Cyber Incident Reporting Requirements for Government Contractors

The Defense Industrial Base (DIB) consists of more than 100,000 federal contractors. It is critical in providing the U.S. Government with top-of-the-line defense and aerospace products, from design to production, delivery, and maintenance. However, the sensitive nature of the information held by the DIB has made it an enticing target for both nation-state adversaries and cybercriminals, who seek to exploit the data for nefarious purposes. This has posed a significant challenge for the federal government, whose national security interests are compromised when sensitive defense information is exposed to adversaries, and the DIB, which must balance fiduciary responsibilities with the increased costs associated with bolstering their cybersecurity defenses.
 
The Government, through the Federal Acquisition Regulations (FAR) and the Defense Federal Acquisition Regulations (DFARS), has attempted to address this issue through regulation, namely by requiring defense contractors to comply with DFARS 252.204-7012 – Safeguarding Covered Defense Information and Cyber Incident Reporting. This DFARS clause requires contractors and subcontractors (through mandatory flow-down clauses) to, among other things, safeguard covered defense information (CDI) and report cyber incidents that affect CDI. Compliance with this and other cyber-related clauses, including Cybersecurity Maturity Model Certification (CMMC), will become increasingly important for defense contractors. Especially as the Department of Justice’s (DOJ’s) Civil Cyber-Fraud Initiative takes aim at noncompliance with cyber standards within the DIB.[1]
 
Compliance with cyber reporting requirements requires an in-depth understanding of the statutory text, the threat environment, and the contractor’s security apparatus. This blog will address some of the more frequent concerns contractors within the DIB have with cyber reporting obligations and highlight some of the future possibilities for legislation and regulation in this area.

DFARS 252.204-7012

Generally, DFARS clause 252.204-7012 is generally required in all Department of Defense (DOD) contracts, except for contracts solely for acquiring Commercial Off-the-Shelf (COTS) items. The clause requires DOD contractors and subcontractors to safeguard covered defense information[2] by implementing the National Institute of Standards and Technology (NIST) 800-171 framework. The clause also requires contractors to rapidly report cyber incidents that affect CDI or the contractor’s ability to perform requirements designated as ‘operationally critical support.'[3] “Cyber incident,” as defined in the DFARS,

“means actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.”

Reportable incidents include those that affect CDI, controlled unclassified information (CUI), Controlled Technical Information (CTI), and export-controlled information, all of which should be marked in DOD contracts.
 
Collecting information on cyber incidents is important to the government’s mission of containing cyber threats and protecting critical infrastructure, such as the DIB. As such, the DOD expects contractors and subcontractors to rapidly report cyber incidents within 72 hours of discovery. Upon discovery of a reportable cyber incident, DOD expects contractors to conduct a review for evidence of compromised CDI. This review includes but is not limited to:

1. Identifying compromised computers, servers, specific data, and user accounts;
2. Isolating and submitting any malicious software found during the review; and
3. Analyzing information systems on the contractor’s networks that may have been accessed due to the incident.

DOD contractors must report as much information as possible through DIBNet, the Initial Collection Format.  

Submitting a report through DIBNet requires the contractor or subcontractor to have a DOD-approved Medium Token Assurance Certificate. Alternate reporting avenues exist for entities that still need to get a certificate.[4] As a best practice, subcontractors who suffer a reportable cyber incident should report it through DIBNet and to their primary contractor. 
 
In addition to the mandatory reporting requirements, DIBNet also operates a voluntary cyber incident reporting system, which encourages contractors to submit voluntary reports on:

1. Suspected Advanced Persistent Threat (APT) activity;
2. Compromises not impacting DOD information;
3. Targeted activity;
4. Vulnerability scanning and exploitation attempts;
5. Phishing email messages; and
6. Suspicious files, activity, or network traffic.[5]

Voluntary cyber reports encompass a wide array of threat indicators – who doesn’t receive at least a few phishing emails and/or texts daily? Nonetheless, they help improve the Government’s situational awareness of the threat landscape and should form a regular part of the contractor’s compliance program.

