Government Contracts Monitor

2015 NDAA Likely to Require Reporting of Cyber Incidents by Certain Contractors; Potential Impact Remains Unclear

December 9, 2014

Last week, members of the House and Senate agreed to retain draft language in the 2015 National Defense Authorization Act (2015 NDAA) bill that would amend Title 10 of the U.S. Code to require “operationally critical” Defense contractors to promptly report “cyber incidents” to the Department of Defense (DoD). The proposed statutory change comes as a result of a yearlong Senate committee investigation into hacking incidents relating to the U.S. Transportation Command (TRANSCOM) – an investigation that revealed over 50 incidents of hacking over a 12-month period ending May 2013, only two of which were reported to TRANSCOM, according to The Washington Post.

Section 1632 of the draft 205 NDAA bill, entitled Reporting on Cyber Incidents with Respect to Networks and Information Systems of Operationally Critical Contractors, requires the Secretary of Defense to designate a DoD component to receive cyber incident reports and to publish procedures by which all operationally critical contractors will timely report such incidents to that DoD component.

Section 1632 defines an “operationally critical” contractor as “a contractor designated by the Secretary for purposes of this section as a critical source of supply for airlift, sealift, intermodal transportation services, or logistical support that is essential to the mobilization, deployment, or sustainment of the Armed Forces in a contingency operation.” To make clear which contractors are covered, the draft language requires DoD to notify all contractors deemed to meet the definition of their status. These contractors will then be required “to rapidly report … each cyber incident with respect to any network or information system of such contractor.”

Under Section 1632, the term “cyber incident” means any action “taken through the use of computer networks that result in an actual or potentially adverse effect on an information system or the information residing therein.” All cyber incidents are reportable incidents. The draft provision requires each report to include: (i) the affected contractor’s assessment of the cyber incident’s effect on its ability to meet the contractual requirements of the DoD; (ii) the technique or method used in such cyber incident; (iii) a sample of any malicious software, if known; and (iv) a summary of the information compromised by the incident.

The 2015 NDAA bill is expected to face final Congressional scrutiny shortly, but it remains to be seen how the required reporting, if adopted, would ultimately affect those contractors deemed “operationally critical.” The bill attempts to protect certain potentially sensitive information by requiring procedures ensuring reasonable protection of trade secrets, commercial or financial information, and information that could identify a specific individual. As currently drafted, the bill also requires procedures to limit DoD’s dissemination of information obtained to those entities that “may be affected by such information; that may be called upon to assist in the diagnosis, detection, or mitigation of cyber incidents; that conduct counterintelligence or law enforcement investigations; or for national security purposes, including cyber situational awareness and defense purposes.”

Still, sharing such sensitive information could easily lead to potential exposure to private or public lawsuits or stricter scrutiny during future procurements. For this reason, if the current version of Section 1632 becomes law, industry participation in the resulting rulemaking will be the key to avoiding unintended consequences. We will continue to monitor and report on this issue.

Heather Joyce is responsible for the contents of this article.