Congress Ratchets Up Cyber Incident Reporting and Supply Chain Security Requirements

In December 2014, Congress expanded the cybersecurity requirements that will apply to certain government contractors and information technology (IT) procurements by enacting two bills with important new cyber and supply chain security provisions.  First, the National Defense Authorization Act for Fiscal Year 2015 (the NDAA) added a new requirement that "operationally critical contractors" must report certain "cyber incidents" related to their networks and information systems.¹ Second, the Consolidated and Further Continuing Appropriations Act, 2015 (the CFCAA) added a requirement that the Departments of Commerce and Justice, the National Aeronautics and Space Administration (NASA), and the National Science Foundation (NSF) must assess the risk of cyberespionage or sabotage before acquiring IT systems.² These cyber incident reporting and supply chain security requirements expand on existing Department of Defense (DoD) rules and requirements under past appropriations laws, as discussed below.³

After repeated failures to pass comprehensive cybersecurity legislation, Congress is increasingly using the "power of the purse" to expand cybersecurity requirements that apply to certain private sector companies.  Defense contractors and technology companies should be aware of how these new requirements could impact their businesses.  Other private sector entities may also face new cybersecurity laws in the new year because the massive cyber attacks on Sony Pictures and other recent high profile cyber incidents are likely to increase focus on cybersecurity now that the new Congress has taken office. 

Cyber Incident Reporting under the NDAA

On December 19, 2014, President Obama signed the NDAA, which contained a new provision that requires DoD to establish procedures requiring reporting of "cyber incidents" related to networks and information systems of "operationally critical contractors."  An "operationally critical contractor" is a contractor designated by DoD "as a critical  source of supply for airlift, sealift, intermodal transportation services, or logistical support that is essential to the mobilization, deployment, or sustainment of the Armed Forces in a contingency operation.''  DoD will establish procedures for notifying contractors that have been designated as operationally critical.

Under Section 1632 of the NDAA, such operationally critical contractors will be required to report "in a timely manner" to DoD "cyber incidents" including all "actions taken through the use of computer networks that result in an actual or potentially adverse effect on an information system or the information residing therein."  Such reports will be required each time a cyber incident occurs with respect to a network or information system of such an operationally critical contractor and must include the following: (i) an assessment by the contractor of the effect of the cyber incident on the ability of the contractor to meet the contractual requirements of DoD, (ii) the technique or method used in such cyber incident, (iii) a sample of any malicious software, if discovered and isolated by the contractor, involved in such cyber incident, and (iv) a summary of information compromised by such cyber incident.

The NDAA requires DoD to establish procedures within 90 days of the law's enactment (i.e., by March 19, 2015) for operationally critical contractors to "rapidly" file such cyber incident reports.  DoD's procedures must include a mechanism for DoD to "assist operationally critical contractors in detecting and mitigating penetrations."  However, operationally critical contractors will only be required to provide access to equipment or information to determine whether information created by or for DoD in connection with DoD programs was successfully exfiltrated from a network or information system of such contractor and, if so, what information was exfiltrated.  The procedures will include "reasonable" protection of trade secrets, commercial or financial information, and information that can be used to identify a specific person.  The NDAA also requires DoD to assess its existing requirements for contractor cyber incident reports and for sharing of information relating to such cyber incidents with appropriate DoD components and to revise its guidance as appropriate.

These new cyber incident reporting requirements build on Section 941 of the National Defense Authorization Act for Fiscal Year 2013 and DoD's November 18, 2013 rule on adequate security and ''cyber incident'' reporting (the 2013 DoD Cyber Rule).⁴  However, the 2013 DoD Cyber Rule only relates to unclassified controlled technical information (UCTI), whereas Section 1632 of the NDAA could apply more broadly to information that would not constitute UCTI in the networks and information systems of operationally critical contractors.  The extent to which this will expand cyber incident reporting beyond DoD's existing requirements under the 2013 DoD Cyber Rule will depend on the details of the new procedures that are due to be issued by DoD no later than March 19, 2015. 

Supply Chain Security under the CFCAA

Section 515 of the CFCAA, which President Obama signed into law on December 16, 2014, requires the Departments of Commerce and Justice, NASA and NSF (CJS Agencies) to assess the risk of cyberespionage or sabotage before acquiring information technology systems and requires them to make a determination before acquiring such systems that such procurement is "in the national interest."  The requirements of Section 515 apply to acquisition of "high-impact or moderate-impact information systems," as defined for security categorization in the National Institute of Standards and Technology's (NIST) Federal Information Processing Standard Publication 199, Standards for Security Categorization of Federal Information and Information Systems (Covered Information Systems).

CJS Agencies must review the supply chain risk for Covered Information Systems against criteria developed by NIST and must review the supply chain risk from the presumptive awardee against available threat information provided by the Federal Bureau of Investigation (FBI) and other federal agencies.  In addition, CJS Agencies in consultation with the FBI and other appropriate federal agencies must conduct an assessment of any risk of cyber-espionage or sabotage associated with the acquisition of such systems, including risk associated with such systems being produced, manufactured, or assembled by entities identified by the U.S. government as posing a cyber threat.  In order for a CJS Agency to acquire a Covered Information System, the head of the entity conducting the cyber risk assessment must: (i) develop a mitigation strategy for any identified risks in consultation with NIST and supply chain risk management experts; (ii) determine that the acquisition of such system is in the "national interest" of the United States; and (iii) report that determination to the House and Senate Committees on Appropriations.

Section 515 of the CFCAA builds on Section 516 of the Consolidated and Further Continuing Appropriations Act, 2013, H.R.933, which prohibited CJS Agencies from purchasing IT equipment "produced, manufactured or assembled" by entities "owned, directed, or subsidized by the People's Republic of China" without performing an assessment of associated risk of cyber-espionage or sabotage in consultation with the FBI.  However, unlike under Section 516, Section 515 of the CFCAA does not limit the cyber risk assessment requirement to China, although it does explicitly refer to procurements from entities "that may be owned, directed, or subsidized by the People's Republic of China."  The CFCAA's new requirements will impose a higher burden on CJS Agencies that wish to purchase Covered Information Systems from non-US suppliers to assess and mitigate risks and to make a national interest determination.