A Weekend in Incident Response #24: Department of Defense Contractors Required to Comply with New Cyber Incident Reporting Rules

Critical infrastructure is always a common target of cyber criminals. Similar to other countries, the Department of Defense (DoD) is a crucial part of the critical infrastructure in the United States, and as such, it is often exposed to various types of cyber attacks. Not only the Department itself, but its contractors are also under various cyber security threats. That is why the DoD is tightening up the requirements related to the cyber security of its contractors and subcontractors, in an effort to prevent cyber attacks on some of the key components of the nation’s critical infrastructure and protect classified information that is of major geopolitical and strategic importance.

As part of those efforts, the DoD issued a Final Rule aimed at better protecting covered defense information, applying to the Department’s contractors and subcontractors, in October of 2016. Most notably, the final rule revises the “Cloud Computing Services” and the “Safeguarding Covered Defense Information and Cyber Incident Reporting” clauses, referring to the way how contractors and subcontractors are required to handle covered defense information and report cyber incidents to authorities.

How Can Contractors Overcome the Challenges Involved in Mandatory Compliance with These Regulations?

As soon as the final rule was announced, many contractors doing business with the DoD expressed their concerns that the companies included in their supply chain will not be able to achieve full compliance with it before the December 31, 2017 deadline. Their grievances had to do with the clauses requiring contractors and subcontractors to notify the Department of Defense of a cyber security incident within 72 hours of it occurring, as well as some processes related to investigation and documentation of incidents.

The problem that the contractor and subcontractor communities have with these clauses is that they are expected to incur significant additional expenses for their businesses and require hiring additional human resources.

Avoid Increased Costs and Save Time with Just One Incident Response Platform

While the concerns that contractors have expressed regarding this rule are well founded, there are solutions that could help them avoid those potentially significant costs increases, while still ensuring complete compliance with these strict regulations.

One of the possible solutions is utilizing an automation-and-orchestration platform, providing complete case management for cyber security events. By using such a platform designed for fast and effective incident response, contractors and subcontractors will be able to notify authorities of any incident they detect in a timely manner, and collect and keep the required documentation that is required in the later stages of a future investigation.

Incident response platforms can track digital evidence for forensic investigation, along with keeping track of all actions taken by an organization’s cyber security team during an incident response process. On top of that, they can automatically create incident reports containing information that allow your cyber security teams to assess the current status of an incident, what has caused it, and the scope of the damages. With this capability, organizations can have a peace of mind that they will always be covered in case they suffer a cyber security breach. Understanding that they could now rely on an incident response platform to take care of the reporting and notification requirements included in the Department of Defense’s final rule on safeguarding covered defense information and cyber incident reporting.

A Weekend in Incident Response #3: U.S. Department of Defense Introduces Final Rule on Cyber Incident Reporting

On November 3, 2016, a new cyber incident reporting rule for Defensive Industrial Base (DIB) companies that are doing business with the U.S. Department of Defense (DoD) has gone into effect.

The final rule, recently published by the Office of the Chief Information Officer of the DoD, will implement requirements that all DoD contractors and subcontractors will have to comply with when reporting cyber incidents. It defines the mandatory cyber incident reporting requirements, which the Department of Defense says will apply to “all forms of agreement between DoD and DIB companies”. The agreements in question include contracts, grants, cooperative agreements, and any other type of legal instrument or agreement.

Adopting a Standard Reporting Mechanism

One of the goals of this rule is to establish a uniform reporting standard for cyber incidents on unclassified DoD contractor networks or information systems. Under this rule, DoD contractors and subcontractors will be required to report cyber incidents that result in “actual or potentially adverse effect on a covered contractor information system or covered defense information residing therein, or on a contractor’s ability to provide operationally critical support“.

While it is interesting to see that every cyber incident is potentially subject to reporting, it’s also important to note that this rule changes the definition of Covered Defense Information (CDI). The rule states that it will now refer to any data in the Controlled Unclassified Information Registry that requires “safeguarding or dissemination controls pursuant to and consistent with law, regulations and Government-wide policies“ and is either marked or otherwise identified in an agreement and provided to the contractor by or on behalf of the DoD in support of the performance of the agreement, or collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the agreement.

Also, there is a new definition for covered contractor information system, which is now defined as “unclassified information system that is owned or operated by or for a contractor and that processes, stores, or transmits covered defense information.”

Using Incident Response Platform for Efficient and Quick Reporting

There is a lot of data and different types of information that go into a cyber incident report. While -on the technical side- there is an ongoing discussion on which taxonomy should be used for effective reporting, strategists are in agreement that creating a proper cyber incident report that complies with the above-mentioned requirements is not an easy task, and it might take a lot of time and resources to do it.

However, there are various solutions designed for this exact purpose, that can help contractors save a lot of time and money by automatically gathering all the necessary information following an incident and creating reports that can help during investigations.

For instance, all entities that the DoDs Final Rule on Cyber Incident Reporting applies to can get a lot of use out of a software with KPI report summary capabilities, creating information summaries for all incidents under previously specified user criteria.

Also, such a software should be able to create custom reports that can be invoked by the user, employing previously created custom templates, complying with most cyber incident reporting standards and requirements worldwide, not only in the United States.

Is the Existing Vendor Supply Chain Ready for This?

In general, I personally think there is still a consistent number of companies -that are part of the IT supply chain- which is not ready for such regulations. On the other hand, vendor risk management is quickly becoming part not only of the Government system but also of the business practice. So breach notification policies shall be globally followed as part of it. The main risk is that will be interpreted as a compliance task, not a security one. Thus, the real challenge will be creating value out of such compliance task. My personal experience suggests me that value can be created only in two ways: by providing the correct information (in a timely and standard manner) and by sharing them. Time will tell.