Possible Reporting Consequences

Given the breadth of information requested by the DOD in the Initial Collection Format, contractors have rightfully questioned whether the incident response submitted to DOD could later be used against the contractor as evidence of noncompliance with the NIST 800-171 framework. As outlined in the DFARS,

“A cyber incident that is reported by a contractor or subcontractor shall not, by itself, be interpreted as evidence that the contractor or subcontractor has failed to provide adequate security on their covered contractor information systems or has otherwise failed to meet the requirements of DFARS 252.204-7012."[6]

Also contained in the clause, however, is the provision stating that Contracting Officers (COs) will consider cyber incidents “in the context of an overall assessment of a contractor’s compliance with DFARS 252.204-7012."[7] This provision, coupled with the enhanced enforcement stance of the DOJ, can lead to, at the very minimum, a negative Contractor Performance Assessment Reporting System (CPARS) rating or, at worst, the basis of a False Claims Act suit against the contractor that misrepresented their compliance with NIST 800-171 when they were awarded the contract.  
 
Only some cyber incidents reported through DIBNet will result in an adverse action, as even contractors with the most robust cybersecurity environment will eventually experience a data breach. Adherence to the NIST 800-171 framework, with appropriate System Security Plans and Plans of Action and Milestones in place for any controls not yet attained, a solid cybersecurity incident response plan, and rapid reports of cybersecurity incidents through DIBNet will showcase the reasonableness of contractor actions in the event of any breach.

Cyber Incident Reporting for Critical Infrastructure Act of 2022

In March 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). CIRCIA essentially requires covered entities to report to the Cybersecurity and Infrastructure Security Agency (CISA) covered cyber incidents and ransomware payments. “Covered entities,” as defined by CIRCIA, are public and private organizations within industry sectors considered to be critical infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the U.S. that their incapacitation or destruction would have a debilitating effect on national security, national economic security, national public health or safety, or any combination thereof.[8] Presidential Policy Directive-21, signed by President Obama in 2013, designated several sectors within the U.S. economy as “critical infrastructure,” including communications, critical manufacturing, the Defense Industrial Base, financial services, and transportation systems.
 
CIRCIA requires covered entities to rapidly report covered cyber incidents to CISA within 72 hours of discovery, essentially the same timeline prescribed under DFARS 252.204-7012. “Covered Cyber Incident” under CIRCIA remains undefined and is likely to be defined following CISA’s release of its upcoming Notice of Proposed Rulemaking (NPRM), which is required to be published in the Federal Register no later than March 2024.[9]

How CIRCIA Will Affect Cyber Reporting Requirements for Defense Contractors

Although CIRCIA was signed into law by President Biden well over a year ago, its reporting requirements for covered entities are not yet mandatory. CISA, in collaboration with other governmental and private sector entities, is currently working on a draft NPRM assessing how the legislation will be practically implemented. At this point, it is unclear how CIRCIA’s mandatory reporting requirements will affect critical infrastructure sectors already subject to reporting requirements with other regulators. Government contractors already subject to the same 72-hour reporting requirements under DFARS 252.204-7012 could be subject to additional reporting requirements. However, it is also possible that a shared reporting mechanism will be developed among regulators for critical infrastructure entities subject to similar timeframes. Importantly, covered entities, and any other interested members of the public, will have an opportunity to review and provide comments on CISA’s planned implementation of CIRCIA when the NPRM is published in early 2024. Government contractors with questions or concerns should utilize the comment period to assist CISA in shaping the future regulatory environment.

Reporting Requirements for Government Contractors Under CMMC

The CMMC framework will soon be a requirement for federal contractors hoping to compete for lucrative DOD contracts. The current iteration of CMMC, CMMC 2.0, introduces three increasingly progressive levels of cybersecurity that contractors must meet depending on the type of contract they wish to compete for, along with the type of information DOD typically shares with the contractor through the acquisition process (CUI or FCI). Currently undergoing 32 CFR rulemaking, CMMC 2.0’s requirements are subject to change. Located in a draft CMMC Assessment Guide for Level 2 compliance, however, are draft Incident Response requirements for contractors undergoing assessments through certified third-party assessor organizations.[10]
 
CMMC 2.0 envisions third-party assessment organizations testing federal contractors on their incident response plans. The assessment may include incident handling procedures, incident reporting procedures, and incident response testing.[11] Whether CMMC 2.0 will include the DFARS requirement that cyber incidents affecting CDI be reported within 72 hours of discovery is currently unknown. However, it can be assumed that the 72-hour timeframe will be maintained to stay in harmony with CIRCIA and previous DIB reporting practices. 

