RGCI - Cyber Incident Reporting For GovCon

Since Russia's invasion of Ukraine, there has been a significant increase in cyber-attacks reported around the world. The U.S. Government is concerned not only about attacks on U.S. companies such as banks, power companies, and fuel suppliers, but also about attacks on defense contractors. President Biden has issued multiple warnings to companies, including defense contractors, about looming cyber-attacks.

Most cyber incidents within a company begin with an employee action, and the shift to working from home has probably increased that exposure. Among the most common entry points are phishing emails carrying a link or an attachment. The email looks legitimate, carries the company logo, and asks the employee to click a link or download an attachment. The link leads to a fake website that captures the employee's credentials or delivers malware, giving an adversary access to company information; opening the attachment can execute malicious code on the employee's system and from there on the company network.

Additionally, the open Wi-Fi offered by many businesses does not encrypt traffic between the device and the access point, so anyone on the same network can observe it. This is another weakness, especially when employees read email over such networks without a VPN or a connection protected by TLS. Outdated software and weak passwords also create risk of cyber incidents.

So, what does this mean for contractors and subcontractors?

If you hold a DoD contract or subcontract, whether it was awarded competitively, through negotiation, or as a commercial item acquisition under FAR Part 12, the clause at DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, is included in your contract. The clause is not required in solicitations and contracts solely for commercially available off-the-shelf (COTS) items.

This clause requires contractors and subcontractors to rapidly report cyber incidents to DoD. DFARS 252.204-7012 defines "rapidly report" as within 72 hours of discovery of the cyber incident. Seventy-two hours is not a lot of time. Within that window the contractor must determine whether the incident affects covered defense information, the contractor's information system containing it, or its ability to provide operationally critical support, and what information in the system was compromised, in order to report the incident fully.

A company will rarely have all the information needed to report a cyber incident within that window. The Government's expectation is that contractors and subcontractors report as much as is known through the DoD reporting portal at https://dibnet.dod.mil within 72 hours of discovering the incident, and then update the report as more information becomes available. Note that submitting a report requires a DoD-approved medium assurance certificate, which takes time to obtain; get one before you need it. The information required to report a cyber incident is listed below.

  1. Company name
  2. Company point of contact information (address, position, telephone, email)
  3. Data Universal Numbering System (DUNS) Number
  4. Contract number(s) or other type of agreement affected or potentially affected
  5. Contracting Officer or other type of agreement point of contact (address, position, telephone, email)
  6. USG Program Manager point of contact (address, position, telephone, email)
  7. Contract or other type of agreement clearance level (Unclassified, Confidential, Secret, Top Secret, Not applicable)
  8. Facility CAGE code
  9. Facility Clearance Level (Unclassified, Confidential, Secret, Top Secret, Not applicable)
  10. Impact to Covered Defense Information
  11. Ability to provide operationally critical support
  12. Date incident discovered
  13. Location(s) of compromise
  14. Incident location CAGE code
  15. DoD programs, platforms or systems involved
  16. Type of compromise (unauthorized access, unauthorized release (includes inadvertent release), unknown, not applicable)
  17. Description of technique or method used in cyber incident
  18. Incident outcome (successful compromise, failed attempt, unknown)
  19. Incident/Compromise narrative
  20. Any additional information

Contractors should have a process in place for identifying and reporting cyber incidents. The clause also requires the contractor to preserve and protect images of all known affected information systems and all relevant monitoring and packet capture data for at least 90 days from submission of the report, so that DoD can request the media for damage assessment. Higher-tier contractors must also track incident reports received from lower-tier subcontractors by the DoD-assigned incident report number.

While a reporting process is important, it is equally important that companies have security controls in place to prevent cyber-attacks. Companies should invest in security awareness training for employees, apply software updates promptly, enforce strong password standards and multi-factor authentication, and test employees with exercises such as simulated phishing campaigns (similar to a fire drill). The goal is to prevent a breach that compromises your systems, steals competitive information, or forces you to shut down the network to recover it.

