U.S. Department of Defense Introduces Final Rule on Cyber Incident Reporting


On November 3, 2016, a new cyber incident reporting rule for Defense Industrial Base (DIB) companies doing business with the U.S. Department of Defense (DoD) went into effect.

The final rule, recently published by the Office of the Chief Information Officer of the DoD, implements requirements that all DoD contractors and subcontractors must comply with when reporting cyber incidents. It defines the mandatory cyber incident reporting requirements, which the Department of Defense says will apply to “all forms of agreement between DoD and DIB companies”. The agreements in question include contracts, grants, cooperative agreements, and any other type of legal instrument or agreement.

Adopting a Standard Reporting Mechanism

One of the goals of this rule is to establish a uniform reporting standard for cyber incidents on unclassified DoD contractor networks or information systems. Under this rule, DoD contractors and subcontractors are required to report cyber incidents that result in an “actual or potentially adverse effect on a covered contractor information system or covered defense information residing therein, or on a contractor’s ability to provide operationally critical support”.

While it is notable that every cyber incident is potentially subject to reporting, it is also important to note that this rule changes the definition of Covered Defense Information (CDI). CDI now refers to any data in the Controlled Unclassified Information Registry that requires “safeguarding or dissemination controls pursuant to and consistent with law, regulations and Government-wide policies” and that is either (a) marked or otherwise identified in an agreement and provided to the contractor by or on behalf of the DoD in support of the performance of the agreement, or (b) collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the agreement.

There is also a new definition of a covered contractor information system, now defined as an “unclassified information system that is owned or operated by or for a contractor and that processes, stores, or transmits covered defense information.”

Using an Incident Response Platform for Efficient and Quick Reporting

A great deal of data, of many different types, goes into a cyber incident report. While, on the technical side, there is an ongoing discussion about which taxonomy should be used for effective reporting, strategists agree that producing a proper cyber incident report that complies with the requirements above is not an easy task, and that it can consume a lot of time and resources.

However, there are various solutions designed for this exact purpose that can help contractors save time and money by automatically gathering the necessary information following an incident and creating reports that support the subsequent investigation.

For instance, all entities to which the DoD's Final Rule on Cyber Incident Reporting applies can benefit from software with KPI report summary capabilities, which creates information summaries for all incidents according to previously specified user criteria.

Such software should also be able to create custom reports that can be invoked by the user, using previously created custom templates, and that comply with most cyber incident reporting standards and requirements worldwide, not only in the United States.

Is the Existing Vendor Supply Chain Ready for This?

In general, I personally think there is still a considerable number of companies, part of the IT supply chain, that are not ready for such regulations. On the other hand, vendor risk management is quickly becoming part not only of the Government system but also of business practice, so breach notification policies shall be globally followed as part of it. The main risk is that it will be interpreted as a compliance task, not a security one. Thus, the real challenge will be creating value out of such a compliance task. My personal experience suggests to me that value can be created in only two ways: by providing the correct information (in a timely and standard manner) and by sharing it. Time will tell.
