in response to public comments received on that interim rule.