Mandatory Reporting and “Cyber Mission Forces” Created in 2015 National Defense Authorization Act (NDAA)

Posted by

Beyond appropriating $560,000,000,000 for military spending for 2015, the Defense Authorization Act passed this month expands the role of the military in wide range of areas, including strategic programs in outer space, budgeting and accounting for a new “cyber mission” major force program category, and new mandatory reporting of “cyber incidents” by government contractors and agencies.

Title XVI, Subtitle C of the Senate Amendment to H.R. 3979, “Cyber-Related Matters,” first directs the Secretary of Defense to submit with the 2017 budget a new program for the training, manning and equipping of the cyber mission forces, together with program elements, as well as to create executive agents for new “cyber and information technology training ranges” who oversee all test facilities, test beds, and software and personnel development, all under the supervision of the United States Cyber Command created in 2009.

The Bill’s second “Cyber-Related Matter” creates a new mandatory reporting program, and directs the Secretary to “designate a component of the Department of Defense to receive reports of cyber incidents from contractors…or from other governmental entities,” and to establish the reporting procedures.  Under the procedures (to be established) “operationally critical contractors” must “report in a timely manner…each time a cyber incident occurs with respect to a network or information system” of the contractor.  Such contractors will be “designated by the Secretary…as a critical source of supply for airlift, sealift, intermodal transportation services, or logistical support that is essential to the mobilization, deployment, or sustainment of the Armed Forces in a contingency operation.”  And, the contractor’s “Rapid Reporting” must include information on the effect of the “cyber incident” on the contractor’s ability to perform its duties to the Department, the technique of the cyber attack, a summary of information compromised, and a sample of any malicious software discovered by the contractor.

The Department must also provide support personnel to assist contractors in detecting and mitigating penetrations; however, such personnel will have only limited access to private equipment or information, and the Secretary must also create procedures necessary to protect “trade secrets, commercial or financial information, and information that can be used to identify a specific person.”

While reporting breaches may help in the future, all contractors and other businesses are well advised to maintain a robust and up-to-date security program to minimize the risk that an attack will be successful.  The Secretary of Defense will have 90 days after the Bill’s execution by President Obama to create the procedures to identify “operationally critical contractors” and the process for reporting a “cyber incident,” defined as an action “taken through the use of computer networks that result in an actual or potentially adverse effect on an information system or the information residing therein.”  During that time, contractors will have the opportunity to revise and improve their cybersecurity program, with an eye toward streamlining the reporting process.

A copy of the bill can be viewed by clicking here, see page 877).