On Saturday the OMB’s Office of Information and Regulatory
Affairs (OIRA) had received from
the DOD a final rule mandating cybersecurity incident reporting by covered
organizations in the Defense Industrial Base (DIB). This rule will modify the
interim final rule published
on this topic in October of last year.
According to the Spring 2015 Unified Agenda listing for this
rulemaking:
“DoD is revising its DoD-Defense
Industrial Base (DIB) Cybersecurity (CS) Activities regulation to mandate
reporting of cyber incidents that result in an actual or potentially adverse
effect on a covered contractor information system or covered defense information,
or on a contractor’s ability to provide operationally critical support, and
modify eligibility criteria to permit greater participation in the voluntary
DoD-(DIB) (CS) information sharing program. The rule also revises the program's
definitions to better harmonize with definitions that are already established
and used by DoD and other Government agencies in similar contexts and modifies
eligibility criteria to permit greater participation in the voluntary DoD-DIB
CS information sharing program.”
This rulemaking is directly applicable only to DIB
organizations, which already have tighter cybersecurity reporting requirements
than general industry because of their obligations to protect DOD classified
and sensitive but unclassified information. If Congress ever mandates
cybersecurity incident reporting requirements for other segments of the
economy, this rule would probably serve as a model for any subsequent
rulemaking.