Cleared Defense Contractors Should Anticipate New Rapid Reporting Procedures To Report Cyber Intrusions
The clock is ticking for the Department of Defense (DOD) to establish "rapid reporting" requirements for cleared defense contractors to report cyber intrusions on their networks. Section 941 of the National Defense Authorization Act for 2013, signed by the President on January 2, 2013, mandates that the Secretary of Defense must establish such reporting procedures within ninety days of the Act. While Section 941 sets out a basic framework for what the new procedures must require, it leaves unresolved several open questions as to how DOD will implement the new rapid reporting requirements. On January 31, 2013, the Defense Acquisition Regulations (DAR) Council opened a new Defense Federal Acquisition Regulation Supplement (DFARS) case, 2013-D018, Reports to DOD on Penetrations of Networks and Information Systems, to implement Section 941. Contractors should be on alert for a forthcoming rulemaking notice, which would include an opportunity for public comments.