A report published by the U.S. Government Accountability Office (GAO) on Dec. 8, 2021, highlights the complexity surrounding cybersecurity compliance for the Department of Defense (DOD) and its contractors. The GAO’s report recommended that the DOD improve its communication to industry, develop a plan to evaluate a pilot program, and develop outcome-oriented performance measures. This may also be an opportunity for DOD to simplify other defense industry cybersecurity compliance challenges, such as incident reporting.

CMMC Update

The GAO report focused on the DOD’s Cybersecurity Maturity Model Certification (CMMC), which is designed to address concerns about contractor protection of sensitive information. After unveiling the CMMC in January 2020 and considering a number of comments from the public — including one official comment from the U.S. Small Business Administration that small businesses may find it difficult to navigate the complex requirements of the CMMC — the DOD streamlined the framework on Nov. 4, 2021. Most significantly, the DOD reduced the number of certification levels in the CMMC from five to three.

Incident Reporting

The focus on cybersecurity is understandable. Forty-two percent of the top U.S. defense contractors reportedly suffered a data breach in 2020, and by one estimation, 20 percent are highly susceptible to a ransomware attack. Cyberattackers often seek access to and exfiltration of U.S. government contractors’ sensitive information related to U.S. government projects. This information can include controlled unclassified information, technical data subject to U.S. export controls and other sensitive information. But when these cyberattacks happen, defense contractors can face a maze of disclosure obligations to various U.S. government agencies.

U.S. government contractors that experience a cyberattack involving the potential release of controlled unclassified information generally must disclose such an incident to the DOD within 72 hours. If the compromised technical data is export-controlled under the International Traffic in Arms Regulations, then the victim of such a cyberattack may also be required to report the incident to the U.S. Department of State. Similarly, a cyberattack involving data that is subject to the Export Administration Regulations could also merit disclosure to the U.S. Department of Commerce. In addition, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) strongly advises all U.S. businesses to report ransomware attacks to the Cybersecurity and Infrastructure Security Agency, the FBI, or the U.S. Secret Service. If there is any reason to suspect a potential sanctions nexus with regard to a ransomware payment, OFAC directs victims to also report ransomware attacks and payments to OFAC itself and to the U.S. Department of the Treasury’s Office of Cybersecurity and Critical Infrastructure Protection.

U.S. government contractors could benefit from a similar streamlining of the various cybersecurity disclosure obligations to which they are subject. One option would be to create a central repository for reporting cyberattacks to the U.S. government. As the victims of such attacks learn more information about the types of data affected and the potential identity(ies) or location(s) of the attacker(s), and as U.S. government agencies draw preliminary conclusions about the incident, relevant agencies may be notified from that centralized reporting platform.

U.S. government contractors face a deluge of cyberattacks and resulting cybersecurity disclosure obligations. They should be aware of the increasing breadth and complexity of their cybersecurity compliance and reporting obligations. Perhaps more could be done to streamline these rules for defense contractors.