FY13 NDAA Imposes New Breach Reporting Requirements on Cleared Defense Contractors
January 28, 2013
By: Eric Whytsell
As previously reported here, despite the FAR rule proposed last August relating to the protection of nonpublic Government information, the contracting community continues to wait for the Department of Defense (DoD) to issue a proposed rule governing unclassified information under Defense Federal Acquisition Regulation Supplement (DFARS) Case 2008-D028, 75 Fed. Reg. 9563 (Mar. 3, 2010). Against this backdrop, Congress has decided to forge ahead and address what happens when classified systems are compromised. Section 941 of the FY13 National Defense Authorization Act (NDAA) requires the DoD to establish mandatory procedures governing the reporting of successful cyber-penetration of a covered network within 90 days of the NDAA's enactment (i.e., by April 2013).
As used in Section 941, "covered network" means "a network or information system of a cleared defense contractor that contains or possesses information created by or for the [DoD] with respect to which such contractor is required to apply enhanced protection." Section 941(e)(2). A "cleared defense contractor" is "a private entity granted clearance by the [DoD] to access, receive, or store classified information for the purposes of bidding for a contract or conducting activities in support of any program of the [DoD]." Section 941(e)(1). Whether a particular covered network will be subject to the new reporting requirements will depend on criteria to be developed by a yet-to-be-appointed senior official in consultation with a collection of other high-level DoD officials identified in the statute. Section 941(b).
The procedures to be developed by DoD under Section 941 must require "rapid reporting" of each successful penetration, including (i) a description of the technique used; (ii) a sample of any malicious software used, if discovered and isolated by the contractor; and (iii) a summary of any information created by or for the DoD in connection with a DoD program that was potentially compromised. Section 941(c)(1). They must also include mechanisms for DoD personnel to obtain access to equipment or information necessary to conduct a forensic analysis to determine whether DoD information was successfully exfiltrated and, if so, what information was involved. Section 941(c)(2)(A)-(B). In addition, the procedures must provide for "reasonable protection" of trade secrets, commercial or financial information, and information that can be used to identify a specific person. Section 941(c)(2)(C). Indeed, they must "prohibit the dissemination outside the [DoD] of information obtained or derived through such procedures that is not created by or for the Department except with the approval of the contractor providing such information." Section 941(c)(3).
Despite the NDAA's nod to the importance of protecting contractors' valuable proprietary information, its requirement for "reasonable protection" may not inspire great confidence in contractors, at least not yet. But, since the procedures have not yet been drafted, most contractors will withhold their comments until they see the actual parameters of the new rules.
The good news is that the Conference Report on the FY13 NDAA makes clear that Congress expects DoD to "consult with industry as it develops the reporting process pursuant to [Section 941]." H.R. Rep. No. 112-705 at 837 (2012) (Conf. Rep.). For what it's worth, the Conference Report also notes that the provision is intended to be compatible with, and provide support for, that eventual DFARS rule. Id. Hopefully, DoD will engage with industry in a productive manner that enables the development of reporting procedures that fulfill Congress's stated goals. Only time will tell.
Eric Whytsell is the attorney responsible for the content of this article.