Even if you handle no controlled unclassified information (CUI) and think you are not required to report cyber incidents to the government, President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 into law on March 15, 2022. The Act creates a new reporting requirement that will likely apply to businesses in every critical infrastructure sector, including health care, financial services, energy, transportation, and commercial facilities. Once implemented through future rulemaking, it is expected to require covered entities to report a covered cyber incident to CISA no later than 72 hours after the entity reasonably believes the incident occurred, and to report any ransom payment within 24 hours.

Redstone GCI can provide clients with trusted referrals to established, industry-leading partners who can assist in fulfilling cybersecurity compliance requirements, including but not limited to penetration testing, incident response, security assessments, and Plans of Action and Milestones (POA&Ms) for the information technology infrastructure. Together with our trusted partners, Redstone GCI can deliver a complete solution covering cybersecurity policy and flow-down requirements, including purchasing policy requirements.

Written by Lynne Nalley, CPA

Lynne Nalley, CPA

Lynne is a Director with Redstone Government Consulting, Inc. providing government contract consulting services to our clients primarily related to Commercial Item Determinations and support, Cost Accounting Standards, DFARS Business System Audits, Proposals, and Incurred Cost. Prior to joining Redstone Government Consulting, Lynne served in several capacities with DCAA and DCMA for over 35 years.

Professional Experience

Lynne began her career working with DCAA in the Honeywell Resident Office, Clearwater, FL in 1984. Lynne's experience included various positions which involved conducting or reviewing forward proposals or rate audits, financial capability audits, progress payments, accounting and estimating systems, cost accounting standards, claims and disclosure statement reviews. She is an expert in FAR, DFARS, CAS and testified as an expert witness. Lynne assisted in drafting the commercial item guidance for DCAA Headquarters. Lynne was assigned as a Regional Technical Specialist where she provided guidance to 20 field offices on highly complex or technical issues relative to forward pricing, financial capability or progress payment issues. As an Assistant for Quality, she was involved in reviewing and ensuring audit reports were in compliance with policy and GAGAS as well as made NASBA certified presentations to the staff including but not limited to billing reviews, CAS, unallowable cost and progress payments.

To enhance her experience in government contracting, Lynne accepted a position with DCMA in 2015 as part of the newly organized DCMA Cadre of Experts in the Commercial Item Group. This included performing reviews of prime contractor's assertions and/or commercial item determinations as well as performing price analyses. Lynne was a project lead and later became a lead analyst where she engaged with the buying commands on requests and reviewed price analysis reviews performed by a team of 5 analysts. She also assisted the DCMA CPSR team relative to commercial items and co-instructed the Commercial Item Training presented to DCMA.

Education

Lynne earned a Bachelor of Science Degree in Accounting from the University of Central Florida.

Certifications

State of Florida Certified Public Accountant
State of Alabama Certified Public Accountant
Defense Acquisition Workforce Improvement Act (DAWIA) Level III - Auditing
DAWIA Level III - Contracting

About Redstone GCI

Redstone GCI is a consulting firm focused on fulfilling the needs of government contractors in all areas of compliance. With a singular mission to help contractors through the multiple layers of “red tape,” we allow contractors to focus on what they do best – support their mission with the U.S. Government. We are home to a group of consultants made up of GovCon industry professionals, CPAs, attorneys, and retired government audit and acquisition professionals.

Our focus and knowledge of audit and compliance functions administered by DCAA and DCMA will always be at the heart of what we do. However, for the past decade, we’ve strategically grown to support other areas of the government contractor back-office with that same level of focus and expertise. We’ve added expertise in contracts management, subcontract administration, proposal pricing, various software systems, HR and employment law, property administration, manufacturing, data analytics/reporting, Grant specialists, M&A, and many other areas. When we see a trend in the needs of contractors, we act to ensure we can provide the best expertise in the market to fulfill those needs.

One thing our clients can be certain of is that with the Redstone GCI Team in your corner, there is no problem too big and no issue too technical for our team to tackle.

Topics: DFARS Business Systems, Contractor Purchasing System Review (CPSR), Cybersecurity