The final rule, recently published by the Office of the Chief Information Officer of the DoD, will implement requirements that all DoD contractors and subcontractors will have to comply with when reporting cyber incidents. It defines the mandatory cyber incident reporting requirements, which the Department of Defense says will apply to “all forms of agreement between DoD and DIB companies”. The agreements in question include contracts, grants, cooperative agreements, and any other type of legal instrument or agreement.
Specifically, under the final rule, contractors and subcontractors are required to report cyber incidents that result in an actual or potentially adverse effect on a “covered contractor information system” or “covered defense information residing therein,” or on the contractor’s ability to provide “operationally critical support.” The final rule does not change the content or timing of the incident reports, which must still be made within 72 hours of the contractor becoming aware of the breach.
One of the goals of this rule is to establish a uniform reporting standard for cyber incidents on unclassified DoD contractor networks or information systems. Under this rule, DoD contractors and subcontractors will be required to report cyber incidents that result in an “actual or potentially adverse effect on a covered contractor information system or covered defense information residing therein, or on a contractor’s ability to provide operationally critical support”.
While it is notable that every cyber incident is potentially subject to reporting, it is also important to note that this rule changes the definition of Covered Defense Information (CDI). The rule states that CDI will now refer to any data in the Controlled Unclassified Information Registry that requires “safeguarding or dissemination controls pursuant to and consistent with law, regulations and Government-wide policies” and is either (a) marked or otherwise identified in an agreement and provided to the contractor by or on behalf of the DoD in support of the performance of the agreement, or (b) collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the agreement.
There is also a new definition of a covered contractor information system, which is now defined as an “unclassified information system that is owned or operated by or for a contractor and that processes, stores, or transmits covered defense information.”
A great deal of data, of many different types, goes into a cyber incident report. While on the technical side there is an ongoing discussion about which taxonomy should be used for effective reporting, strategists agree that producing a cyber incident report that complies with the requirements above is not an easy task, and it can consume considerable time and resources.
However, there are solutions designed for exactly this purpose that can help contractors save time and money by automatically gathering the necessary information after an incident and generating reports that support the investigation.
For instance, every entity to which the DoD's Final Rule on Cyber Incident Reporting applies can benefit from software with KPI report summary capabilities, which produces information summaries for all incidents matching user-specified criteria.
Such software should also be able to generate custom, user-invoked reports from previously created templates, so that the output complies with most cyber incident reporting standards and requirements worldwide, not only those of the United States.
In my personal opinion, there is still a consistent number of companies (that are part of the IT supply chain) which are not ready for such regulations. On the other hand, vendor risk management is quickly becoming part not only of the Government system but also of business practice. So breach notification policies shall be globally followed as part of it. The main risk is that it will be interpreted as a compliance task, not a security one. Thus, the real challenge will be creating value out of such a compliance task. In my personal experience, value can be created only in two ways: by providing the correct information (in a timely and standard manner) and by sharing it. Time will tell.
Dario Forte / 26 Jan 2018