Today DoD issued an interim final rule, effective immediately, which revised its DoD-DIB Cybersecurity (CS) Activities regulation to mandate reporting of cyber incidents that result in an actual or potentially adverse effect on a covered contractor information system or covered defense information residing therein, or on a contractor’s ability to provide operationally critical support. This rule is similar to the DFARS network penetration reporting rule we reported on recently, but according to DoD will apply to all forms of contracts or other agreements between DoD and DIB companies (e.g., procurement contracts, cooperative agreements, other transaction agreements). The rule also modifies eligibility criteria to permit greater participation in the Voluntary DoD-Defense Industrial Base (DIB) Cybersecurity (CS) information sharing program, which is a program for Cleared Defense Contractors (CDCs).
Comments are due on December 1. We anticipate a further posting regarding this rule shortly.