Conferees Agree on DoD Breach Requirement

Charging Defense Secretary to Create Breach Reporting Process
Most U.S. Defense Department contractors would be required to report a data breach to the Pentagon under provisions of the National Defense Authorization Act agreed to by a House-Senate conference committee.

"Assuming that bill would pass," says House Cybersecurity Caucus Co-Chair Jim Langevin, D-R.I., "that would get us to a better level of cybersecurity from where we were."

Congress is expected to enact the National Defense Authorization Act, which funds the military, before it adjourns at the end of December.

According to the conference report made public Dec. 18, if enacted by Congress the legislation would:

  • Place the secretary of defense in charge of creating the breach reporting process;
  • Require that the defense secretary designate a senior official to establish criteria for designating which contractors and which networks and information systems would be subject to the reporting requirement;
  • Add to the reporting requirement a summary of information that has been potentially compromised;
  • Establish procedures to allow access by DoD personnel for forensic analysis that are limited to determining whether Defense Department information was successfully exfiltrated and provide for reasonable protection of trade secrets, commercial or financial information and information that can be used to identify a specific person.

In their report, conferees emphasize that the procedures developed in the statute generally should exclude access to information that is not essential to understanding and preventing penetrations potentially resulting in the loss of DoD information and should protect the privacy of private-sector communications.

The conferees also encourage DoD to build on the existing voluntary defense industrial base information sharing program, when practical, including areas such as defining reportable events and the forensics damage assessment process that allows contractors to remove proprietary or other types of information before DoD forensics teams copy information or image systems.

The provision drafted by the conferees isn't intended to apply to telecommunications and Internet service provider networks that merely transmit DoD information between defense contractors, within defense industrial base companies, between Defense Department units, or to and from DoD, unless such services are provided under requirements for the enhanced protection of DoD information.

About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.
