04 Sep 2015, 5:04 pm
Under the plans, the DoD's cloud suppliers and subcontractors will need to "report cyber incidents that result in an actual or potentially adverse effect on a covered contractor information system or covered defence information" they hold "or on a contractor’s ability to provide operationally critical support".
The DoD said the new rules (10-page / 297KB PDF) follow "recent high-profile breaches of federal information". Those breaches "show the need to ensure that information security protections are clearly, effectively, and consistently addressed in contracts".
It warned of the potential harm to the US government if "defence information or other government data" is compromised or if there was a "loss of operationally critical support capabilities". Such breaches "could directly impact national security", the DoD said.
New cyber incident reporting requirements are expected to be introduced into EU law through the proposed Network and Information Security (NIS) Directive.
