Frank Kendall, the Pentagon's acquisition and technology chief, said a new reule requiring contractors to report cyber-attacks that result in the loss of technical information said, 'This is an essential step to ensure that this valuable information is protected.' (Staff)
Defense Department contractors will have to report cyber-attacks that result in the loss of technical information under a new rule that takes effect this week.
Contractors throughout the supply chain have been targeted by criminals seeking to steal unclassified technical data, Frank Kendall, the department’s acquisition and technology chief, said in a statement. “This is an essential step to ensure that this valuable information is protected.”
Defense firms will also have to incorporate established information security standards on to their unclassified networks, Kendall said.
The final rule, published in Monday’s Federal Register, is dramatically scaled back from the Pentagon’s initial 2011 draft, which alarmed both contractors and open-government advocates. That proposal would have placed new controls on unclassified DoD information not cleared for public release that was either provided by DoD to a contractor or else developed by a contractor on the department’s behalf. Those controls would have required in two forms: basic and enhanced.
While watchdog groups worried that the original proposal would have kept large tracts of unclassified DoD information under wraps, contractors were concerned about the cost of compliance and potential uncertainties created by the two-tier control structure.
The final rule requires only one level of protection and limits the type of data that it covers to “unclassified controlled technical information.” It’s also helpful because “it allows the company the flexibility to implement the standards in a way that makes the most sense to them,” said Alan Chvotkin, executive vice president and counsel for the Professional Services Council, a trade group for service contractors.
At the Center for Effective Government, a liberal leaning advocacy and research group, analyst Gavin Baker said the final rule also addresses concerns that the original draft had been so vague and open-ended that almost any unclassified information would have been treated as “needing to be controlled.”