
DoD Issues its Long Awaited Final Rule on Cyber Incident Reporting and Cloud Computing

By Michael Scheimer, Mike Mason & Stacy Hadeka on October 21, 2016

On Friday, October 21, 2016, the Department of Defense (DoD) issued a final rule implementing changes to its December 2015 interim rule on DoD contractor cyber incident reporting and cloud computing. See our earlier reporting on the 2015 interim rule here. The final rule is effective upon the publication date, October 21, 2016. DoD has also issued a separate final rule for the Defense Industrial Base (DIB) Cybersecurity (CS) Activities program, effective November 3, 2016, that applies the same cyber incident reporting requirements to entities with other, non-procurement DoD agreements (e.g., contracts, grants, cooperative agreements, other transaction agreements, technology investment agreements, and any other type of legal instrument or agreement). See our post on that DIB final rule here.

The final rule includes a number of significant changes in response to public comments received on the interim rule. Although we will be releasing a more detailed analysis shortly, some key highlights of the final rule are:

  • Mirroring the recent Defense Industrial Base Cybersecurity Activities (DIB CS) final rule, the definition of “covered defense information” (CDI) in the Defense Federal Acquisition Regulation Supplement (DFARS) has been revised to include Unclassified Controlled Technical Information (UCTI) and all other types of Controlled Unclassified Information (CUI) on the CUI Registry. See our earlier analysis of the CUI final rule here.
  • In response to public comments, DoD has amended the rule to exclude solicitations and contracts for the acquisition of Commercial-off-the-shelf (COTS) items.
  • The final rule also amends DFARS clause 252.204–7000, Disclosure of Information, to clarify that fundamental research is exempt from the coverage of the rule (i.e., fundamental research, by definition, does not involve any CDI).
  • The rule has been amended to clarify that when a DoD contractor is not itself providing cloud computing services in the performance of the contract, but intends to use an external cloud service provider (CSP) to store, process, or transmit any CDI for the contract, then that external CSP must meet security requirements “equivalent to” those established by the government for the FedRAMP Moderate baseline at the time of award.

For additional information about this topic, please contact the authors of this posting or the Hogan Lovells attorney with whom you work.

  • Posted in:
    Technology and AI
  • Blog:
    Focus on Regulation
  • Organization:
    Hogan Lovells