The government will use reported information regarding threats and vulnerabilities at its discretion to help protect information systems in the future. “A standardized system for tracking and reporting unclassified breaches will help assess the impact of loss, better understand the methods of loss, and facilitate information sharing and collaboration,” the policy states.
DoD said that most efforts to protect this type of data are already standard practice for many contractors, saying the proposed rule requires a “basic and enhanced level of information protection,” but acknowledged that a financial burden was possible for smaller contractors. DoD estimates, however, that the rule will affect 76 percent of its small business contractors, as they will be required to provide enhanced protection of DoD data.
“For the basic protection, the resultant cost impact is considered to not be significant since the first-level protective measures (i.e. updated virus protection, the latest security software patches, etc.) are typically employed as part of the routine course of doing business,” DoD wrote.