A Weekend in Incident Response #3: U.S. Department of Defense Introduces Final Rule on Cyber Incident Reporting

Posted by Dario Forte - 07th Nov 2016
Department of Defense introduces Final Rule on Cyber Incident Reporting

On November 3, 2016, a new cyber incident reporting rule for Defense Industrial Base (DIB) companies doing business with the U.S. Department of Defense (DoD) went into effect.

The final rule, recently published by the Office of the Chief Information Officer of the DoD, implements requirements that all DoD contractors and subcontractors will have to comply with when reporting cyber incidents. It defines the mandatory cyber incident reporting requirements, which the Department of Defense says will apply to “all forms of agreement between DoD and DIB companies”. The agreements in question include contracts, grants, cooperative agreements, and any other type of legal instrument or agreement.

Adopting a Standard Reporting Mechanism

One of the goals of this rule is to establish a uniform reporting standard for cyber incidents on unclassified DoD contractor networks or information systems. Under this rule, DoD contractors and subcontractors will be required to report cyber incidents that result in an “actual or potentially adverse effect on a covered contractor information system or covered defense information residing therein, or on a contractor’s ability to provide operationally critical support”.

While it is interesting to see that every cyber incident is potentially subject to reporting, it is also important to note that this rule changes the definition of Covered Defense Information (CDI). The rule states that CDI will now refer to any data in the Controlled Unclassified Information Registry that requires “safeguarding or dissemination controls pursuant to and consistent with law, regulations and Government-wide policies” and that is either (a) marked or otherwise identified in an agreement and provided to the contractor by or on behalf of the DoD in support of the performance of the agreement, or (b) collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the agreement.

There is also a new definition of a covered contractor information system, which is now defined as an “unclassified information system that is owned or operated by or for a contractor and that processes, stores, or transmits covered defense information.”

Using an Incident Response Platform for Efficient and Quick Reporting

A lot of data and many different types of information go into a cyber incident report. While, on the technical side, there is an ongoing discussion about which taxonomy should be used for effective reporting, strategists agree that creating a proper cyber incident report that complies with the above-mentioned requirements is not an easy task, and it can take a lot of time and resources.

However, there are various solutions designed for this exact purpose that can help contractors save a lot of time and money by automatically gathering all the necessary information following an incident and creating reports that can help during investigations.

For instance, all entities that the DoD’s Final Rule on Cyber Incident Reporting applies to can get a lot of use out of software with KPI report summary capabilities, which creates information summaries for all incidents matching previously specified user criteria.

Such software should also be able to create custom reports on demand, using previously created custom templates, that comply with most cyber incident reporting standards and requirements worldwide, not only in the United States.

Is the Existing Vendor Supply Chain Ready for This?

In general, I personally think there is still a considerable number of companies, part of the IT supply chain, that are not ready for such regulations. On the other hand, vendor risk management is quickly becoming part not only of the Government system but also of business practice. So breach notification policies shall be globally followed as part of it. The main risk is that it will be interpreted as a compliance task, not a security one. Thus, the real challenge will be creating value out of such a compliance task. My personal experience suggests that value can be created in only two ways: by providing the correct information (in a timely and standard manner) and by sharing it. Time will tell.