The Pentagon has updated data breach rules for defense contractors to allow companies an extra year-and-a-half to comply with one portion.
The original regulations, titled "Network Penetration Reporting and Contracting for Cloud Services," took effect Aug. 26, 2015, and cover more network problems and types of information than past guidelines.
After hearing from 85 members of the public at an open meeting on Dec. 14, the Defense Department relaxed the regulations right before New Year's Eve.
This second rule has been issued "to provide immediate relief" from one stipulation that had required vendors to comply with certain standards as soon as they are awarded a contract, Pentagon officials said.
"Contractors are at risk of not being able to comply with the terms of contracts that require the handling of covered defense information," they said in the revision, which was published Dec. 30, 2015, in the Federal Register, the government’s daily journal.
At the meeting and in prior written comments, industry members emphasized they need an extension to institute certain National Institute of Standards and Technology security requirements (NIST SP 800-171).
Those protections, which include multistep login procedures for systems, would have had to be in place before June 2016. The update moves back the deadline to "as soon as practical" but no later than Dec. 31, 2017.
Now, contract awardees, within 30 days of winning work, must notify the department's chief information officer if any of the required NIST security controls are lacking. Pentagon officials say they believe the heads-up should enable the military to spot difficulties contractors are experiencing with requirements and possibly adjust them.
Also, the advance notice on security gaps "will inform the department in assessing the overall risk to DOD-covered defense information on unclassified contractor systems and networks," as well as "enable the department to monitor progress across the defense industrial base,” the notice stated.
Other key parts of last summer's rule remain intact, including the breadth of data covered. Defense information, whether stored in contractor systems or transiting company networks, must be protected, per the regulations.
Also unchanged, lead contractors and nonexempt subcontractors must report events that actually or potentially produce an "adverse effect" on a contractor's system or defense information within 72 hours of detection. Those firms also must report incidents that might interfere with the contractor's ability to provide "operationally critical support," the rule stated.
Past Defense authorization legislation and a spike in hacking campaigns prompted the new regulations.
"The proliferation of information technology and increased information access has exposed DOD and DOD contractor information systems and networks to greater vulnerability of attacks," officials said.
The Pentagon expects the reprieve might yield "a significant beneficial economic impact" on a substantial number of small companies, the regulation states.
About 10,000 contractors will be subject to the rules.
A Nov. 23 letter from the Council of Defense and Space Industry Associations had raised concerns that the initial rule, which kicked in without public comment, created technological, contract and compliance challenges "that cannot be addressed instantly by the defense industrial base or their supply chains."
Professional Services Council Executive Vice President Alan Chvotkin, who signed the letter but was not at the meeting, said he is "thankful" the Pentagon eased the requirements.
Still, even the looser rule adds to a growing number of mismatched cybersecurity policies the Obama administration is forcing on industry, he told Nextgov on Monday.
For example, in the wake of a massive breach of federal contractor and employee background checks, the White House released an Oct. 30, 2015 "Cybersecurity Strategy and Implementation Plan" that applies to government agencies and suppliers.
Meanwhile, in June 2015, NIST published guidelines for potential contractor clauses involving the protection of sensitive “controlled unclassified” information inside company systems. The Pentagon in May 2014 released rules involving counterfeit electronic parts, which aim to address the problem of downstream suppliers damaging computerized military systems.
"One of my frustrations with regulations generally is they are often written in isolation, not as one element of a multifaceted scheme for coverage" of information technology, Chvotkin said.