This guide was written to help DoD contractors and subcontractors quickly understand what is required of them to take proper action after they either suspect or discover a cyber incident on their information systems in compliance with DFARS regulations.
If instead you need information about how to protect yourself from cyber incidents, please see our guide on NIST 800-171 for DFARS Compliance.
What is a Cyber Incident?
According to DFARS clause 252.204-7012, a cyber incident is defined as “actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on a DoD contractor’s information system and/or the information residing therein.” This broad definition covers actions taken internally by DoD contractors or subcontractors as well as actions by unauthorized outsiders, such as cyber criminals or foreign actors.
In simple terms, a cyber incident is any action taken, either internally or externally, that results in the compromise or potential compromise of a DoD contractor’s information system.
How to Know if There’s a Cyber Incident
Part of the DFARS regulation requires DoD contractors and subcontractors to implement and use cyber security monitoring tools. These tools may have been implemented by your internal IT department, by an outsourced IT service provider, or by a Managed Security Service Provider (MSSP) like SysArc; if none of them has done so, that gap itself needs to be closed. Properly configured monitoring tools alert you to any compromise, or attempt to compromise, your information systems.
How to Report a Cyber Incident to the DoD
According to the definitions in DFARS 204.7301, a cyber incident must be “rapidly reported,” meaning within 72 hours of your discovery of the incident. The policy in DFARS 204.7302 then states that DoD contractors and subcontractors must submit the following via the DoD reporting website:
- A cyber incident report;
- Malicious software, if detected and isolated; and
- Media (or access to covered contractor information systems and equipment) upon request.
What information goes in the incident report?
DoD Contractors that are not providing Cloud Services
On the DIBNet Portal website, DoD contractors, except those providing cloud services, are required to submit as many of the following 20 items of information as possible:
- Your company name
- Company point of contact information (address, position, telephone, email)
- Data Universal Numbering System (DUNS) Number
- Contract number(s) or other type of agreement affected or potentially affected
- Contracting Officer or other type of agreement point of contact (address, position, telephone, email)
- USG Program Manager point of contact (address, position, telephone, email)
- Contract or other type of agreement clearance level (Unclassified, Confidential, Secret, Top Secret, Not applicable)
- Facility CAGE code
- Facility Clearance Level (Unclassified, Confidential, Secret, Top Secret, Not applicable)
- Impact to Covered Defense Information
- Ability to provide operationally critical support
- Date incident discovered
- Location(s) of compromise
- Incident location CAGE code
- DoD programs, platforms or systems involved
- Type of compromise (unauthorized access, unauthorized release (includes inadvertent release), unknown, not applicable)
- Description of technique or method used in cyber incident
- Incident outcome (successful compromise, failed attempt, unknown)
- Incident/Compromise narrative
- Any additional information
DoD Contractors that are providing Cloud Services
For DoD Contractors providing Cloud Services on behalf of the Department of Defense, the DoD requires you to submit the following 16 items of information:
- Contract information to include contract number, USG Contracting Officer(s) contact information, contract clearance level, etc.
- Contact information for the impacted and reporting organizations as well as the MCND
- Details describing any vulnerabilities involved (i.e., Common Vulnerabilities and Exposures (CVE) identifiers)
- Date/Time of occurrence, including time zone
- Date/Time of detection and identification, including time zone
- Related indicators (e.g. hostnames, domain names, network traffic characteristics, registry keys, X.509 certificates, MD5 file signatures)
- Threat vectors, if known (see Threat Vector Taxonomy and Cause Analysis flowchart within the US-CERT Federal Incident Notification Guidelines)
- Prioritization factors (i.e. functional impact, information impact, and recoverability as defined in the flowchart within the US-CERT Federal Incident Notification Guidelines)
- Source and Destination Internet Protocol (IP) address, port, and protocol
- Operating System(s) affected
- Mitigating factors (e.g. full disk encryption or two-factor authentication)
- Mitigation actions taken, if applicable
- System Function(s) (e.g. web server, domain controller, or workstation)
- Physical system location(s) (e.g., Washington DC, Los Angeles, CA)
- Sources, methods, or tools used to identify the incident (e.g., Intrusion Detection System or audit log analysis)
- Any additional information relevant to the incident and not included above
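The two checklists above and the 72-hour rule are easy to lose track of in the middle of an incident. The following is an added example, not tooling from SysArc, DIBNet or the DoD, that turns them into a simple readiness check: it computes the rapid-reporting deadline from a timezone-aware discovery timestamp, rejects timestamps that omit the time zone (the cloud checklist asks for it explicitly), and lists which items of the applicable checklist are still blank in a draft report. The short field keys are this example's own shorthand for the items listed on the page; the DIBNet form uses its own labels. The sample draft report is constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# DFARS 204.7301: "rapidly report" means within 72 hours of discovery.
RAPID_REPORT_WINDOW = timedelta(hours=72)

# Shorthand keys (this example's own, not DIBNet's labels) for the 20 items
# required of contractors that are not providing cloud services.
NON_CLOUD_FIELDS = (
    "company_name", "company_poc", "duns_number", "contract_numbers",
    "contracting_officer_poc", "usg_program_manager_poc", "contract_clearance_level",
    "facility_cage_code", "facility_clearance_level", "cdi_impact",
    "operationally_critical_support", "date_discovered", "compromise_locations",
    "incident_cage_code", "dod_programs_involved", "compromise_type",
    "technique_description", "incident_outcome", "narrative", "additional_info",
)

# Shorthand keys for the 16 items required of cloud service providers.
CLOUD_FIELDS = (
    "contract_info", "contact_info", "vulnerabilities", "occurrence_datetime",
    "detection_datetime", "related_indicators", "threat_vectors",
    "prioritization_factors", "source_dest_ip_port_protocol", "operating_systems",
    "mitigating_factors", "mitigation_actions", "system_functions",
    "physical_locations", "identification_sources", "additional_info",
)


def parse_timestamp(text: str) -> datetime:
    """Parse an ISO 8601 timestamp and insist that it carries a UTC offset.

    A timestamp without a time zone makes the 72-hour deadline ambiguous,
    so it is rejected rather than silently assumed to be local time.
    """
    parsed = datetime.fromisoformat(text)
    if parsed.tzinfo is None or parsed.utcoffset() is None:
        raise ValueError(f"timestamp {text!r} has no time zone; include one")
    return parsed


def reporting_deadline(discovered_at: datetime) -> datetime:
    """Latest moment at which a report still counts as 'rapid'."""
    return discovered_at + RAPID_REPORT_WINDOW


def missing_fields(report: dict, provides_cloud_services: bool) -> list:
    """Return checklist items that are absent or blank, in the page's order."""
    required = CLOUD_FIELDS if provides_cloud_services else NON_CLOUD_FIELDS
    missing = []
    for key in required:
        value = report.get(key)
        if value is None or (isinstance(value, str) and not value.strip()):
            missing.append(key)
    return missing


def reporting_status(report: dict, discovered_at: str, now: str,
                     provides_cloud_services: bool = False) -> dict:
    """Summarise where a draft report stands against the deadline and checklist."""
    deadline = reporting_deadline(parse_timestamp(discovered_at))
    current = parse_timestamp(now)
    remaining = deadline - current
    gaps = missing_fields(report, provides_cloud_services)
    return {
        "deadline_utc": deadline.astimezone(timezone.utc).isoformat(),
        "hours_remaining": round(remaining.total_seconds() / 3600, 1),
        "overdue": current > deadline,
        "missing_fields": gaps,
        "ready_to_submit": not gaps,
    }


# Constructed sample draft: a non-cloud contractor partway through the form.
# Identifiers are placeholders, not real contract or DUNS numbers.
SAMPLE_DRAFT = {
    "company_name": "Example Defense Widgets LLC",
    "company_poc": "J. Doe, IT Manager, 555-0100, jdoe@example.invalid",
    "duns_number": "PLACEHOLDER-DUNS",
    "contract_numbers": "PLACEHOLDER-CONTRACT-0001",
    "date_discovered": "2024-01-15T09:30:00+00:00",
    "compromise_type": "unauthorized access",
    "incident_outcome": "unknown",
    "narrative": "   ",  # blank, so it is reported as missing
}

if __name__ == "__main__":
    status = reporting_status(SAMPLE_DRAFT,
                              discovered_at=SAMPLE_DRAFT["date_discovered"],
                              now="2024-01-16T09:30:00+00:00")
    print(f"Deadline (UTC): {status['deadline_utc']}")
    print(f"Hours remaining: {status['hours_remaining']}  overdue={status['overdue']}")
    print("Still missing:", ", ".join(status["missing_fields"]))
```

Run it as a script to see the deadline and the outstanding items for the sample draft; in practice you would feed it your own draft and the current time. Blank strings are treated as missing on purpose, so a placeholder value does not make the report look complete.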
Do you need further assistance?
For DoD contractors who need further consultation, please feel free to give us a call at (866) 583-6946, or read about our NIST 800-171 Services. We help DoD contractors and subcontractors all over the United States comply with DFARS using the NIST 800-171 cyber security framework.