Companies doing business with the U.S. Department of Defense are facing new requirements for reporting data security breaches and for acquiring cloud computing services. The Interim Rule, effective August 26, 2015, amends the Defense Federal Acquisition Regulation Supplement (DFARS) to implement sections of the National Defense Authorization Act for Fiscal Years 2013 and 2015, which require DoD contractors to report network penetrations resulting in a compromise of covered information within 72 hours. The type of information covered by the Interim Rule includes controlled technical information, export controlled information, critical information and other information requiring protection by law or regulation. The Interim Rule also establishes new policies for contracts covering cloud computing, including the requirement to maintain government data within the United States. Given the urgency of implementing federal cybersecurity measures protecting sensitive defense information, the Interim Rule went into effect immediately, with comments due October 26, 2015 to be considered in the final rule. The Interim Rule is available here for review.