Department of Defense contractors are subject to stringent security requirements in order to remain in compliance with regulatory guidelines. One of those compliance obligations focuses on notifying the DoD of cybersecurity incidents.
Contractors must meet guidelines spelled out in the Defense Federal Acquisition Regulation Supplement (DFARS), which requires contractors to adhere to the cybersecurity requirements published by the National Institute of Standards and Technology, specifically standard NIST SP 800-171.
The guidelines state that contractors need to provide adequate security across 14 categories of defense information stored in or sent by a contractor’s information management systems. If a cyber incident occurs, the contractor must alert the DoD about the company’s response and allow access to the affected media if necessary.
How Do The Regulations Define Cybersecurity Incidents?
The DFARS documentation defines a cyber incident as “actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.” The guidelines also address other aspects of a breach, including compromises (the disclosure of information to an unauthorized individual or violation of a system’s security policy) and counterfeit electronic parts.
A cyber incident may include a physical intrusion, such as when an unauthorized person gains direct access to facilities, documents or computers, including break-ins or thefts of equipment. Network and system breaches are usually remote online attacks by individuals or nation-states and can take the form of economic espionage, ransomware attacks or the introduction of malicious software.
When and How Do You Report Cyber Incidents?
DoD contractors and subcontractors are required to use system monitoring tools, implemented and managed either by their own IT department or by a managed IT services provider. When those tools detect a compromise or an attempted compromise of the contractor’s information systems, the DFARS reporting requirement is triggered.
What Information Is Required When Reporting a Cyber Incident?
Once it has been determined that a cyber incident has occurred, contractors are required to submit within 72 hours:
- A cyber incident report
- Any malicious software that’s been detected or isolated
- If requested, any media or access to information systems and equipment
The cyber incident report is an extensive document, requiring 20 items of information, including:
- Contact information
- Contract numbers and personnel related to the work being done for the DoD
- Contract and facility clearance level (unclassified, confidential, secret, top secret or not applicable)
- The impact to covered defense information
- Date and location of compromise
- Programs, platforms and systems involved
- Type of compromise (unauthorized access; unauthorized release, including inadvertent release; unknown; not applicable)
- Description of the technique or method used in the cyber incident
- The incident outcome (successful compromise, failed attempt, unknown)
- A narrative about the incident or compromise
For contractors that are providing cloud services, there are 16 items required in the report, including:
- Contract information, including contract number, staff contacts and contract clearance level
- Contact information for the impacted and reporting organizations
- Details about any vulnerabilities involved
- Date, time and time zone of the incident, its detection and its identification
- Related indicators, including hostnames, domain names, network traffic characteristics, registry keys, X.509 certificates and MD5 file signatures
- Threat vectors, if known
- Prioritization factors, such as the functional impact, information impact and recoverability as defined by federal guidelines
- Source and destination Internet Protocol (IP) address, port, and protocol
- Operating system(s) affected
- Mitigating factors, such as full disk encryption or two-factor authentication
- Mitigation actions taken, if applicable
- System function(s), such as web server, domain controller, or workstation
- Physical system location(s)
- Any sources, methods, or tools used to identify the incident, such as an intrusion detection system or audit log analysis
- Any additional information relevant to the incident
How Are Cyber Incidents Detected?
The best way to ensure that you’re compliant is to have strong layers of security that cover your networks, systems, endpoints and users. Those protections need to meet the standards required by the federal compliance mandates and provide for the rapid detection and reporting of incidents.
Integris offers extensive compliance assessments and solutions designed to keep your company in good standing with federal agencies. To learn more about why federal contractors turn to Integris for compliance adherence, contact us for a free, no-obligation initial consultation today.