Conclusion

Incident response planning is quickly becoming a necessary step in the compliance ladder for federal contractors. An effective incident response plan should outline the organization's procedures for detecting, investigating, containing, and mitigating the impact of cyber incidents. It should also include clear communication protocols to ensure that all relevant stakeholders are informed promptly of any incident. Currently, federal contractors with CDI on their systems are required to report cyber incidents within 72 hours of discovery. This timeline is relatively short, so having a proper incident response plan is critical to mitigate any losses due to the breach and ensure all required information is promptly submitted to DOD through DIBNet. The speed and thoroughness of the response will be crucial factors that the DOD considers when it makes determinations regarding CPARS ratings, debarment, or possible referral to the DOJ’s Civil Cyber-Fraud Initiative.
 
While the cybersecurity requirements may seem burdensome, they are essential for protecting national defense interests, and compliance is required for companies participating in the sector. Hardened cybersecurity environments, speedy incident reporting, and adequate planning are necessary to protect critical defense information. Evolving regulatory frameworks and legislative enactments will continue to affect reporting channels, requirements, and timelines for defense contractors. With decades of service in defense and intelligence, attorneys at Whitcomb Selinsky, PC are uniquely positioned to support your cybersecurity and incident response needs. Whether developing or reviewing a cybersecurity program, preparing government bids with cybersecurity considerations, or responding to cyber incidents, our attorneys can support your company’s cybersecurity, data privacy, and government contracting needs. 

Contact our firm today calling our Denver office at (303) 534-1958 by reaching us through our online form.

[1] “For too long, companies have chosen silence under the mistaken belief that it is less risky to hide a breach than to bring it forward and to report it,” said Deputy Attorney General Monaco. “Well, that changes today. We are announcing today that we will use our civil enforcement tools to pursue companies, those who are government contractors who receive federal funds, when they fail to follow required cybersecurity standards — because we know that puts all of us at risk. This is a tool that we have to ensure that taxpayer dollars are used appropriately and guard the public fisc and public trust.” https://www.justice.gov/opa/pr/deputy-attorney-general-lisa-o-monaco-announces-new-civil-cyber-fraud-initiative  (last accessed Mar. 22, 2023).

[2] Defined as unclassified controlled technical information (“CTI”) or controlled unclassified information (“CUI”) and is either marked in the contract by DOD or collected/developed/stored/received/transmitted/used by the contractor in performance of the contract.

[3] Operationally critical support is defined as supplies/services designated by the Government as

critical for airlift, sealift, intermodal transportation services, or logistical support that is essential to

the mobilization, deployment, or sustainment of the Armed Forces in a contingency operation. https://business.defense.gov/Portals/57/Safeguarding%20Covered%20Defense%20Information%20-%20The%20Basics.pdf (last accessed Apr. 20, 2023).

[4] A step-by-step guide to obtaining a Medium Token Assurance Certificate can be found at https://icf.dib.mil/my.policy (last accessed Apr. 20, 2023).

[5] https://dibnet.dod.mil/portal/intranet/#faq-6 (last accessed Apr. 20, 2023).

[6] DFARS 204.7302(d).

[7] Id.

[8] https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil (last accessed Apr. 26, 2023).

[9] https://www.cisa.gov/topics/cyber-threats-and-advisories/information-sharing/cyber-incident-reporting-critical-infrastructure-act-2022-circia (last accessed May 3, 2023).

[10] https://dodcio.defense.gov/Portals/0/Documents/CMMC/AG_Level2_MasterV2.0_FINAL_202112016_508.pdf at 132.

[11] Id. at 132-139.