This update will cover two things: (1) the new (yes, again) Department of Defense cybersecurity interim/final rule on reporting cyber incidents by contractors / subcontractors and (2) the money to fund these new rules and recovery of newly imposed requirements.
Interim Final Rule Cybersecurity Implementing Statutory Requirements for DoD Contractors and Subcontractors to Report Cyber Incidents from the National Defense Authorization Act of 2013
On October 2, 2015, the (DoD) issued a final interim rule on Cybersecurity Activities (yes, this is another interim final cyber security rule with a different twist). This rule was effective on October 2, 2015, and comments must be received by December 1, 2015.
The purpose of the rule is to require covered contractors and subcontractors to report cyber incidents which result in an actual or potentially adverse effect on a covered contractor’s information system or defense information on that system. This new rule does not abolish the voluntary reporting system in place.
The requirements apply to all forms of contracts or other agreements between Defense Industrial Base (DIB) cybersecurity contracts or other agreements between DoD and DIB contractors. The requirements are focused on cyber incidents that threaten certain types of DoD program information, such as the technical information under the International Traffic in Arms Regulations (ITAR) and the Export Administration Regulations (EAR).
This rule is intended to harmonize both in definition and operation with other DoD security rules and streamline the reporting process while preserving those distinctions. The rule also modifies eligibility criteria for the voluntary participation in the DIB-DoD cybersecurity information sharing program as part of a comprehensive approach to counter cybersecurity threats through greater insights into adversarial targeting the DIB.
Under this rule, contractors will incur costs associated with the requirements imposed. These costs include: identifying and analyzing cyber incidents and their impacts on covered defense information; or a contractor’s ability to provide operationally critical support; and obtaining DOD-approved medium assurance certificates to ensure authentication and identification when reporting cyber incidents in DoD. (One would think recoverable REA costs). DoD’s costs include onboarding new companies for the voluntary part of the program, and collecting and analyzing the reporting data.
Speaking of Costs—How is the Money Being Allocated by the Government for all the New Security Requirements of the Agencies
With the rash of cybersecurity incidents, like the Office of Personnel Management (OPM) having 5.6 million federal employee fingerprints stolen (think security clearances) and personal information, including social security numbers, being hacked for 21 million employees, it is clear the government is acting and reacting with new regulations and vigilance for itself and its contractors. With such measures come costs.
Since 2006, cybersecurity incidents have increased by roughly 1,000 percent and spending has also increased, with it being approximately $12.5 billion last year. In context, this is the biggest cybersecurity spend around—dwarfing other countries by at least two fold. The new budget asks for $14 billion for cybersecurity, with that money being divided among the agencies. Once at the agency, the agency must decide where to invest—more to detecting, more to preventing, even split, or some other combination. And let’s not forget that the agencies should be paying for the new requirements they are forcing down on its contractors. Practice Pointer: In short, the intention is great, but watch those contract and regulatory requirements, and think about the method you plan to use for recovering costs if you have to implement new requirements.