By David Fagan and Susan Cassidy

As an indicator of the continuing focus of government authorities on cybersecurity breaches and potential notification requirements, certain contractors for the federal government may soon face new rapid reporting requirements for successful network penetrations.  Specifically, President Obama signed the 2014 Intelligence Authorization Act (“2014 IAA”) into law on July 7, 2014, starting a 90-day clock under Section 325 of the Act for the Director of National Intelligence (“DNI”) to promulgate regulations for “cleared intelligence contractors” to report the successful penetration of their networks and information systems.

Section 325 defines a cleared intelligence community (“IC”) contractor as “a private entity granted clearance . . . to access, receive, or store classified information for the purpose of bidding for a contract or conducting activities in support of [the IC].”  The new regulations will apply to “covered” networks and information systems that “contain[] or process[] information created by or for an element of the [IC] with respect to which such contractor is required to apply enhanced protection.”

The Forthcoming Regulations

The regulations promulgated by the DNI will require cleared IC contractors to report the following information to a designated IC element following a “successful penetration” of the contractor’s covered network or information system:

  • A description of the technique or method used in such penetration;
  • A sample of the malicious software, if discovered and isolated by the contractor, involved in such penetration; and
  • A summary of information created by or for an element of the IC that has been potentially compromised as a result of such penetration.

Section 325 does not specify how quickly the cleared IC contractors will need to report this information, leaving this to the regulators to promulgate.  As discussed below, the Department of Defense (“DOD”) has already imposed a 72-hour reporting requirement in similar regulations.

IC Access to Covered Networks and Information Systems

In addition to setting forth rapid reporting requirements, the new regulations require IC contractors to allow IC personnel access to their “equipment or information” when there has been a “successful penetration” of covered networks.  What constitutes a successful penetration is not defined in the statute.  However, it may be telling that the statute provides that access is required so that the IC personnel can conduct a forensic analysis of the penetration to “determine whether information created by or for an element of the intelligence community in connection with any intelligence community program was successfully exfiltrated from a network or information system of such contractor and, if so, what information was exfiltrated.”  Section 325 also requires that new regulations provide for the “reasonable protection of trade secrets, commercial or financial information” and prohibit the dissemination of information obtained by a forensic analysis outside of the IC without the consent of the contractor.  Despite this prohibition on dissemination, Section 325 does not address whether the IC can use the information obtained during its forensic analysis to exclude IC contractors from the supply chain, or to make a responsibility or past performance determination.

Relationship to Other Cybersecurity Requirements

Section 325 is almost identical to Section 941 of the National Defense Authorization Act for Fiscal Year 2013 (“NDAA 2013”).  Section 941 similarly requires the Secretary of Defense to promulgate rapid reporting requirements following the successful penetration of covered networks and information systems.  Section 325 attempts to harmonize these sections by including a provision requiring the DNI and the Secretary of Defense to jointly establish procedures that allow contractors cleared by both the IC and DOD to submit a single report following a successful network penetration.

The rapid reporting requirements of Section 941 also contained a 90-day clock following the enactment of NDAA 2013; however, that rulemaking has been delayed, with the ad hoc committee’s report deadline currently extended to August 13, 2014. If DOD meets this new deadline, DOD’s rulemaking may influence the IC’s approach.

The new regulations envisioned by Section 325 (and Section 941) also may draw comparisons to the recent DFARS rule for safeguarding unclassified controlled technical information (“UCTI”).  The UCTI rule mandates that DOD contractors report cyber incidents, including unauthorized access to information, inadvertent release of information, and/or any other loss or compromise, within 72 hours of discovery.  In some ways, the UCTI rule appears broader than the regulations contemplated by Section 325.  For example, the UCTI rule applies to all information systems on which UCTI may be “resident on” or “transiting through,” while Sections 325 (IC) and 941 (DOD) will apply only to networks or information systems that “contain or process” covered information.  Additionally, the UCTI rule requires contractors to report more detailed information about the compromise than what is listed in Sections 325 and 941.  Given that the UCTI rule is broader, contractors currently in compliance with the UCTI rule may have a head start on complying with the forthcoming IC and DOD regulations.

David Fagan

David Fagan co-chairs the firm’s top ranked practices on cross-border investment and national security matters, including reviews conducted by the Committee on Foreign Investment in the United States (CFIUS), and data privacy and cybersecurity.


David has been recognized by Chambers USA and Chambers Global for his leading expertise on bet-the-company CFIUS matters and has received multiple accolades for his work in this area, including twice being named Dealmaker of the Year by The American Lawyer. Clients laud him for “[seeing] far more matters than many other lawyers,” his “incredible insight,” and “know[ing] how to structure deals to facilitate regulatory reviews” (Chambers USA).

David’s practice covers representations of both foreign and domestic companies before CFIUS and related national security regulators. The representations encompass matters in which the principal assets are in the United States, as well as those in which there is a smaller U.S. nexus but where solving for the CFIUS issues—including through proactive mitigation and carve-outs—is a critical path for the transaction. David has handled transactions for clients across every sector subject to CFIUS review, including some of the most sensitive and complex matters that have set the template for CFIUS compliance and security agreements in their respective industries. He is also routinely called upon to rescue transactions that have run into challenges in CFIUS, and to negotiate solutions with the U.S. government that protect national security interests, while preserving shareholder and U.S. business interests.

Reflecting his work on U.S.-China investment issues and his experience on complex U.S. national security matters intersecting with China, David is regularly engaged by the world’s leading multi-national companies across a range of industries to advise on strategic legal projects, including supply chain matters, related to their positioning in the emerging competition between the U.S. and China, as well as on emerging legal issues such as outbound investment restrictions and regulations governing information and communications technologies and services (ICTS). David also has testified before a congressional commission regarding U.S. national security, trade, and investment matters with China.

In addition, in the foreign investment and national security area, David is known for his work on matters requiring the mitigation of foreign ownership, control or influence (FOCI) under applicable national industrial security regulations, including for many of the world’s leading aerospace and defense companies and private equity firms, as well as telecommunications transactions that undergo a public safety, law enforcement, and national security review by the group of agencies known as “Team Telecom.”

In his cybersecurity practice, David has counseled companies on responding to some of the most sophisticated documented cyber-based attacks on their networks and information, including the largest documented infrastructure attacks, as well as data security incidents involving millions of affected consumers. He has been engaged by boards of directors of Fortune 500 companies to counsel them on cyber risk and to lead investigations into cyber attacks, and he has responded to investigations and enforcement actions from the Federal Trade Commission (FTC) and state attorneys general. David has also helped clients respond to ransomware attacks, insider theft, vendor breaches, hacktivists, state-sponsored attacks affecting personal data and trade secrets, and criminal organization attacks directed at stealing personal data, among other matters.