Out-Law News

Cloud suppliers to US defence department subject to new cyber security rules

The cloud providers and subcontractors that serve the US Department of Defence (DoD) will have to adhere to new cyber incident reporting rules under proposals recently outlined.

Under the plans, the DoD's cloud suppliers and subcontractors will need to "report cyber incidents that result in an actual or potentially adverse effect on a covered contractor information system or covered defence information" they hold "or on a contractor’s ability to provide operationally critical support".

The DoD said the new rules (10-page / 297KB PDF) follow "recent high-profile breaches of federal information". Those breaches "show the need to ensure that information security protections are clearly, effectively, and consistently addressed in contracts".

It warned of the potential harm to the US government if "defence information or other government data" is compromised or if there is a "loss of operationally critical support capabilities". Such breaches "could directly impact national security", the DoD said.

New cyber incident reporting requirements are expected to be introduced into EU law through the proposed Network and Information Security (NIS) Directive.
