New, sweeping defense contractor rules on hack notifications take effect today, adding to a flurry of Pentagon IT security policies issued in recent years.

Just this month, the Office of Management and Budget proposed guidelines to homogenize the way vendors secure data governmentwide. The Defense Department had already released three other policies that dictate how military vendors are supposed to handle sensitive IT.

Now, industry, which is already concerned about overlapping and burdensome cyber rules, worries the Pentagon will go back and retroactively change contracts, after the White House draft is finalized. 

The new Pentagon regulations for “Network Penetration Reporting and Contracting for Cloud Services” cover more types of incidents and more kinds of information than past policies. The guidelines, which were published Wednesday, also apply to a broader swath of the contracting community. 

The objective here is to more tightly control the way defense data traverses contractor systems and is stored by companies, military officials say.  

“The benefits of the increased security requirements implemented through this rule are that more information will be protected from release, inadvertently or through malicious intent,” and in so doing strengthen national security,” Jennifer Hawes, editor of the Defense Acquisition Regulations System, said in the policy. 

Ongoing attacks against military contractors prompted the release of Wednesday’s regulations, according to the Pentagon. 

The “interim rule” will kick in before a public comment period because of “the urgent need to protect covered defense information and gain awareness of the full scope of cyberincidents being committed against defense contractors,” Hawes…

Continue Reading