NDAA Amendment Would Mandate Reporting to DOD of Penetration of Contractor Networks and Information Systems
Senator Carl Levin (D-MI), Chairman of the Senate Armed Services Committee, has introduced an amendment to the FY 2013 National Defense Authorization Act (NDAA), S. 3254, which would require the Department of Defense (DoD) to establish a process by which cleared defense contractors must report when the contractor’s network or information system is successfully penetrated. The proposed amendment has substantial overlap with two different ongoing regulatory initiatives for mandating protections to contractor information systems and suggests that contractors may continue to see additional reporting requirements proposed by Congress until those regulations become final.
If passed, Amendment 3195 would apply to “a private entity granted clearance by the Defense Security Service to receive and store classified information for the purpose of bidding on a contract or conducting activities under a contract with the Department of Defense.” The amendment is silent on whether the requirement will apply only to classified information systems or to all information systems maintained by a “cleared contractor.” Rather than specify an intended scope, the proposed amendment calls upon the Under Secretary of Defense for Intelligence to establish criteria for designating which networks and information will be subject to the reporting requirements. Such reports from contractors must include: (1) a description of the technique or method used in the penetration, and (2) a sample of the malicious software, if discovered and isolated by the contractor. Finally, the amendment also requires reporting contractors to provide DoD with access to conduct forensic analysis of the reported intrusion.
The lack of detail in the amendment itself makes it difficult to determine how broadly the reporting requirements may be applied. However, at first blush, the provision appears in tension with, and potentially duplicative of, two separate, ongoing regulatory efforts to mandate protections for contractor information systems. First, on June 29, 2011, DoD issued a proposed Defense Federal Acquisition Regulation Supplement (DFARS) Rule establishing basic and enhanced safeguarding requirements for non-public DoD information residing on contractor non-classified information systems. See http://www.mckennalong.com/publications-advisories-2545.html. The rule proposed substantial compliance obligations for the protection of unclassified information, and imposed reporting and information sharing obligations on contractors subject to enhanced safeguarding requirements. Comments on the proposed DFARS rule were due in late 2011, a public meeting on the proposed DFARS rule that had been scheduled for November 2011 was cancelled, and the rule remains under consideration by the Defense Acquisition Regulations Council.
Second, in August 2012, DoD, the General Services Administration (GSA) and the National Aeronautics and Space Administration (NASA) issued a proposed rule requiring contractors to safeguard contractor information systems containing information provided by or generated for the Government. See http://www.mckennalong.com/publications-advisories-3064.html. That proposed rule would add a new Federal Acquisition Regulation (FAR) subpart and contract clause that would require basic information protection measures as a contractual obligation. The proposed FAR rule mandates basic protection measures on contractor information systems and contractors’ use of non-public Government information, aimed at deterring unauthorized disclosure, loss, or compromise of non-public Government information. Id. The proposed FAR rule does not contain any express reporting obligations, but does extend basic safeguarding requirements to contractors across all agencies, regardless of whether the contractor has access to classified information. Comments on the proposed FAR rule were due in October 2012.
Senator Levin’s legislative foray into this area raises additional questions as to whether the proposed FAR and DFARS rules will be implemented as proposed, or further tailored to address the requirements of this new, ambiguous, legislative reporting requirement. Regardless of outcome, Senator Levin’s amendment is a strong indication that contractor reporting in the event of an unauthorized access or other cyber incident will remain an area of increased emphasis by the legislative branch for the foreseeable future despite the failure to pass comprehensive cybersecurity legislation.
McKenna Long & Aldridge will continue monitoring developments in this area.