Conferees Agree on DoD Breach Requirement

Charging Defense Secretary to Create Breach Reporting Process
Most U.S. Defense Department contractors would be required to report a data breach to the Pentagon under provisions of the National Defense Authorization Act agreed to by a House-Senate conference committee.
"Assuming that bill would pass," says House Cybersecurity Caucus Co-Chair Jim Langevin, D-R.I., "that would get us to a better level of cybersecurity from where we were."
Congress is expected to enact the National Defense Authorization Act, which funds the military, before it adjourns at the end of December.
The conference agreement would:

- Place the secretary of defense in charge of creating the breach reporting process;
- Require that the defense secretary designate a senior official to establish criteria for designating which contractors and which networks and information systems would be subject to the reporting requirement;
- Add to the reporting requirement a summary of information that has been potentially compromised;
- Establish procedures to allow access by DoD personnel for forensic analysis that are limited to determining whether Defense Department information was successfully exfiltrated and provide for reasonable protection of trade secrets, commercial or financial information and information that can be used to identify a specific person.
In their report, conferees emphasize that the procedures developed in the statute generally should exclude access to information that is not essential to understanding and preventing penetrations potentially resulting in the loss of DoD information and should protect the privacy of private-sector communications.
The conferees also encourage DoD to build on the existing voluntary defense industrial base information sharing program, when practical, including areas such as defining reportable events and the forensics damage assessment process that allows contractors to remove proprietary or other types of information before DoD forensics teams copy information or image systems.
The provision drafted by the conferees isn't intended to apply to telecommunications and Internet service provider networks that merely transmit DoD information between defense contractors, within defense industrial base companies, between Defense Department units, or to and from DoD, unless such services are provided under requirements for the enhanced protection of DoD information.