Executive Branch Activity

U.S. Department of Defense Network Breach Reporting Regulations

The U.S. Department of Defense (DOD) is expected to release draft regulations this summer that would require defense contractors to report network and information system penetrations within a specified amount of time. As part of the National Defense Authorization Act of 2013, DOD was required to develop these procedures within 90 days – a deadline that passed last week. A committee within the Department has been working since January to draft the regulations, which will require contractors to report the techniques or methods used in any security breach, provide a sample of the malicious software if possible, and share how DOD data contained in the contractor networks may have been compromised. DOD is still developing the definition of network penetration and how long contractors will have to report penetrations under the new rule. The Department is considering requiring contractors to report a breach within 72 hours, which would be consistent with the requirement included in DOD’s rule on reporting unclassified controlled technical information.

Cybersecurity Executive Order: Updates to DHS’s Critical Infrastructure List

As a result of the Executive Order issued by President Obama in 2013 on cybersecurity, the U.S. Department of Homeland Security (DHS) was directed to identify an initial list of critical infrastructure where a cybersecurity incident could “reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.” After presenting the list of specific critical infrastructure to the White House, DHS confidentially notified the entities that were included on the list last summer. According to a recent Federal Register notice, DHS will provide owners and operators who are on the list with an appeal process if they feel that they have been incorrectly added to the list. DHS will be collecting requests for reconsideration from critical infrastructure owners and operators through May 15.

Securities and Exchange Commission Risk Alert

The Securities and Exchange Commission (SEC) recently announced that the Office of Compliance Inspections and Examinations will review more than 50 financial firms to assess their cybersecurity governance, assessment of cyber risks, protection of networks and information, and experiences with cyber threats, among other items. The SEC released a risk alert that included a sample request for information and list of questions related to the National Institute of Standards and Technology Cybersecurity Framework that was released in February. These questions will likely be used by the SEC examiners who will be facilitating the inspection of the financial firms over the coming months.