A Weekend in Incident Response #24: Department of Defense Contractors Required to Comply with New Cyber Incident Reporting Rules

Critical infrastructure is always a common target of cyber criminals. Similar to other countries, the Department of Defense (DoD) is a crucial part of the critical infrastructure in the United States, and as such, it is often exposed to various types of cyber attacks. Not only the Department itself, but its contractors are also under various cyber security threats. That is why the DoD is tightening up the requirements related to the cyber security of its contractors and subcontractors, in an effort to prevent cyber attacks on some of the key components of the nation’s critical infrastructure and protect classified information that is of major geopolitical and strategic importance.

As part of those efforts, the DoD issued a Final Rule aimed at better protecting covered defense information, applying to the Department’s contractors and subcontractors, in October of 2016. Most notably, the final rule revises the “Cloud Computing Services” and the “Safeguarding Covered Defense Information and Cyber Incident Reporting” clauses, referring to the way how contractors and subcontractors are required to handle covered defense information and report cyber incidents to authorities.

How Can Contractors Overcome the Challenges Involved in Mandatory Compliance with These Regulations?

As soon as the final rule was announced, many contractors doing business with the DoD expressed their concerns that the companies included in their supply chain will not be able to achieve full compliance with it before the December 31, 2017 deadline. Their grievances had to do with the clauses requiring contractors and subcontractors to notify the Department of Defense of a cyber security incident within 72 hours of it occurring, as well as some processes related to investigation and documentation of incidents.

The problem that the contractor and subcontractor communities have with these clauses is that they are expected to incur significant additional expenses for their businesses and require hiring additional human resources.

Avoid Increased Costs and Save Time with Just One Incident Response Platform

While the concerns that contractors have expressed regarding this rule are well founded, there are solutions that could help them avoid those potentially significant costs increases, while still ensuring complete compliance with these strict regulations.

One of the possible solutions is utilizing an automation-and-orchestration platform, providing complete case management for cyber security events. By using such a platform designed for fast and effective incident response, contractors and subcontractors will be able to notify authorities of any incident they detect in a timely manner, and collect and keep the required documentation that is required in the later stages of a future investigation.

Incident response platforms can track digital evidence for forensic investigation, along with keeping track of all actions taken by an organization’s cyber security team during an incident response process. On top of that, they can automatically create incident reports containing information that allow your cyber security teams to assess the current status of an incident, what has caused it, and the scope of the damages. With this capability, organizations can have a peace of mind that they will always be covered in case they suffer a cyber security breach. Understanding that they could now rely on an incident response platform to take care of the reporting and notification requirements included in the Department of Defense’s final rule on safeguarding covered defense information and cyber incident reporting.

NIS Directive With New Cybersecurity Requirements Goes into Effect in the EU

Back in July, the European Parliament adopted the Directive on Security of Network and Information Systems (NIS Directive), which is primarily aimed at enhancing network and information security within the European Union. The NIS Directive officially went into effect in August 2016, and Member States now have 21 months to implement it.

In what represents one of the first concrete steps toward making sure all EU-Member States follow a standard and uniform set of rules when it comes to the security of networks and information systems, the NIS introduces a series of requirements that are going to have to be complied with by operators of critical infrastructures and digital service providers when reporting cyber incidents and when handling cyber-security issues.

Cybersecurity Incident Reporting Requirements

Once this Directive starts being enforced, all Operators of Critical Infrastructures within the European Union, which include organizations in various sectors, such as transport, banking, energy, financial market infrastructure, health, drinking water, and digital infrastructure, as well as Digital Service Providers – including organizations providing cloud computing services, online marketplaces, and search engines – to comply with specific rules when notifying their relevant NIS national authorities of serious cyber-security incidents.

Operators of Critical Infrastructures and Digital Service Providers will have to implement a set of security measures that are appropriate to the risks faced, as well as risk assessment, as part of a culture of risk management which is supposed to be promoted by authorities in each Member State through the introduction of appropriate regulatory requirements.

The requirements that will apply to Operators of Critical Infrastructures and to Digital Service Providers include immediately notifying the NCA or the CSIRT about any “significant” or “substantial” incident, along with informing the relevant authorities on their own security policies that are designed to ensure the security of networks and information systems.

National NIS Strategies, Single Points of Contact and National Competent Authorities

The NIS Directive will make it mandatory for Member States to develop national NIS strategies, form National Competent Authorities (NCA) and Single Points of Contact (SPoC), and assign specific NIS tasks to Computer Security Incident Response Teams (CSIRTs).

This requirement is part of the efforts for enhancing the cross-border cooperation when it comes to cyber incidents, in a bid to improve the overall cyber security across the European Union.

NIS Directive and Incident Response

With the introduction of the NIS Directive, all organizations that it applies to will need to have a platform that provides an orchestrated Incident Response and helps prepare reports for the investigation that follows each incident.

Given that this type of platform will become mandatory, businesses affected by this Directive are advised to start exploring the market for orchestrated incident response platforms as soon as possible.

One of the greatest benefits of using such a platform is that it has the ability to enhance the entire incident response process and all security operations, allowing businesses to meet the best practices and criteria recommended by Gartner, among others. One of Gartner’s recommendations refers to implementing SOAR technologies by:

  • Consolidating data and extracting actionable insight from a variety of intelligence sources and existing security technologies
  • Prioritizing risk and security operation activities in the context of your attack surface and business
  • Automating security processes to reduce resource drain and threat response times
  • Enabling full SOM coverage by strategically combining SOAR technologies