As Bobby has already noted the conference report on the NDAA was filed last night. Some readers may recall that I was concerned about section 936 of the Senate version of the bill — a provision that requires Defense contractors to report cyber breaches without affording them liability protection and without allowing DoD to share the threat or vulnerability information with other parts of the Government. As I said at the time, it was the worst of both worlds — mandatory reporting without information sharing.
Earlier today, I wrote that “it appears that Section 936 was removed from the bill in conference.” Sadly, it wasn’t — it was just renumbered as new section 941, where it resides in all its glory, soon to become law.