On October 4, 2016, a final rule was published in the Federal Register which implements statutory requirements for Department of Defense (DoD) contractors and subcontractors to report cyber incidents that result in an actual or potentially adverse effect on a covered contractor information system or covered defense information residing therein, or on a contractor’s ability to provide operationally critical support.

The final rule includes new definitions of "covered contractor information system" and "covered defense information." Covered contractor information system means an unclassified information system that is owned or operated by or for a contractor and that processes, stores, or transmits covered defense information. Covered defense information means unclassified controlled technical information or other information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies, and is: (1) marked or otherwise identified in an agreement and provided to the contractor by or on behalf of the DoD in support of the performance of the agreement; or (2) collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the agreement.
A foundational element of the mandatory reporting requirements, as well as the voluntary DIB CS program, is the recognition that the information being shared between the parties includes extremely sensitive information that requires protection. The final rule is meant to permit the sharing of information, including cyber threat information, and thereby provide greater insights into the hostile activity targeting the DIB.
Organizations that do business with the Government must familiarize themselves with this final rule, as well as other regulations governing the information they process, store, or transmit.