On August 26, 2015, the Department of Defense (DOD) issued an interim final rule on cyber incident reporting. The rule is effective immediately and implements provisions of the 2013 and 2015 National Defense Authorization Acts.
The new rule requires contractors and subcontractors (including lower-tier subcontractors) to report cyber incidents that result in an actual or potentially adverse effect on a covered contractor information system, on covered defense information residing in such a system, or on the contractor’s ability to provide operationally critical support. Contractors and subcontractors are required to report such incidents “rapidly,” which is defined as within 72 hours of discovering a cyber incident.
New DFARS clauses and provisions also address expanded safeguarding and reporting policies, limitations on the use and disclosure of third-party contractor information reported to DOD as part of a cyber incident, and offeror representations as to their intention to use cloud computing services in performance of a contract. When a contractor utilizes cloud services, a new DFARS clause requires the contractor to follow and implement certain safeguards and controls. The cloud services DFARS clause must be flowed down to subcontracts that involve or may involve cloud services, including subcontracts for commercial items.
While the new rule is effective immediately, interested parties may submit comments by October 26, 2015. Comments will be considered in shaping a final rule.