DoD Issues Final Rule on Cyber Incident Reporting

Effective November 3, 2016, U.S. Department of Defense (DoD) contractors and subcontractors must disclose cyber incidents that result in actual or potentially adverse effect on a covered contractor information system or covered defense information residing in it within 72 hours. The DoD Defense Industrial Base (DIB) Cybersecurity (CS) Activities rule implements mandatory cyber incident reporting requirements for all forms of agreements between DoD and DIB companies, including contracts, grants, cooperative agreements, technology investment agreements and other transaction agreements.

The final rule responds to public comments to the interim rule published on October 2, 2015.