The Pentagon is rolling out long-awaited rules governing how the defense industry should report cybersecurity incidents.
The regulations, published in the Federal Register on Wednesday, require contractors and subcontractors to report “cyber incidents that result in an actual or potentially adverse effect” on either the contractor’s information system and data, or its ability to “provide operationally critical support.”
The new rules are intended to create a single pathway for all Defense Department contractors to report cyber incidents, “minimiz[ing] duplicative reporting processes.”
While the Office of Management and Budget (OMB) has been working to shore up cybersecurity in the federal acquisition process, these regulations have their genesis in much earlier legislative efforts.
The proposed rules fulfill a provision of the 2013 National Defense Authorization Act, which required the Pentagon to develop breach-reporting procedures within 90 days.
The new regulations also satisfy a provision of the 2015 National Defense Authorization Act requiring contractors to report cyber incidents. It also mandates that the agency develops clear policies for acquiring cloud computing services.
The separate OMB guidance, open for comment until Sept. 10, would require federal contractors across agencies to report not only known breaches but also any suspicious activity that could result in an “adverse effect” on either an IT system or its data.
The deadline for submitting public comments on the Pentagon proposal is Oct. 26.