What Are the Cyber Incident Reporting Requirements for Department of Defense (DOD) Contractors?

September 14, 2021

Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 sets requirements for safeguarding covered defense information and for cyber incident reporting. This contract clause is commonly recognized for introducing the requirement to implement the 110 security controls outlined in NIST 800-171.

However, the DFARS clause also includes key cyber incident reporting requirements for covered defense contractors. These include:

(c) Cyber incident reporting requirement

(1) When the Contractor discovers a cyber incident that affects a covered contractor information system or the covered defense information residing therein, or that affects the contractor’s ability to perform the requirements of the contract that are designated as operationally critical support and identified in the contract, the Contractor shall –

(i) Conduct a review for evidence of compromise of covered defense information, including, but not limited to, identifying compromised computers, servers, specific data and user accounts. This review shall also include analyzing covered contractor information system(s) that were part of the cyber incident, as well as other information systems on the contractor’s network(s), that may have been accessed as a result of the incident in order to identify compromised covered defense information, or that affect the contractor’s ability to provide operationally critical support; and

(ii) Rapidly report cyber incidents to DoD at https://dibnet.dod.mil.

(2) Cyber incident report. The cyber incident report shall be treated as information created by or for DoD and shall include, at a minimum, the required elements at https://dibnet.dod.mil.

(3) Medium assurance certificate requirement. In order to report cyber incidents in accordance with this clause, the Contractor or subcontractor shall have or acquire a DoD-approved medium assurance certificate to report cyber incidents. For information on obtaining a DoD-approved medium assurance certificate, see https://public.cyber.mil/eca/.

Per the definitions in DFARS 252.204-7012:

  • “Covered defense information” means unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry at http://www.archives.gov/cui/registry/category-list.html, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations and government-wide policies, and is —
    • Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or
    • Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.
  • “Rapidly report” means within 72 hours of discovery of any cyber incident.

The items highlighted in bold indicate that a cybersecurity incident involving CUI data must be reported to the DOD within a period not to exceed 72 hours from discovery.

DFARS 252.204-7012 also includes the following requirements:

(e) Media preservation and protection. When a Contractor discovers a cyber incident has occurred, the Contractor shall preserve and protect images of all known affected information systems identified in paragraph (c)(1)(i) of this clause and all relevant monitoring/packet capture data for at least 90 days from the submission of the cyber incident report to allow DoD to request the media or decline interest.

(f) Access to additional information or equipment necessary for forensic analysis. Upon request by DoD, the Contractor shall provide DoD with access to additional information or equipment that is necessary to conduct a forensic analysis.

(g) Cyber incident damage assessment activities. If DoD elects to conduct a damage assessment, the Contracting Officer will request that the Contractor provide all of the damage assessment information gathered in accordance with paragraph (e) of this clause.

The items in bold above highlight important preservation and retention requirements related to a cyber incident. Contact Aprio’s Government Contracting team for more information and guidance.