Today the US Department of Defence announced that it will soon require all of its contractors to report any major cybersecurity breaches. And if your first question is, "why in the hell didn't they require that before?", that's a great question.
The move comes after a tough few months for US government officials and their data. The head of the Office of Personnel Management resigned after it was revealed that over 22 million government personnel had their sensitive information scooped up — everything from security clearances to 5.6 million sets of fingerprints.
But the Department of Defence, under constant attack itself, wants to make sure that its contractors are keeping it in the loop on any cyberattacks. Until now, contractors used a voluntary system to report serious breaches of various kinds. According to the new report, the new statute requires contractors to:
[...] report cyber incidents that result in an actual or potentially adverse effect on a covered contractor information system or covered defence information residing therein, or on a contractor's ability to provide operationally critical support.
The new regulatory requirements make it clear that the DoD already had required contractors to report breaches of "personally identifiable information" or financial information. But this new directive broadens the mandatory reporting of things that probably should have been required years ago. Better late than never, I suppose.
Top image via Shutterstock