WASHINGTON -- The US Department of Defense has issued its response to public comments to a pending rule regarding cybersecurity at its contractors.
The pending rule implements statutory requirements for DoD contractors and subcontractors to report cyber incidents that result in an actual or potentially adverse effect on a covered contractor information system or covered defense information residing therein, or on a contractor’s ability to provide operationally critical support.
The interim final rule was published Oct. 2, 2015. At that time, the DoD requested public comment on it. The agency has collated those comments and issued its responses as part of a 23-page report.
The mandatory reporting applies to all forms of agreements between DoD and defense industrial base (DIB) companies (contracts, grants, cooperative agreements, other transaction agreements, technology investment agreements, and any other type of legal instrument or agreement). The revisions are part of DoD's efforts to establish a single reporting mechanism for such cyber incidents on unclassified DoD contractor networks or information systems. Reporting under this rule does not abrogate the contractor's responsibility for any other applicable cyber incident reporting requirement. Cyber incident reporting involving classified information on classified contractor systems will be in accordance with the National Industrial Security Program Operating Manual (DoD–M 5220.22).
The rule also addresses the voluntary DIB CS information sharing program that is outside the scope of the mandatory reporting requirements. By modifying the eligibility criteria for the DIB CS program, the rule enables greater participation in the voluntary program. Expanding participation in the DIB CS program is part of DoD’s comprehensive approach to counter cyber threats through information sharing between the Government and DIB participants.