Starting this year, defense contractors must tell the government when a cyber attack breaches a contractor's system.
While disclosure used to be voluntary, the new mandate is a cyber security requirement outlined in the $633 billion National Defense Authorization Act (NDAA) President Obama signed January 3.
The act gives the Department of Defense 90 days to establish procedures for defense contractors to disclose cyber attacks. Defense contractors will eventually need to report breaches, the tools attackers used to steal sensitive government information, and the impact on Department of Defense data. It remains unclear what penalty contractors that fail to comply would face.
With the growth of cyber attacks across the country, these rules are a sign that the government is starting to crack down on companies that don't willingly disclose cyber breaches.
With the NDAA's passage, chief information officers will not only need to report intrusions but also know when their companies suffered an attack in the first place. About 92% of breaches are first reported to the affected company by a third party, according to the 2012 Verizon Data Breach Investigations Report.
The NDAA goes into effect after Senate Republicans last November killed a bill that would have created mechanisms for sharing cyberthreat information between government and businesses and required critical infrastructure operators to notify the government when they suffered an attack. The demise of the Cyber Security Act of 2012 may ultimately result in President Obama signing an executive order on the issue.