Yesterday the OMB's Office of Information and Regulatory Affairs (OIRA) approved an interim final rule for the DOD concerning contractor reporting requirements for certain cyber intrusions. This rule was required by Congress in 2012 as part of the Defense Authorization Act of 2013 (§941; PL 112-239). The rule is likely to be published in the Federal Register later this week.
Commentary
It will be interesting to see if the procedures that DOD
develops for a relatively select group of non-governmental networks could be
adopted for critical systems at all critical infrastructure facilities. I think
that the government (and the public) has a specific and legitimate interest in
attacks on critical infrastructure cyber-physical systems that could have a
significant impact on the public.
The requirements of §941 focused principally on information compromise rather than on cyber-physical systems, and it would probably be inappropriate to require reporting on purely information-related incidents (other than those involving significant amounts of PII, of course; but those would be covered by separate requirements). This would mean that adaptations of the DOD rule would certainly be required, but the actual reporting process (other than to whom the reports would be sent) should be fairly easy to adapt to a cyber-physical incident reporting system.