On January 27th, 2017 the DoD published the “Network Penetration Reporting and Contracting for Cloud Services (DFARS Case 2013-D018) Frequently Asked Questions (FAQs) regarding the implementation of DFARS Subpart 204.73 and PGI Subpart 204.73, DFARS Subpart 239.76 and PGI Subpart 239.76.”
This is a mouthful. And you might ask, “Why should I care?” The answer: because you’re one of the thousands of Defense Industrial Base (DIB) contractors working to meet DoD cybersecurity requirements.
DFARS Case 2013-D018 acted as an update to DFARS 252.204-7012, the foundational clause for federal cyber requirements in the United States. In turn, PGI stands for “Procedures, Guidance, and Information” and was written to provide direction to members of the government’s acquisition community. PGI 204.73, “Safeguarding Covered Defense Information and Cyber Incident Reporting,” lists this FAQ as a place to find information on how to implement the cybersecurity controls detailed in DFARS and other foundational documents.
In other words, this FAQ collects questions of interest pertaining specifically to the details of the governing cyber regulations. It includes questions like, “What is the relationship between Controlled Unclassified Information (CUI) and Covered Defense Information (CDI)?” “Is information identified as FOUO considered CDI?” and “Must all cryptography used in covered information systems be FIPS validated?” These questions and many others, along with their responses, provide key insights into federal cyber requirements, as well as into the expectations for their implementation.
DCG has been highlighting discussions of interest detailed in the Network Penetration Reporting FAQ. Check out our fourth installment below, where we discuss questions surrounding incident response.
Q44: What should the contractor do when they do not have all the information required by the clause within 72 hours of discovery of any cyber incident?
A44: When a cyber incident is discovered, the contractor/subcontractor should report whatever information is available to the DIBNet portal (https://dibnet.dod.mil) within 72 hours of discovery. If the contractor/subcontractor does not have all the information required on the Incident Collection Form (ICF) at the time of the report, the contractor should submit a follow-on report when additional information becomes available.
For most incidents, 72 hours is actually a very short timeline. Often, information will be scarce or still being pieced together. As the old Navy adage goes, “the first report is always wrong.” You still have a responsibility to report within this time frame. It is normal for the details of a report to change, or even for your understanding of the gravity of the incident to evolve as time goes on. We highly recommend that you meet these reporting timelines regardless of how much information is available at the time.
Q45: What happens when the contractor submits a cyber incident report?
A45: When a cyber incident report is submitted to DoD via https://dibnet.dod.mil, the DoD Cyber Crime Center (DC3) reviews the report, provides a copy to the Contracting Officer(s) identified on the report, and conducts analysis to identify trends. The contracting officer is directed in the DFARS Procedures, Guidance and Information (PGI) 204.7303-3 to provide the cyber incident report to the required activities whose contracts were affected. The DoD Cyber Crime Center (DC3) serves as the DoD operational focal point for receiving cyber incident reporting.
There are two kinds of reports that a contractor can make to the DoD in the portal. The first is a voluntary report. It asks for the same information as a mandatory report; however, it is used when the incident is considered not to affect CDI. The second is a mandatory report, which is made in reference to a system that processes, handles, or stores CUI. If the contractor is unsure whether CUI is involved in the incident, consider a voluntary report in order to meet your 72-hour requirement. Update the DoD when it becomes apparent that CUI was involved in the incident.
The majority of this posting was extracted from the DoD FAQ regarding regulations on contractor cybersecurity, which is posted here, and linked directly out of DFARS/PGI as clarifying information on the regulations. Have a Q/A from the FAQ you'd like us to dive into? Let us know at email@example.com.