Industry had previously expressed concerns about this addition to the legislation, particularly that: 

• The legislative requirements would undermine the work of the existing DoD Defense Information Industrial Base (DIB) Voluntary Cybersecurity and Information Assurance (CS/IA) program, under which companies and the government have established individually negotiated framework agreements for information sharing regarding data breaches, and the release of a long-awaited Defense Federal Acquisition Regulation Supplement (DFARS) rule on the same;

• While the text applies to “cleared defense contractors,” the scope of the data breach reporting and investigation is not limited to classified information systems, but would allow DoD access to contractor networks and information systems in general, including areas of those systems not related to work performed for DoD;

• DoD could potentially access personally identifiable information (PII) of contractor employees; and

• The language also could allow DoD to take physical possession of hardware from a contractor’s information systems, hindering the ability of that contractor to perform any contract work or other business. 

The final text that emerged from a congressional conference committee late Tuesday makes some positive changes to Senator Levin’s proposal while leaving other issues unresolved. 

The new language now clarifies that DoD procedures to be established under the statute must safeguard trade secrets, commercial and financial information, and PII (Sec. 941(c)(2)(C) “reasonable protection of trade secrets, commercial or financial information, and information that can be used to identify a specific person”). 

However, while the text now says that contractors need provide just enough access for DoD to conduct a forensic analysis of the data breach (Sec. 941(c)(2)(A)–(B)), there are no explicit limits on what that entails, leaving open the possibility of DoD obtaining contractor data, computers, or other system hardware. Furthermore, while the text limits the dissemination of investigation data outside of DoD without the contractor’s consent (Sec. 941(c)(3)), there are no limits on what DoD does with that information within the Department. Lastly, while these requirements apply to “cleared defense contractors,” defined as those entities “granted clearance by the Department of Defense to access, receive, or store classified information” (Sec. 941(e)(2)), the scope of the text is still not limited to breaches on classified information systems but applies to any “covered system” defined as “a network or information system of a cleared defense contractor that contains or processes information created by or for the Department of Defense with respect to which such contractor is required to apply enhanced protection” (Sec. 941(e)(1)).

In light of this development, defense contractors who intend to handle classified information as part of their engagements should review and update their security breach detection, response, and reporting plans. If an incident is detected and reported to DoD under this expected law, a company should carefully consider any other reporting obligations it may have (e.g., under state data breach laws or federal health privacy law) and proceed carefully to deal with multiple governmental bodies. Furthermore, to protect themselves, as well as the DoD and all others concerned, defense contractors may also wish to consider whether the systems that support DoD engagements are appropriately segregated from other systems and data.

Authored by Harriet Pearson, Tom McGovern, and Michael Scheimer.