US Defense Contractors Still Waiting For Breach Notification Rules
An anonymous reader writes US Department of Defense contractors will have to wait until September 24 to see what specific rules they will be required to follow when it comes to the reporting of computer breaches to the DoD. This particular requirement was mandated by the US Congress last year, in an attempt to get a clear view of the type and frequency of attacks contractors face. The US Congress will require "cleared defense contractors" — i.e. those who have been granted clearance by the DoD to access, receive, or store classified information — to make a rapid report in the wake of a successful breach, and to include in it a description of the technique or method used in the penetration, a sample of the malicious software used (if discovered), and a summary of information created for the Department in connection with any Department program that has been potentially compromised due to such penetration.
One would assume that this would be basic common sense.
Not really, from the defense contractor's point of view. If they do have a breach, it is in their best interest to cover it up. Without any rules in place, they are not violating any rules. If there are rules in place, then covering it up would be a violation of those rules, so in some cases it would be in their best interest not to cover it up (risk/reward).
You must disclose any breach at least 90 days prior to discovery or 60 days prior to its occurrence, whichever comes first. Any breach occurring without advance notification will be dealt with severely.
You must disclose all breaches on Form 27B/6. The form is secret and you do not have access to it.
Access to your system by any person on the 'no access list' will be considered a breach. The identity of persons on the 'no access list' is secret, and the Government will not inform you of whether any given person is or is not on it.
Knowing of any breach makes a person a 'high risk' individual. 'High risk' individuals shall be added to the 'no access list.'
The Government reserves the right to access your system at any time without notification. Allowing anyone, including the Government, access without advance approval is a security breach.
These rules themselves are secret and you do not have access to them.
Thank you for your cooperation, Citizen.