How To Report Cybersecurity Incidents Working With The DoD

June 17, 2019

Department of Defense contractors are subject to stringent security requirements in order to remain in compliance with regulatory guidelines. One of those compliance obligations focuses on notifying the DoD of cybersecurity incidents.

Contractors must meet guidelines spelled out in the Defense Federal Acquisition Regulation Supplement (DFARS), which requires contractors to adhere to the cybersecurity requirements published by the National Institute of Standards and Technology, specifically NIST SP 800-171.

The guidelines state that contractors need to provide adequate security across 14 categories of defense information stored in or sent by a contractor’s information management systems. If a cyber incident occurs, the contractor must alert the DoD about the company’s response and allow access to the affected media if necessary.

How Do The Regulations Define Cybersecurity Incidents?

The DFARS documentation defines a cyber incident as “actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.” The guidelines also address other aspects of a breach, including compromises (the disclosure of information to an unauthorized individual or violation of a system’s security policy) and counterfeit electronic parts.

A cyber incident may include a physical intrusion, such as when an unauthorized person gains direct access to facilities, documents or computers, including break-ins or thefts of equipment. Network and system breaches are usually remote online attacks by individuals or nation-states and can take the form of economic espionage, ransomware attacks or the introduction of malicious software.

When and How Do You Report Cyber Incidents?

DoD contractors and subcontractors are required to use system monitoring tools, whether implemented and managed by their own IT department or by a managed IT services provider. When those tools detect a compromise or an attempted compromise of the contractor's information systems, the DFARS reporting requirement is triggered.

What Information Is Required When Reporting a Cyber Incident?

Once it has been determined that a cyber incident has occurred, contractors are required to submit within 72 hours:

  • A cyber incident report
  • Any malicious software that’s been detected or isolated
  • If requested, any media or access to information systems and equipment

The cyber incident report is an extensive document, requiring 20 items of information, including:

  • Contact information
  • Contract numbers and personnel related to the work being done for the DoD
  • Contract and facility clearance level (unclassified, confidential, secret, top secret or not applicable)
  • The impact to covered defense information
  • Date and location of compromise
  • Programs, platforms and systems involved
  • Type of compromise (unauthorized access, unauthorized release (includes inadvertent release), unknown, not applicable)
  • Description of the technique or method used in the cyber incident
  • The incident outcome (successful compromise, failed attempt, unknown)
  • A narrative about the incident or compromise

For contractors that are providing cloud services, there are 16 items required in the report, including:

  • Contract information, including contract number, staff contacts and contract clearance level
  • Contact information for the impacted and reporting organizations
  • Details about any vulnerabilities involved
  • Date, time and time zone of incident, detection and identification
  • Related indicators, including hostnames, domain names, network traffic characteristics, registry keys, X.509 certificates and MD5 file signatures
  • Threat vectors, if known
  • Prioritization factors, such as the functional impact, information impact and recoverability as defined by federal guidelines
  • Source and destination Internet Protocol (IP) address, port, and protocol
  • Operating system(s) affected
  • Mitigating factors, such as full disk encryption or two-factor authentication
  • Mitigation actions taken, if applicable
  • System function(s), such as web server, domain controller, or workstation
  • Physical system location(s)
  • Any sources, methods, or tools used to identify the incident, such as an intrusion detection system or audit log analysis
  • Any additional information relevant to the incident

How Are Cyber Incidents Detected?

The best way to ensure that you’re compliant is to have strong layers of security that cover your networks, systems, endpoints and users. Those protections need to meet the standards required by the federal compliance mandates and provide for the rapid detection and reporting of incidents.

Integris offers extensive compliance assessments and solutions designed to keep your company in good standing with federal agencies. To learn more about why federal contractors turn to Integris for compliance adherence, contact us for a free, no-obligation initial consultation today.
