On Saturday the OMB's Office of Information and Regulatory Affairs (OIRA) received from the DOD a final rule mandating cybersecurity incident reporting by covered organizations in the Defense Industrial Base (DIB). This final rule will modify the interim final rule published on the same topic in October of last year.
According to the Spring 2015 Unified Agenda listing for this rulemaking:
“DoD is revising its DoD-Defense Industrial Base (DIB) Cybersecurity (CS) Activities regulation to mandate reporting of cyber incidents that result in an actual or potentially adverse effect on a covered contractor information system or covered defense information, or on a contractor’s ability to provide operationally critical support, and modify eligibility criteria to permit greater participation in the voluntary DoD-(DIB) (CS) information sharing program. The rule also revises the program's definitions to better harmonize with definitions that are already established and used by DoD and other Government agencies in similar contexts and modifies eligibility criteria to permit greater participation in the voluntary DoD-DIB CS information sharing program.”
This rulemaking is directly applicable only to DIB organizations, which already face tighter cybersecurity reporting requirements than general industry because of their obligations to protect DOD classified and sensitive but unclassified information. If Congress were ever to mandate cybersecurity incident reporting for other segments of the economy, this rule would probably serve as a model for any subsequent rulemaking.