Incident Reporting Key To New Cybersecurity Rule.

Author: Metzger, Robert S.
Position: Viewpoint

By now, most companies in the Defense Department supply chain know they were to implement a series of cybersecurity safeguards by no later than Dec. 31 in order to protect "covered defense systems" from being stolen by foreign adversaries.

The duty arose from the mandatory clause in the Defense Federal Acquisition Regulation Supplement 252.204-7012 titled, "Safeguarding Covered Defense Information and Cyber Incident Reporting." The National Institute of Standards and Technology spelled out the measures that must be taken in Special Publication 800-171.

The regulation encompasses Defense Department prime contracts and flows down, without alteration, to all levels. Many companies, especially smaller and medium-size ones, are challenged to address the special publication's 110 individual requirements.

Naturally, because of the deadline, many focus on the "front half" of the regulation--safeguarding--without much attention to the "other half"--incident reporting.

Defense contractors need to give incident reporting equal attention--and not simply because the obligation is present in the regulation.

The importance of reporting is best understood in the context of the experience that led to this regulation. Over a period of many years, and in too many examples to recount, valuable defense-related technical data and contractor intellectual property have been "exfiltrated" from contractor information systems by acts of cyber espionage. The regulation, therefore, aims to improve contractor security and mitigate those risks.

The department defines a cyber incident as "actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein."

Unauthorized access to sensitive but unclassified technical information dilutes national military capability, denies us the advantage of favorable technological asymmetries and enables our adversaries to copy accomplishments and impair missions.

But recent experience also teaches us that no network security is perfect. The new controls will make it harder for adversaries to reach and steal technical information and may limit the information taken. However, the possibility of a breach cannot be denied and will not be eliminated by this regulation.

This brings us to the second set of purposes of the regulation. It is important for the Defense Department to know what has been taken so that it can conduct a "damage assessment."

The damage assessment has several purposes. It can determine the impact of compromised information on U.S. military capability underpinned by the technology. It can reveal how the compromised information may enable an adversary to counter, defeat or reverse engineer...
