Insights
PH Privacy
72-Hour Cyberattack Reporting Rule for Federal Government Contractors Finalized
October 11, 2016
Charles A. Patrizia & Mary-Elizabeth M. Hadley
The Department of Defense has promulgated a new rule, effective November 3, 2016, that requires federal defense contractors and subcontractors to report within 72 hours any cyber incidents “that result in an actual or potentially adverse effect on a covered contractor information system” (or “covered defense information residing therein”), or that affect “a contractor’s ability to provide operationally critical support.” The rule also establishes eligibility criteria for participation in the DoD’s voluntary Defense Industrial Base Cyber Security Program for sharing cyber threat information and cybersecurity best practices with program participants.