Since the recent Russian invasion of Ukraine, there has been a significant increase in cyber-attacks reported across the world. While the U.S. Government is concerned about attacks on U.S. companies such as banks, power companies and fuel suppliers, it is also concerned about defense contractors. President Biden has issued multiple warnings to companies, including defense contractors, about looming cyber-attacks.
The majority of cyber-attacks within a company originate with employees, and the risk has probably grown with the increase in the number of employees working from home. Some of the most common breaches start with emails containing a link to click or an attachment to download. Employees receive an email that looks real, carries the company logo and asks them to click a link or download an attachment. The link leads to a fake website that, once visited, can give an adversary access to company information, and downloading the attachment can install malicious code or a virus on your system.
Additionally, free Wi-Fi at businesses does not encrypt data, so this is another weakness in security, especially when employees access email on unsecured networks. Outdated software and weak passwords also create risk of cyber incidents.
So, what does that mean to contractors and subcontractors?
If you have a government contract or subcontract, whether it is competitive, negotiated, or commercial (FAR Part 12), the DFARS 252.204-7012 clause, Safeguarding Covered Defense Information and Cyber Incident Reporting, is included in your contract. The clause is not required in solicitations for commercially available off-the-shelf (COTS) items.
This clause requires contractors and subcontractors to rapidly report cyber incidents to DoD. DFARS 252.204-7012 defines "rapidly report" as within 72 hours of discovering the cyber incident. Seventy-two hours is not a lot of time for reporting an incident. We see 72 hours as a limited period because, to report fully, the contractor must determine whether the cyber incident affects covered defense information, the system containing it, or the ability to perform on the contract, and what information in the system was compromised.
While a company may not have all the information necessary to report the cyber incident, the Government's expectation is that contractors and subcontractors report as much of the information as is known through the DoD website within 72 hours of discovering the cyber incident, and then update the report as more information becomes available. Listed below is the information required for reporting a cyber incident.
- Company name
- Company point of contact information (address, position, telephone, email)
- Data Universal Numbering System (DUNS) Number
- Contract number(s) or other type of agreement affected or potentially affected
- Contracting Officer or other type of agreement point of contact (address, position, telephone, email)
- USG Program Manager point of contact (address, position, telephone, email)
- Contract or other type of agreement clearance level (Unclassified, Confidential, Secret, Top Secret, Not applicable)
- Facility CAGE code
- Facility Clearance Level (Unclassified, Confidential, Secret, Top Secret, Not applicable)
- Impact to Covered Defense Information
- Ability to provide operationally critical support
- Date incident discovered
- Location(s) of compromise
- Incident location CAGE code
- DoD programs, platforms or systems involved
- Type of compromise (unauthorized access, unauthorized release (includes inadvertent release), unknown, not applicable)
- Description of technique or method used in cyber incident
- Incident outcome (successful compromise, failed attempt, unknown)
- Incident/Compromise narrative
- Any additional information
Contractors should ensure they have a system in place for identifying and reporting cyber incidents. Higher-tier contractors must also track incident reports received from lower-tier contractors that reported cyber incidents, by the DoD-assigned incident report number.
While a reporting system is important, it is equally important for companies to ensure they have security controls in place to prevent cyber-attacks. Companies should invest in security training for employees, ensure software is updated promptly, enforce strong password standards, and test employees with exercises (similar to a fire drill). You want to prevent a breach that compromises your system, steals competitive information, or forces you to shut down the computer network to recover the system.
While you may think you are not required to report cyber incidents to the government if you do not have CUI data, President Biden signed the Cyber Incident Reporting Act into law on March 15, 2022. This law contains a new cybersecurity reporting requirement that will likely apply to businesses in every major sector, including health care, financial services, energy, transportation, and commercial facilities. The Act, when implemented through future rulemaking, is likely to require any covered entity to report a covered cyber incident no later than 72 hours after the cyber incident occurred.
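As an added illustration (not code from the original post or from DFARS), the following Python sketch models the reporting workflow described above: the 72-hour clock running from discovery, a first report that may carry "unknown" values and is updated later without overwriting what was originally submitted, and a higher-tier ledger keyed by the DoD-assigned report number. The snake_case field names, the `demo()` sample data and the `PLACEHOLDER` identifiers are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Names/values follow the DFARS 252.204-7012 list above; only REQUIRED_FIELDS must be known at first.
CLEARANCE_LEVELS = {"Unclassified", "Confidential", "Secret", "Top Secret", "Not applicable"}
COMPROMISE_TYPES = {"unauthorized access", "unauthorized release", "unknown", "not applicable"}
OUTCOMES = {"successful compromise", "failed attempt", "unknown"}
ENUM_FIELDS = {"clearance_level": CLEARANCE_LEVELS, "compromise_type": COMPROMISE_TYPES, "outcome": OUTCOMES}
REQUIRED_FIELDS = ("company_name", "poc", "duns", "contract_numbers", "date_discovered")
RAPID_REPORT_WINDOW = timedelta(hours=72)

@dataclass
class IncidentReport:
    fields: dict
    history: list = field(default_factory=list)  # every submission kept as a snapshot

    def deadline(self) -> datetime:
        return self.fields["date_discovered"] + RAPID_REPORT_WINDOW  # clock starts at discovery

    def validate(self) -> list:
        problems = [f"missing {name}" for name in REQUIRED_FIELDS if not self.fields.get(name)]
        for name, allowed in ENUM_FIELDS.items():
            value = self.fields.get(name)
            if value is not None and value not in allowed:
                problems.append(f"{name}: {value!r} not one of {sorted(allowed)}")
        return problems

    def submit(self, now: datetime) -> dict:
        if problems := self.validate():
            raise ValueError("; ".join(problems))
        entry = {"submitted": now, "on_time": now <= self.deadline(), "snapshot": dict(self.fields)}
        self.history.append(entry)  # later updates never overwrite what DoD was told at 72 h
        return entry

def overdue_lower_tier(ledger: dict, now: datetime) -> list:
    # Higher-tier view: ledger maps DoD-assigned report number -> lower-tier IncidentReport.
    return [num for num, rep in ledger.items() if not rep.history and now > rep.deadline()]

def demo() -> dict:
    """Constructed walk-through: partial first report inside 72 h, then an update on day 5."""
    t0 = datetime(2022, 4, 1, 9, 0, tzinfo=timezone.utc)  # constructed discovery time
    rep = IncidentReport({"company_name": "Example Sub LLC", "poc": "sec@example.invalid",
                          "duns": "000000000", "contract_numbers": ["CONTRACT-PLACEHOLDER"],
                          "date_discovered": t0, "compromise_type": "unknown", "outcome": "unknown"})
    unfiled = overdue_lower_tier({"DOD-NUMBER-PLACEHOLDER": rep}, t0 + timedelta(days=4))
    first = rep.submit(t0 + timedelta(hours=60))
    rep.fields.update(compromise_type="unauthorized access", outcome="successful compromise")
    second = rep.submit(t0 + timedelta(days=5))
    return {"unfiled_overdue": unfiled, "first_on_time": first["on_time"],
            "second_on_time": second["on_time"], "first_type": first["snapshot"]["compromise_type"]}
```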
Redstone GCI can provide our clients with trusted referrals to established, industry-leading partners who can assist in fulfilling numerous cybersecurity compliance requirements, including but not limited to penetration testing, incident response, security assessments and POA&M (plan of action and milestones) work around the information technology infrastructure. Redstone GCI, along with our trusted partners, can bring you a full solution for ensuring that cybersecurity policy and flow-down requirements across all aspects of the business are met, including but not limited to purchasing policy requirements.