By Susan Cassidy and Alex Sarria
On August 26, 2015, the Department of Defense (DoD) issued an interim rule that significantly expands the obligations imposed on defense contractors and subcontractors to safeguard “covered defense information” and for reporting cyber incidents on unclassified information systems that contain such information. The interim rule revises the Defense Federal Acquisition Regulation Supplement (DFARS) to implement section 941 of the National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2013 and section 1632 of the NDAA for FY 2015. In addition, the interim rule implements DoD policies and procedures for safeguarding data and reporting cyber incidents when contracting for cloud computing services.
This Covington Alert outlines the expanded cyber incident reporting and safeguarding requirements imposed on DoD contractors and subcontractors, as well as new policies applicable to cloud service providers.