The Department of Defense has issued an Interim Rule amending the Defense Federal Acquisition Regulation Supplement (DFARS).

The specific focus is on new rules  which require contractor reporting on network penetrations.

Additionally, this Rule implements DoD policy on the purchase of cloud computing services.

The Interim Rule is here.

According to the Federal Registry:

This interim rule requires contractors and subcontractors to report cyber incidents that result in an actual or potentially adverse effect on a covered contractor information system or covered defense information residing therein, or on a contractor’s ability to provide operationally critical support. DoD is working to establish a single reporting mechanism for DoD contractor reporting of cyber incidents on unclassified information systems.

In addition, this rule also implements DoD policies and procedures for use when contracting for cloud computing services. The DoD Chief Information Officer (CIO) issued a memo on December 15, 2014, entitled “Updated Guidance on the Acquisition and Use of Commercial Cloud Computing Services” to clarify DoD guidance when acquiring commercial cloud services (See memo here: http://iase.disa.mil/cloud_security/Pages/docs.aspx). The DoD CIO also released a Cloud Computing Security Requirements Guide (SRG) Version 1, Release 1 on January 13, 2015, for cloud service providers to comply with when providing the DoD with cloud services (See SRG here: http://iase.disa.mil/cloud_security/Pages/index.aspx). This rule implements these new policies developed within the DoD CIO memo and the SRG in the DFARS to ensure uniform application when contracting for cloud services across the DoD. The combination of the two statutes as well as the cloud computing policy will serve to increase the cyber security requirements placed on DoD information in contractor systems and will help the DoD to mitigate the risks related to compromised information as well as gather information for future improvements in cyber security policy.