Defense Contractors Have To Disclose Breaches Within 72 Hours

October 13, 2015 mitch tanenbaum Leave a comment

As if complying with 47 states individual laws on breaches wasn’t complicated enough, if you are a defense contractor, you now have to comply with DoD rules on disclosing breaches. I suspect that part of this is due to the fact that the DoD thinks that many of the state laws are too loose and the fact that, with contractors, they want to control what happens. It is fair that there should be a higher bar with defense contractors. The rule says that this cost comes out of your pocket, not the government’s.

The first thing that stands out about it is that contractors do not have 30-60-90 days to disclose a breach like they do in most of the state laws but rather 72 hours.

This disclosure is required whether or not there is DoD information compromised. After all, you likely won’t know that in 72 hours.

The next step is to do a review to see if defense information was in fact compromised. So, you have to tell DoD that you were breached and then tell them if their stuff was stolen.

Unlike state laws, under the DoD rule, you need to identify which computers, servers and user accounts were compromised as well as the specific data exposed.

Contractors also have to preserve system images (exact copies of the disks) as well as network packet capture – for at least 90 days.

This definitely raises the bar for defense contractors. My guess is that other than the very large contractors, no one is ready to deal with this new rule.

These new rules apply to unclassified information systems. The rules for classified systems, which are governed by the NISPOM (National Industrial Security Program Operating Manual).

I suspect it will take a little time for DoD to wrap its arms around this, but as they do, contractors should be ready to respond to DoD inquiries about their capabilities in this area.

This new rule is required to be included in all new contracts and work orders.

Information for this post came from an article by the law firm of Seyfarth Shaw on Lexology.

The actual rule (16 pages, single spaced) is available on the Federal Register for Oct 2, 2015, here.