Defense contractors must disclose cyber breaches

Defense contractors must now disclose cybersecurity breaches when they occur.

According to rules published in the Federal Register on Friday, contractors will be required to report breaches that “result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.”

The requirements “are focused on cyber incidents that threaten specific types of DoD program information.”

In the past, hackers have used contractor vulnerabilities to breach federal agencies, including the Office of Personnel Management. This year, investigators determined that hackers used compromised user credentials at KeyPoint Systems, a contractor that conducts background checks for the federal government, to work their way into the OPM database.

“There was a credential that was used and that’s the way they got in,” former OPM Director Katherine Archuleta said of her agency’s breach, which resulted in the theft of information on more than 21 million people.

An additional breach of USIS, another contractor that conducted background checks for federal agencies, resulted in the loss of data on another 27,000 individuals.

Other contractors that are often targeted by hackers, most notably by the Chinese, include Lockheed Martin and Northrop Grumman.
