Last week, Senator Carl Levin (D-MI), Chairman of the Senate Armed Services Committee, introduced an amendment to the FY 2013 National Defense Authorization Act (NDAA) that would require the DoD to establish a process by which cleared defense contractors must report when the contractor’s network or information system is successfully penetrated. If passed, the amendment would apply to “a private entity granted clearance by the Defense Security Service to receive and store classified information for the purpose of bidding on a contract or conducting activities under a contract with the Department of Defense.” The amendment is silent on whether the requirement will apply only to classified information systems or to all information systems maintained by a “cleared contractor,” and defers the issue of scope to the Under Secretary of Defense for Intelligence.

The proposed amendment has substantial overlap with two different ongoing regulatory initiatives for mandating protections to contractor information systems: the proposed DFARS rule establishing basic and enhanced safeguarding requirements for non-public DoD information residing on contractor non-classified information systems, and the proposed FAR rule requiring contractors to safeguard contractor information systems containing information provided by or generated for the government. Senator Levin’s legislative foray into this area raises additional questions as to whether the proposed FAR and DFARS rules will be implemented as proposed, or further tailored to address the requirements of this new, ambiguous legislative reporting requirement. Regardless of outcome, Senator Levin’s amendment is a strong indication that contractor reporting in the event of an unauthorized access or other cyber incident will remain an area of increased emphasis by the legislative branch for the foreseeable future, despite the failure to pass comprehensive cybersecurity legislation.