Cyber Incident Reporting: A frequently overlooked DFARS requirement
An overlooked component of DFARS 252.204–7012 compliance is cyber incident reporting.
Many companies become distracted by the list of 110 security controls in NIST SP 800–171 and miss part (c) of the DFARS clause.
(c) Cyber Incident Reporting Requirement
(1)(ii) Rapidly report cyber incidents to DoD at https://dibnet.dod.mil.
-Excerpts from DFARS 252.204–7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (DEC 2019)
Reporting a cyber incident is not a simple process. It requires careful preparation, time, and of course, money.
Obtain: DIBNet requires a medium assurance certificate (or a CAC) to report a cyber incident.
Investigate: determine affected parts of your system.
Report: report cyber incidents within 72 hours.
Obtain.
Before you can report an incident to DIBNet, you must verify your identity. That process requires a medium assurance certificate from an External Certificate Authority (ECA). A third party must verify your identity and grant the certificate. After all, you wouldn’t want an adversary to impersonate you to the Government.
This process is important, but it also takes time and money. You will miss the 72-hour reporting window if you don’t have an ECA certificate beforehand.
Investigate.
Following an incident, you must investigate to find the affected part(s) of your system. Are computers compromised? Servers? Cloud resources?
This will take advance preparation. Do you have someone with the right technical knowledge to do this?
Do you have an Incident Response Plan? If not, this is a good time to create one. It’s also required for NIST SP 800–171 compliance (see section 3.6).
Investigating an incident will take time and money. It’s best to prepare ahead of time so you don’t miss the 72-hour reporting window.
Report.
“Rapidly report” means within 72 hours of discovery of any cyber incident.
-Excerpts from DFARS 252.204–7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (DEC 2019)
The clause requires that you report a cyber incident within 72 hours of discovery. Three days is not much time. Preparation is key. Develop an Incident Response Plan that makes sense for your company. Be sure to have an ECA certificate. Otherwise, meeting the rapid report window will be impossible.
Information that’s needed when reporting a cyber incident can be found on the DIBNet website: https://dibnet.dod.mil/portal/intranet/#reporting-2