Global technology company Yahoo! recently admitted it was the victim of a colossal data breach potentially affecting hundreds of millions of its users. Although most cyber incidents encountered by businesses today are significantly smaller in scale, unfortunately, such incidents remain a current fact of life. The question is not “if” a cyber incident will happen, but “when.” Companies doing business with the government may have certain reporting obligations when such incidents occur and should act accordingly.
On October 2, 2016, the Department of Defense (“DoD”) published a final rule implementing mandatory cyber incident reporting requirements for defense contractors, effective November 3, 2016 (the “Final Rule”). (See 32 C.F.R. Part 236). This article examines generally what the requirements are, to whom they apply and when, and other related considerations.
Definition Of A “Cyber Incident”
As a preliminary matter, “cyber incident” is defined as “actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.” (See 32 C.F.R. 236.2). Examples of “cyber incidents” include encounters with malicious software, such as trojan horses and spyware, as well as forms of cyber eavesdropping, to name a few.
Types Of “Cyber Incidents” Requiring Reporting
A contractor has an obligation to report a “cyber incident” when it results in “an actual or potentially adverse effect on a covered contractor information system or covered defense information residing therein, or on a contractor’s ability to provide operationally critical support.” (32 C.F.R. § 236.4(b)).
“Covered” defense information in this context essentially refers to unclassified information relating to the contractor’s performance under the contract that could potentially harm the government if exported, or that the government has identified as requiring safeguarding. (32 C.F.R. § 236.2). A “covered” information system is one that processes, stores, or transmits “covered” defense information.
Contractors should be aware that cyber incident reporting involving classified information on classified contractor systems should be in accordance with the National Industrial Security Program Operating Manual (NISPOM).
If the contractor’s circumstances match the foregoing, then it must (1) conduct a review for evidence of compromise of covered defense information, and (2) submit a cyber incident report to the DoD. The contractor’s review should, at a minimum, identify compromised computers, servers, specific data, and user accounts. As part of their review, contractors must also analyze covered information systems that were a part of the incident, as well as those systems on the contractor’s network that may have been accessed. (32 C.F.R. § 236.4(b)(1)).
The contractor’s cyber incident report should include as much information as the contractor has at the time, and must be supplemented with any additional information obtained thereafter. (32 C.F.R. § 236.4(c)). Generally, the report should include the known details about what occurred, to whom it occurred, what was or may be affected and how, as well as information concerning the underlying contract. Specifically, the report should contain the information obtained from the contractor’s review for evidence of compromise, including the date the incident was discovered, the impact to covered defense information, the impact on the contractor’s ability to provide operationally critical support, the locations and types of compromise, a description of the technique/method used in the cyber incident, and the outcome of the incident (i.e., successful compromise, failed attempt, unknown).
The affected contractor should also identify the incident location and facility Commercial And Government Entity (CAGE) codes and Data Universal Numbering System (DUNS) Number, as well as any DoD programs, platforms or systems involved. Additionally, the incident report should identify all applicable clearance levels, point of contact information for contractor and contract number(s) or other type of agreement potentially affected. (See http://dibnet.dod.mil/staticweb/ReportCyberIncident.html for additional requirements).
Before it can submit an incident report, the contractor must first obtain a DoD-approved medium assurance certificate. (32 C.F.R. § 236.4(e)). This certificate permits contractors to securely communicate with the DoD and authenticate themselves.
Also, if malicious software, such as a trojan horse, is discovered and isolated, the contractor must submit it to the DoD. (32 C.F.R. § 236.4(h)). Additionally, a contractor must preserve media (images or data) known to be affected by a cyber incident for at least 90 days from reporting the incident to the DoD. (32 C.F.R. § 236.4(i)). This allows the DoD time to request or decline the affected media.
Subcontractors are required to simultaneously report to both the prime contractor and the DoD. Consequently, contractors, in addition to expressly including (or incorporating by reference) the mandatory reporting requirements in any applicable contract with the DoD, must ensure they “flow down” the requirements to applicable subcontracts. (32 C.F.R. § 236.4(d)).
Who Must Comply With The Reporting Requirements
The mandatory reporting requirements apply to contractors or subcontractors (including lower tiered subcontractors) who have entered into agreements with the DoD. This embraces “all forms of agreements,” including contracts, grants, cooperative agreements, other transaction agreements, technology investment agreements, and any other type of legal instrument or agreement.
When To Report A “Cyber Incident”
A contractor must “rapidly” report a “cyber incident” to the DoD, essentially within 72 hours of discovery. (32 C.F.R. § 236.4(b)(2), § 236.2). A subcontractor must simultaneously report such incidents to the DoD and the prime contractor. (32 C.F.R. § 236.4(d)).
Other Reporting Requirements
Defense contractors should note that reporting under the Final Rule does not relieve them of any other cyber incident reporting obligations they may have, including any reporting requirements that may exist in the underlying contract or agreement or in other governmental statutes or regulatory requirements. (32 C.F.R. § 236.4(p)).
Consequences For Non-Compliance
Contractors should also not be fooled into thinking there are no consequences for non-compliance with the new reporting requirements simply because the Final Rule itself does not impose any new or additional consequences. Contractors remain subject to all existing, generally applicable contractor compliance mechanisms. Additionally, a contracting officer may take whatever remedial actions he or she deems necessary for non-compliance with the requirements of the underlying contract or agreement.
In summary, under the Final Rule, the DoD has obligated contractors and subcontractors to conduct a review and submit a report within 72 hours of discovering a qualifying “cyber incident.” Contractors should be aware of additional reporting requirements that may exist in any underlying agreement or in other applicable statutes or regulations.
Each particular “cyber incident” is unique and an affected contractor (or other organization) should consult with a government contracts attorney to review the applicable rules, regulations, and contractual requirements.