Skip to main content
Top Button
DFARS Cyber-Incidents: Effective Incident Response To Streamline Defense Contractor Reporting Requir DFARS Cyber-Incidents: Effective Incident Response To Streamline Defense Contractor Reporting Requir

DFARS Cyber-Incidents: Effective Incident Response To Streamline Defense Contractor Reporting Requirements

Defense contractors must report cyber-incidents that affect covered defense information (CDI) within 72 hours of discovering the incident occurred, to be in compliance with the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012. In other words, if an unauthorized actor gains access to certain sensitive defense contract information residing on your computer network, then you are required to report the cyber-incident to the Department of Defense (DoD).

The breadth and detail of information you are required to report in the initial 72-hour timeframe can be quite onerous, especially when you are simultaneously trying to understand what transpired and to secure your network in the wake of a cyber-attack. Implementing an effective DFARS incident response plan ahead of a reporting incident is the only practical way to ensure you can meet the notification requirement by setting up a streamlined process that allows your team to focus on incident response alongside notifications.

What is CDI?

For an incident to trigger your reporting requirement there must be unauthorized access to CDI or the systems that house it. CDI is information related to your defense contracts—such as so-called Controlled Unclassified Information or information which is export controlled or restricted under U.S. export control laws or regulations as listed at https://www.archives.gov/cui/registry/category-list—which is either:
 
  1. Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or
  2. Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.
Many entities subject to the DFARS are uncertain as to what CDI covers, where they may hold or process CDI, and what protections to apply to CDI. It is highly advisable to have these questions resolved well in advance of an incident—whether through information governance or data mapping, such that questions about the presence of CDI can be quickly addressed during the initial window of reporting around an incident.

How do I report a DFARS cyber-incident?

To report a DFARS cyber-incident, you must access the DIBNet portal (https://dibnet.dod.mil) and complete the fields in the Incident Collection Format (ICF). However, access to this form requires a DoD-approved medium assurance public key infrastructure (PKI) certificate, which can be obtained through one of the External Certificate Authorities identified by the DoD at http://iase.disa.mil/pki/eca/Pages/certificate.aspx. The timeline for submitting and processing a PKI certificate request can take several days. We recommend you set up your PKI in advance, again to reduce the time to respond in any incident.

What do I need to report?

Upon discovery of a cyber-incident, defense contractors must report the following 20 items listed in the ICF within 72 hours:
 
  1. Company name
  2. Company point of contact information (address, position, telephone, email)
  3. Data Universal Numbering System (DUNS) Number
  4. Contract number(s) or other type of agreement affected or potentially affected
  5. Contracting officer or other type of agreement point of contact (address, position, telephone, email)
  6. USG program manager point of contact (address, position, telephone, email)
  7. Contract or other type of agreement clearance level (unclassified, confidential, secret, top secret, not applicable)
  8. Facility CAGE code
  9. Facility clearance level (unclassified, confidential, secret, top secret, not applicable)
  10. Impact to covered defense information
  11. Ability to provide operationally critical support
  12. Date incident discovered
  13. Location(s) of compromise
  14. Incident location CAGE code
  15. DoD programs, platforms or systems involved
  16. Type of compromise (unauthorized access, unauthorized release (includes inadvertent release), unknown, not applicable)
  17. Description of technique or method used in cyber incident
  18. Incident outcome (successful compromise, failed attempt, unknown)
  19. Incident/compromise narrative
  20. Any additional information 
Who do I notify?

DFARS 252.204-7012 requires prime contractors and subcontractors to report DFARS cyber-incidents to the DoD as discussed above. In addition, subcontractors must also notify the prime contractor or next higher-tier subcontractor of the incident as soon as practicable. Separately, contractors might have notification obligations unique to their subcontracts that require them to provide information to other contractors beyond what the DFARS requires. Outside of the DFARS context, a contractor may also have obligations under state or other federal data breach notifications if the impacted data involved PII or PHI. All of these notifications may implicate business and legal liabilities and should be carefully assessed to understand the scope of concerns that may be triggered once a mandatory reporting obligation arises.

How can I address my DFARS response requirements now?

Contractors should implement a DFARS incident response plan in procedure and practice.  Understanding and meeting the DFARS reporting requirement in 72 hours can be exceedingly difficult, even when an entity is well prepared, and practically impossible if unprepared or caught flat-footed. Implementing an effective incident response plan, testing the plan, and training employees, can streamline your response efforts, allowing you to comply with the regulation and focus on securing your operations. Effective incident response plans should be thoughtfully tailored to the organization, culture, networks, and threat spectrum that faces the applicable entity. In general, an incident response plan for DFARS compliance might include the following:
 
  1. Identify CDI. Because the reporting requirement is triggered when CDI is compromised, defense contractors should identify and catalog CDI kept in their possession and keep it somewhere with limited access. This requires contractors to review government contracts, task orders, and delivery orders to locate information marked as “CDI,” “CONTROLLED,” “CUI,” or the like. However, not all CDI is marked and, thus, might require additional analysis by the contractor or requests for information from the contracting officer. Having in place an ongoing process to keep the data catalog current is key, as data sets tend to grow quickly.
  2. Complete general ICF items. As discussed above, the DoD requires contractors to include responses to the 20 questions listed in the ICF. Many of those questions, however, can be answered before an incident occurs, such as company name, company point of contact information, DUNS, etc. To reduce the workload in the event of a cyber-incident, contractors should consider answering general ICF questions now and keeping these forms on file. This exercise will also help you identify and organize any CDI in your possession.
  3. Acquire a Medium-Assurance PKI Certificate. DoD-approved medium assurance public key infrastructure (PKI) certificates, which can be obtained through one of the External Certificate Authorities identified by the DoD at http://iase.disa.mil/pki/eca/Pages/certificate.aspx, are required to submit a cyber-incident report. Because submitting and processing a PKI certificate request can take several days, it is recommended that you acquire one now to have a certificate on file instead of trying to obtain one after the incident.  
  4. Review and Track Reporting Requirements under Subcontracts. Although the DFARS requires subcontractors to report cyber-incidents to the DoD, contracts between prime and subcontractors or lower-tiered contractors may include different or additional cyber-incident reporting requirements. Contractors should review their subcontracts and track their requirements to ensure compliance. Similarly, contractors should revise their own subcontracts for future engagements to ensure they flow down the DFARS reporting requirements to their subcontractors. Such reviews should also take into account the commercial impact of an incident to the prime and sub-prime, as this may argue in favor of taking additional measures to protect the systems and data involved.
  5. Incorporation into Cyber Maturity Model Certification (CMMC). Soon, DoD’s required third-party cybersecurity certification under CMMC will be rolled out. This go/no-go requirement will limit business with the DoD to certified contractors and exclude the rest. Having a DFARS incident response plan in place will help you on your way to achieving your desired CMMC Maturity Level.  
Conclusion
 
Ice Miller has extensive experience with cyber incident reporting requirements and DoD contract compliance and can assist you with implementing an incident response plan. Our team includes Guillermo Christensen, a partner in our DC office with close to 20 years of national security experience in the CIA and the intelligence community with a focus on nation-state threats and response; Christian Robertson, a former US Air Force intelligence officer who regularly advises clients on government contract matters; and Clayton Heil, a partner in Ice Miller Strategies with prior experience in Congress on homeland security matters.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.
 
View Full Site View Mobile Optimized