Support: 800-699-0925 Sales: 800-481-1984

SysArc

IT Company

Reporting Cyber Incidents with the Department of Defense

by

This guide was written to help DoD contractors and subcontractors quickly understand what is required of them to take proper action after they either suspect or discover a cyber incident on their information systems in compliance with DFARS regulations.

If you need information about how to protect yourself from cyber incidents, rather, please see our guide on NIST 800-171 for DFARS Compliance.

What is a Cyber Incident?

According to section 252.204-7012 of DFARS Documentation, a cyber incident is defined as “actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on a DoD contractor’s information system and/or the information residing therein.” This broad definition includes actions that are taken by DoD contractors or subcontractors internally, and unauthorized outsiders, such as cyber criminals or foreign actors.

In simple terms, a cyber incident is any action taken, either internally or externally, that results in the compromise or potential compromise of a DoD contractor’s information system.

How to Know if There’s a Cyber Incident

Part of the DFARS regulation requires DoD contractors and subcontractors to implement and utilize cyber security monitoring tools. These tools may or may not have been implemented by your internal IT department, outsourced IT service provider, or a Managed Security Service Provider (MSSP) like SysArc. These monitoring tools would alert you of any compromise or attempt to compromise your information systems.

How to Report a Cyber Incident to the DoD

According to DFARS 204.7301 definitions, a cyber incident must be “rapidly reported” within 72 hours of your discovery of the incident. 204.7302 policy then states that DoD contractors and subcontractors must submit the following information via the DoD reporting website:

  1. A cyber incident report;
  2. Malicious software, if detected and isolated; and
  3. Media (or access to covered contractor information systems and equipment) upon request.

What information goes in the incident report?

DoD Contractors that are not providing Cloud Services

On the DIBNet Portal website, DoD contractors, except those providing cloud services, are required to submit as much as the following 20 items of information as possible:

  1. Your company name
  2. Company point of contact information (address, position, telephone, email)
  3. Data Universal Numbering System (DUNS) Number
  4. Contract number(s) or other type of agreement affected or potentially affected
  5. Contracting Officer or other type of agreement point of contact (address, position, telephone, email)
  6. USG Program Manager point of contact (address, position, telephone, email)
  7. Contract or other type of agreement clearance level (Unclassified, Confidential, Secret, Top Secret, Not applicable)
  8. Facility CAGE code
  9. Facility Clearance Level (Unclassified, Confidential, Secret, Top Secret, Not applicable)
  10. Impact to Covered Defense Information
  11. Ability to provide operationally critical support
  12. Date incident discovered
  13. Location(s) of compromise
  14. Incident location CAGE code
  15. DoD programs, platforms or systems involved
  16. Type of compromise (unauthorized access, unauthorized release (includes inadvertent release), unknown, not applicable)
  17. Description of technique or method used in cyber incident
  18. Incident outcome (successful compromise, failed attempt, unknown)
  19. Incident/Compromise narrative
  20. Any additional information

DoD Contractors that are providing Cloud Services

For DoD Contractors providing Cloud Services on behalf of the Department of Defense, the DoD requires you to submit the following 16 items of information:

  1. Contract information to include contract number, USG Contracting Officer(s) contact information, contract clearance level, etc.
  2. Contact information for the impacted and reporting organizations as well as the MCND
  3. Details describing any vulnerabilities involved (i.e., Common Vulnerabilities and Exposures (CVE) identifiers)
  4. Date/Time of occurrence, including time zone
  5. Date/Time of detection and identification, including time zone
  6. Related indicators (e.g. hostnames, domain names, network traffic characteristics, registry keys, X.509 certificates, MD5 file signatures)
  7. Threat vectors, if known (see Threat Vector Taxonomy and Cause Analysis flowchart within the US-CERT Federal Incident Notification Guidelines)
  8. Prioritization factors (i.e. functional impact, information impact, and recoverability as defined flowchart within the US-CERT Federal Incident Notification Guidelines)
  9. Source and Destination Internet Protocol (IP) address, port, and protocol
  10. Operating System(s) affected
  11. Mitigating factors (e.g. full disk encryption or two-factor authentication)
  12. Mitigation actions taken, if applicable
  13. System Function(s) (e.g. web server, domain controller, or workstation)
  14. Physical system location(s) (e.g., Washington DC, Los Angeles, CA)
  15. Sources, methods, or tools used to identify the incident (e.g., Intrusion Detection System or audit log analysis)
  16. Any additional information relevant to the incident and not included above

Do you need further assistance?

For DoD contractors who need further consultation, please feel free to give us a call at (866) 583-6946, or read about our NIST 800-171 Services. We help DoD contractors and subcontractors all over the United States comply with DFARS using the NIST 800-171 cyber security framework.  

  • Contact Us for a Free Cybersecurity Consultation

    Learn how we can protect your company's data and help you become compliant.

    Free Consultation