Data breach requirement stays in conference defense authorization bill

Data breach reporting to the Pentagon by cleared defense contractors would become mandatory under a provision included in the House and Senate conference version of the fiscal 2013 national defense authorization act.

The conference bill (.pdf), made public Dec. 18, would change the original Senate proposal, which had the Defense Department's top intelligence official oversee a process for contractors conducting classified activities to report penetrations of their networks and information systems, by instead placing the defense secretary as the official nominally in charge. The criteria for designating which contractors and which networks would come under the reporting requirement would be set by a senior official designated by the secretary.

The conference version also includes language similar to the Senate proposal that would permit DoD personnel access to private sector systems for the purpose of forensic analysis.

The joint conference statement (.pdf) says the reporting requirement isn't intended to apply to telecommunications or Internet service provider networks that just carry defense information--whether between contractors, within them, or to and from the DoD--unless those services already fall under enhanced protection requirements.

The conference bill retains Senate language that would prohibit dissemination, outside of the department, of information obtained through the mandatory reporting requirement unless the contractor approves it. Skeptics of similar proposed prohibitions in other cybersecurity information-sharing legislation, however, note that companies may feel pressured to give approval even if they weren't already disposed to offer it.

The statement also says that DoD is preparing a rulemaking that would modify the Defense Federal Acquisition Regulation Supplement to mandate breach reporting requirements that would pertain to a much broader swath of contractors than those that would fall under the defense authorization act.

For more:
download the conference bill (.pdf)
download the conference statement (.pdf)