DOD now requires contractors to report hacks

The Department of Defense (DOD) will require its biggest contractors to disclose certain cybersecurity breaches.

According to a notice published in Friday’s Federal Register, DOD contractors are now mandated to report “cyber incidents that result in an actual or potentially adverse effect on a covered contractor information system.”

{mosads}The move is part of a broad effort to secure government networks in the wake of a spate of cyberattacks at high-profile agencies and contractors.

The new rule covers contractors in the DOD’s Defense Industrial Base (DIB) information-sharing network. DIB members are able to exchange classified and unclassified data on hacking threats.

“These requirements are focused on cyber incidents that threaten specific types of DOD program information, such as technical information … and operational security information that relates to DOD activities.”

Breaches last year at the government’s largest outside background-check processors brought attention to the security shortcomings at contractors that handle government data.

The two breaches exposed files on roughly 70,000 federal employees, many of whom held security-clearance-level positions with the Department of Homeland Security.

Hackers also lifted credentials from an employee at one of the contractors, and then used that information to break into the network at the Office of Personnel Management (OPM). The OPM breach exposed more than 22 million federal workers’ sensitive data.

The White House in August released a draft of guidelines that would require government contractors handling sensitive data to meet baseline security requirements and report digital intrusions to authorities.