Cloud Computing: DoD new cyber security reporting rules for contractors

September 1, 2015 By David

Grazed from Lexology. Author: Davis Wright Tremaine.

In a move that highlights the changing winds of federal cybersecurity policy, the Department of Defense (“DoD”) has issued an interim Rule (“Rule”) that imposes new security and reporting requirements on federal contractors, and new requirements for DoD cloud computing contracts.

The Rule requires federal contractors to report cyber incidents that result in an actual or potentially “adverse effect” on covered defense information (CDI), a covered contractor information system (a federal contractor’s information system that handles CDI), or on a contractor’s ability to provide operationally critical support. CDI includes “controlled technical information, export controlled information, critical information, and other information requiring protection by law, regulation or Government-wide,” but does not include classified information, which is governed by a separate rule. The Rule also imposes restrictions on cloud computing contracts, including that data covered by the contracts be maintained within the 50 states…

This Rule comes in the wake of high-profile security breaches of information maintained on federal systems. The Rule, at Defense Federal Acquisition Regulation Supplement (DFARS)-2015-0039 and issued on Aug. 27, 2015, is effective immediately without the normal public comment period due to the urgency of protecting CDI. The Rule revises the DFARS to implement two key provisions of the National Defense Authorization Acts for Fiscal Years 2013 and 2015. Specifically, the Rule implements the provision of the 2013 Act that requires cleared defense contractors to report breaches of networks and covered information systems and to allow DoD personnel to access those networks to assess the impact of the reported security breach…

Read more from the source @ http://www.lexology.com/library/detail.aspx?g=48afbcf6-2900-471c-91f2-3eb38b557d0d