Susan Cassidy is quoted in a Federal Contracts Report article regarding the Defense Department’s updated cyber incident reporting rule. According to Cassidy, the rule succeeded in clarifying some industry concerns, but did not address them all. “They didn't take an opportunity to clarify everything you might have hoped they would.” For example, when asked whether Internet service providers fit the definition of subcontractors, the DOD punted, and said it would depend on the individual contract, she says. On the other hand, industry had complained about the requirement to report an incursion within 72 hours, and DOD made clear that it is going to keep that requirement.
Cassidy adds that the rule reflects a recognition that the more information the government has regarding hostile incursions, the better it can defend itself from ongoing attacks. “Because the threat is evolving, it's going to be in flux for a while. She continues, “Contractors are going to have to be flexible, and you hope that the government will remain equally flexible.”