As a part of the Senate’s recent passage of the 2013 National Defense Authorization Act, Senator Carl Levin (D-MI) has introduced an amendment that would direct the Department of Defense to establish procedures requiring contractors with security clearances to make disclosures when their covered networks have been successfully breached. Amendment 3195 appears to be the latest chapter in the recent trend at the federal and state levels to expand private sector obligations to report data security breaches.

However, this latest breach notification proposal by the Senate Armed Services Committee Chairman raises significant questions for those it seeks to regulate. In particular, the Amendment creates uncertainty about its scope and the notification process. SA 3195 broadly asks the DOD to determine not only the process by which contractors must report breaches, but also which contractor networks are subject to that process. If the DOD interprets the Amendment expansively, it could extend not only to classified networks, but also to those that are unclassified. Given the expanded responsibilities of the Defense Security Service (DSS) to assist government contractors with cybersecurity for both their classified and unclassified networks, the implementing DOD procedures would presumably follow suit and opt to include reporting requirements covering unclassified, in addition to classified, networks.

Amendment 3195 does establish broad audit and inspection rights for the DOD to probe the private networks of cleared DOD contractors. Specifically, the bill states that any resulting DOD process must include a mechanism by which the DOD can access a contractor’s networks to perform forensic analyses. Such right of entry may create some of the same tensions that DOD contractors experience in dealing with the scope of the Defense Contract Audit Agency’s access to a contractor’s financial and other sensitive information during an audit. Beyond the usual confidentiality concerns, this provision could open the door to other types of investigations if the DOD network audit uncovers wrongdoing unrelated to the original security breach. How deeply may the DOD penetrate the contractor’s networks? What happens if the DOD security auditors trip across attorney-client privileges or other secrets unrelated to the original purpose of the audit? Will a safe harbor be available to contractors? These questions remain unanswered.

Regardless of its future progress in Congress, Amendment 3195 – like many other legislative and regulatory expansions – reflects the growing scrutiny of contractors for data security breaches and cybersecurity shortfalls.

Kate Growley

Businesses around the globe rely on Kate M. Growley to navigate their most challenging digital issues, particularly those involving cybersecurity, artificial intelligence, digital infrastructure, and their intersection with national security. Clients seek her guidance on proactive compliance, incident response, internal and government-facing investigations, and policy engagement. With a unique combination of legal, policy, and consulting experience, Kate excels in translating complex technical topics into advice that is practical and informed by risk and business needs.

Kate has extensive experience working with members of the U.S. government contracting community, especially those within the Defense Industrial Base. She has partnered with contractors from every major sector, including technology, manufacturing, health care, and professional services. Kate is an IAPP AI Governance Professional (AIGP) and a Certified Information Privacy Professional for both the U.S. private and government sectors (CIPP/G and CIPP/US). She is also a Registered Practitioner with the U.S. Cybersecurity Maturity Model Certification (CMMC) Cyber Accreditation Body (AB).

Having lived in Greater China for several years, Kate also brings an uncommon understanding of digital and national security requirements from across the Asia Pacific region. She has notable experience with the regulatory environments of Australia, Singapore, Japan, and Greater China—including the growing regulation of data flows between the latter and the United States.

Kate is a partner in the firm’s Washington, D.C., office, as well as a senior director in the firm’s consultancy Crowell Global Advisors, to which she was seconded for several years. She is a founding member of the firm’s Privacy & Cybersecurity Group and part of the firm’s AI Steering Committee. She has been internationally recognized by Chambers and named a “Rising Star” by both Law360 and the American Bar Association (ABA). She has held numerous leadership positions in the ABA’s Public Contract Law and Science & Technology Sections and has been inducted as a lifetime fellow in the American Bar Foundation.