Due to the obvious cost and resources required, the implementation of the NIST SP 800-171 security requirements is receiving the majority of attention; however, the requirements for incident reporting cannot be ignored. This is especially true for the prime on a contract, who is responsible for ensuring that the language from DFARS clause 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting) is included in subcontracts, and for requiring subcontractors to rapidly report incidents.
There are other aspects of the cybersecurity incident reporting process that must be understood and included in a contractor’s incident response processes. For example, if malware is determined to be involved in the incident, samples of the malware must be provided to the government. The contracting officer should be contacted for additional submission information; however, the basic procedures for malware submission are available from the USD(AT&L) Defense Procurement and Acquisition Policy web site: http://www.acq.osd.mil/dpap/pdi/docs/Instructions_for_Malware_Submission.docx. In addition to malware samples, contractors are required to preserve and protect images of all known affected information systems, and all relevant monitoring data (firewall/IDS/IPS/malware detection systems/etc.), for at least 90 days from the incident submission. The resources required to collect and store this data can be significant and so must be allocated in an incident response plan. The final aspect is the possibility of government requests for additional access to contractor information systems as part of their forensic analysis of the incident.
Contractors will need to carefully consider the effects of the cyber incident reporting processes on their information systems and processes, and make decisions on how best to manage their IS. This becomes critical if your IT supports both commercial work and government contract work on the same infrastructure. A question that each company will need to answer is “What are the possible effects on your commercial work (or other government contracted work) if the government comes requesting additional information to investigate a cyber incident?”
It would be best to ask yourself that question now, while you have time to consider it, and before the clock starts ticking down on that 72-hour reporting window.