BreachExchange mailing list archives

US defense contractors still waiting for breach notification rules


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 14 Aug 2014 19:07:23 -0600

http://net-security.org/secworld.php?id=17258

US Department of Defense contractors will have to wait until September 24
to see what specific rules they will be required to follow when it comes to
the reporting of computer breaches to the DoD.

This particular requirement was mandated by the US Congress last year, in
an attempt to get a clear view of the type and frequency of attacks
contractors face.

The US Congress will require "cleared defense contractors" - i.e. those who
have been granted clearance by the DoD to access, receive, or store
classified information - to rapidly report a successful breach, and to
include in the report a description of the technique or method used in the
penetration, a sample of the malicious software used (if discovered), and a
summary of information created for the Department in connection with any
Department program that has been potentially compromised due to such
penetration.

Defense contractors have become preferred targets for cyber spies who, it
seems, find their networks easier to breach than those of government
departments and agencies.

The March 2011 RSA hack is believed to have been executed in order to
compromise the company's SecurID tokens, widely used by a great number of
companies that do business with the government.

As the companies wait for the rules to be published, they have expressed
concern about government agents being allowed access to their networks so
that they can conduct forensic analysis of the attack (in addition to the
analysis conducted by the contractor). They are not too happy about the
possibility of the Pentagon having access to their trade secrets and
commercial, financial, and customer information.

Contractors are also eager to see whether the Pentagon will return the
favor and share threat information it has with the firms, so that they can
be better prepared to fend off attacks.

Smaller firms are worried that complying with some of the rules might be
too costly or impossible for them, which would ultimately make it
impossible to keep existing government contracts or win new ones.

What the contractors are really hoping for is some "clear guidance on how
to implement whatever requirements the government is looking to put into
place," Daniel Stohr, director of communications for the Aerospace
Industries Association, said to Bloomberg's Chris Strohm.

"We don't want contracting officers giving their personal interpretation of
what this rule would or should be," he noted.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
