via Federal Times
Dipping its toe into mandatory compliance, the Pentagon is circulating for comment until Aug. 29 the proposed DFARS (Defense Federal Acquisition Regulation Supplement) rule that would compel contractors to disclose intrusions. The rule would require that contractors provide “adequate security,” report cyber incidents within 72 hours and review their networks to search for information about the attacks.
Chvotkin said that contractors agree with the notion of improving security but have questions about the rule.
“One of the underlying concerns in the DFARS proposed rule is that it makes security a contract compliance issue, so does a breach incur not only some liability and exposure but also a contract breach because you haven’t met the standards? Even if you’ve met the regulations, errors still occur,” he said.
He also pointed to the unknown liability risk, citing concerns about whether companies can trust that their anonymity will be preserved during the reporting process.