US Defense Contractors Still Waiting For Breach Notification Rules
An anonymous reader writes US Department of Defense contractors will have to wait until September 24 to see what specific rules they will be required to follow when it comes to the reporting of computer breaches to the DoD. This particular requirement was mandated by the US Congress last year, in an attempt to get a clear view of the type and frequency of attacks contractors face. The US Congress will require "cleared defense contractors" — i.e. those who have been granted clearance by the DoD to access, receive, or store classified information — to effect a rapid report in the wake of a successful breach, and to include in it a description of the technique or method used in the penetration, a sample of the malicious software used (if discovered), and a summary of information created for the Department in connection with any Department program that has been potentially compromised due to such penetration.
Quickly now, tell us about the breach. (Score:2)
But not yet, maybe by next month we'll figure out how quickly we want you to tell us.
Re: (Score:1)
One would assume that this would be basic common sense.
Tune in tomorrow when we'll bring the results of the multi-billion dollar, decades-long study on how best to drink a glass of water.
Re: (Score:3)
One would assume that this would be basic common sense.
Not really, from the defense contractor's point of view. If they do have a breach, it is in their best interest to cover it up. Without any rules in place, they are not violating any rules. If there are rules in place, then covering it up would be a violation of those rules, so in some cases it would be in their best interest not to cover it up (risk/reward).
Re: (Score:2)
Contractor: Hi DoD, we've been breached.
DoD: How did this occur?
Contractor: We don't yet know.
DoD: What's been stolen?
Contractor: We don't yet know.
DoD: What are you going to do about it?
Contractor: We're working on it.
DoD: Damnit, we want instant karma information right NOW!!! Tell us everything you know!!
Contractor: We just did.
DoD: When will you know everything that's happened?
Contractor: We're assessing that, what specifically would you like to know.
DoD: Everything! Damnit!
Contractor: What format would y
Simple two line answer (Score:2)
A mentally ill Brit stumbles across some web pages that are publicly available by accident - extradite and jail the bastard!
That seems to be the practice up to this point.
What!?! (Score:1)
Congress was actually able to get something done last year!?!
Oh wait! Upon further review, I see that this is part of the National Defence Spending Authorization Bill...
'Nuff said.
The rules are already out (Score:3)
You must disclose any breach at least 90 days prior to discovery or 60 days prior to its occurrence, whichever comes first. Any breach occurring without advance notification will be dealt with severely.
You must disclose all breaches on Form 27B/6. The form is secret and you do not have access to it.
Access to your system by any person on the 'no access list' will be considered a breach. The identity of persons on the 'no access list' is secret, and the Government will not inform you of whether any given person is or is not on it.
Knowing of any breach makes a person a 'high risk' individual. 'High risk' individuals shall be added to the 'no access list.'
The Government reserves the right to access your system at any time without notification. Allowing anyone, including the Government, access without advance approval is a security breach.
These rules themselves are secret and you do not have access to them.
Thank you for your cooperation, Citizen.
It's Not That They Need Clarification (Score:2)
What if they don't notice? (Score:2)
If they don't notice they've been breached, are they still required to go through with the embarrassing and expensive analysis and report of the breach?
Congress is in the Dark, NOT DoD (Score:1)
Re: (Score:2)
Breaches are already reported from the contractor's SSO to the government program office's SSO within 24 hours.
If they become aware of them.
Congress' issue is that they don't know what is going on and they decided to meddle in this one particular detail.
Or they have been made aware that some security breaches are not being reported properly up the chain to the DIA. And they want oversight.
Contractors absolutely do not attempt to cover this up; getting caught covering something like this up would cause them to immediately lose their funding and the right to bid on future contracts.
Yeah, right. We'd be fighting our next war with pointed sticks.
I've worked at a DoD contractor in the past. Unacknowledged malware infections were rampant. And we had a couple of people running their own software businesses on company time and company equipment. Guess what? Still a DoD contractor.