View Rule

The final rule responded to public comments to the interim final rule published on October 2, 2015. The rule implemented statutory requirements for DoD contractors and subcontractors to report cyber incidents that result in an actual or potentially adverse effect on a covered contractor information system or covered defense information residing therein, or on a contractor's ability to provide operationally critical support.

The mandatory reporting applies to all forms of agreements between DoD and DIB companies (contracts, grants, cooperative agreements, other transaction agreements, technology investment agreements, and any other type of legal instrument or agreement). The revisions are part of DoD's effects to establish a single reporting mechanism for such cyber incidents on unclassified DoD contractor networks or information systems. Reporting under this rule does not abrogate the contractor's responsibility for any other applicable cyber incident reporting requirement. Cyber incident reporting involving classified information on classified contractor systems will be in accordance with the National Industrial Security Program Operating Manual (DoD-M 5220.22 (http://dtic.mil/whs/directives/corres/pdf/522022M.pdf).

The rule also addressed the voluntary DIB CS information sharing program that is outside the scope of the mandatory reporting requirements. By modifying the eligibility critiera for the DIB CS program, the rule enabled greater participation in the voluntary program. Expanding participation in the DIB CS program is part of DoD's comprehensive approach to counter cyber threats through information sharing between the Government and DIB participants.