One requirement that often gets overlooked by companies subject to Defense Federal Acquisition Requirement Supplement (DFARS) Covered Defense Information (CDI) protection requirements is the Cyber Incident Reporting regulation. Part of 252.204-7012, the reporting requirement often gets glossed over as prime and subprime contractors are distracted with implementing the security requirements of NIST Special Publication 800-171 as required in 252.204-7008.
In short, 7012 requires any company in the possession of CDI to “rapidly report” any “cyber incidents” to the Department of Defense office of the CIO through DIBnet. “Rapidly report” is defined as within 72 hours of discovery of the incident. It should be noted that the ability to submit a cyber incident report requires a DoD-approved medium assurance certificate. Procuring a medium assurance certificate takes some time, so do not assume you can procure one after an incident has taken place and still meet the 72-hour requirement as defined in clause 7012.
Subcontractors are required to notify the prime contractor or next higher-up subcontractor of the incident and to provide them with the incident report number.
If you are subject to 252.204-7012, you should have a Cyber Incident Reporting policy and procedure in place, along with a medium assurance certificate, so if the unspeakable occurs, you are not going to place your contract in jeopardy.