July 9, 2020

Volume X, Number 191

Cleared Intelligence Contractors Readying for New Cybersecurity Reporting Requirements

When it became law on July 7, 2014, the 2014 Intelligence Authorization Act (“IAA”) gave the Director of National Intelligence (“DNI”) 90 calendar days to issue new regulations addressing the requirement that “cleared intelligence contractors” report any “successful penetration” of their networks and information systems.  With the DNI on the clock, what can these contractors expect?

For one thing, following a penetration of a covered network or information system, the DNI regulations will require that a cleared intelligence contractor report the following information to a designated element of the Intelligence Community (“IC”):

  • A description of the technique or method used in such penetration;

  • A sample of the malicious software, if discovered and isolated by the contractor, involved in such penetration; and

  • A summary of information created by or for an element of the IC that has been potentially compromised.

The DNI regulations will specify the turn-around time for these reports (by comparison, under regulations for Department of Defense contracts, a report would be required within 72 hours).

Some requirements may be more onerous.  For example, the DNI regulations will implement an IAA requirement that intelligence community contractors give IC personnel access to equipment or information in the event of a “successful penetration” of a covered network so that the IC personnel can conduct a forensic analysis of the breach.  The regulations should prohibit the IC from disseminating the information from such a forensic analysis without the contractor’s consent.  Still, whether the IC will be barred from using the information for other purposes, such as for responsibility or past performance determinations, is unclear.

For more detailed information concerning the rapid reporting requirements under the IAA, please see our recent blog post addressing this topic.

© 2020 Covington & Burling LLP

National Law Review, Volume IV, Number 257


About this Author

Susan B. Cassidy, Government Contracts Attorney, Covington Burling, Law Firm

Susan Cassidy advises clients on the complex rules and regulations imposed on government contractors, with a special emphasis on the defense and intelligence sectors. She combines a sophisticated knowledge of the FAR and DFARS with the practical insight gained from senior in-house positions at both dedicated defense and commercial item contractors.

Ms. Cassidy conducts internal investigations for clients on a wide array of government contracts and national security compliance issues. She regularly advises on FAR mandatory disclosure obligations and represents...

Catlin Meade, Cybersecurity lawyer, Covington

Catlin Meade advises clients across a broad range of cybersecurity and government contracts matters, including government and internal investigations, compliance with cybersecurity and data breach regulations, and SAFETY Act applications.

Representative Matters

  • Counsel to multiple companies in responding to data and cybersecurity incidents.
  • Advised a leading defense contractor on a multi-million-dollar prime-subcontractor dispute in connection with a NATO contract.
  • Key member of team that successfully represented a large government contractor in proceedings before a military department Suspending and Debarring Official, resulting in a determination of present responsibility.
  • Advised Fortune 100 financial services corporation on all aspects of federal contracting, including legal review of solicitations, contract administration, and novation of existing contracts in connection with the company's global reorganization of various business units.
  • Represented three large sports stadiums during their successful efforts to obtain SAFETY Act protection for their respective security programs.
  • Advised top software company on compliance with newly-promulgated cybersecurity regulations.