The US government has posted a new set of rules outlining how cloud providers should report IT security cockups that involve Uncle Sam's data.
The new Department of Defense (DoD) rules [PDF] include requirements on how contractors who handle government information should deal with computer network breaches and attacks, and how to report them to government agencies.
The rules apply only to those contractors whose cloud services host unclassified material. Classified data is covered by a different set of reporting rules and security requirements.
The DoD estimates that the new rules cover as many as 10,000 companies who hold contracts to handle government data.
"This interim rule requires contractors and subcontractors to report cyber incidents that result in an actual or potentially adverse effect on a covered contractor information system or covered defense information residing therein, or on a contractor's ability to provide operationally critical support," the DoD said.
"DoD is working to establish a single reporting mechanism for DoD contractor reporting of cyber incidents on unclassified information systems."
The requirements include reporting cyber-intrusions to the DoD within 72 hours, recording and saving all affected disk and system images for a period of 90 days, and isolating and sharing any malware discovered on a system holding government data.
The rules also outline how government agencies should select cloud computing providers, factoring in requirements such as the hard storage of data at a US facility.
"Generally, the DoD shall acquire cloud computing services using commercial terms and conditions that are consistent with Federal law, and an agency's needs," the notification reads.
Though they aim to simplify cloud computing storage and security, the rules could also create more confusion over the handling of government data. As noted by NextGov, the rules are considered temporary, are subject to rewrites, and interact with previous contractor regulations posted in 2013 and 2015. ®