View Rule

DoD is issuing a final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to implement section 941 of the National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2013 and section 1632 of the NDAA for FY 2015, both of which require contractor reporting on network penetrations. Section 941 requires cleared defense contractors to report penetrations of networks and information systems and allows DoD personnel access to equipment and information to assess the impact of reported penetrations. Section 1632 requires that a contractor designated as operationally critical must report each time a cyber-incident occurs on that contractor’s network or information systems. The rule requires contractors and subcontractors to report cyber incidents that result in an actual or potentially adverse effect on a covered contractor information system or covered defense information residing therein, or on a contractor's ability to provide operationally critical support. This rule also implements policy on the purchase of cloud computing services. DoD expects this rule may have a significant economic impact on a substantial number of small entitite.  The revisions to this rule will be reported in future status updates as part of DoD's retrospective plan under Executive Order 13563, completed in August 2011. DoD's full plan can be accessed at: http://www.regulations.gov/#!docketDetail;D=DOD-2011-OS-0036.