Raytheon voices concerns on DOD cyber-incident reporting rule

Raytheon is expressing concerns about the Pentagon's second interim rule on cyber-incident reporting, which gives defense contractors more time to implement new security requirements but still increases government oversight.

Inside Cybersecurity reports this week that the first interim rule on breach reporting and contracting for cloud services was issued last August in response to a congressional mandate and became effective immediately. It required contractors and subcontractors to report "cyber incidents that result in an actual or potentially adverse effect on a covered contractor information system or covered defense information residing therein, or on a contractor's ability to provide operationally critical support." Further:

But the regulation drew many complaints from industry, including calls for the Defense Department to reconsider its decision to have the new regulations focus on the standards in the National Institute of Standards and Technology's Special Publication (SP) 800-171, "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations," rather than NIST SP 800-53, "Security and Privacy Controls for Federal Information Systems and Organizations."

"There still are concerns regarding the significant increase in the depth and breadth of government oversight into contractor networks without the benefit of the close and cooperative collaboration between industry and the government that has served us well to date," Raytheon writes in a Feb. 11 letter to the Defense Department. "We believe many of our concerns about the interim rule could be addressed by such collaboration going forward."

The letter identifies Raytheon's concerns in several categories: versions, definitions, marking, applicability, process, security controls, suppliers, incident reporting, post-incident investigations and cost recovery.

Public comments on the second interim rule are due to DOD by the end of the month.