Race to Report: How to Triage a DFARS Cybersecurity Incident

Cybersecurity and Privacy Alert

Client Alert


“Triage – to assign degrees of urgency and decide the order of treatment.”

A U.S. Department of Defense (DoD) cybersecurity incident must be reported within 72 hours of discovery, and there is a litany of information that must be gathered, assessed and reported – but it can be accomplished with the help of informational triage.

Actual triage doesn’t begin at the time of an event; rather, it begins with advance planning and policies for critical events, which are deployed when an event occurs.

Informational triage for a DoD cybersecurity incident is no different; prepare for the inevitable, and when an event happens focus solely on what is specifically required to meet the 72-hour reporting deadline.

What is a DFARS cybersecurity incident?

A DFARS cybersecurity incident arises under the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7000 et seq., which became effective December 31, 2017.

There are multiple forms of cybersecurity incidents, including physical intrusions and network/system breaches. A physical intrusion can include direct access by an unauthorized person to controlled facilities, documents or computers. This can include criminal break-ins or theft of equipment.

A network/systems breach is typically a remote online intrusion, often conducted for the purpose of economic espionage, insertion of malicious software, cloud-based attack or market disruption. Some nation states engage in political espionage and virtual trade disputes. Others actively engage in cyberwar against geopolitical targets.

What is required?

As noted, a DoD cybersecurity incident must be reported within 72 hours of discovery. By any standard that is an exceedingly short investigative period. Additionally, any malicious software must be provided to the DoD Cyber Crime Center, with the affected system and monitoring data preserved and accessible for 90 days for forensic analysis. A subcontractor must also provide notice to its prime contractor (or next higher-tier subcontractor).

Who is covered?

The intent of the DFARS regulations and reporting is to protect national security data and networks from cybersecurity threats. More specifically, the intent is to protect Controlled Unclassified Information – commonly referred to as “CUI” – and defense information on systems that support the performance of DoD contracts.

As a result, any contractor that stores CUI on its servers in support or performance of a DoD contract is subject to the DFARS, as is any contractor who has access/connectivity to DoD networks or systems. In fact, prime contractors must "flow down" DFARS requirements to subcontractors, and subcontractors must notify the prime contractor when submitting a request to a DoD contracting officer to vary from the cybersecurity standards.

What is CUI and/or CDI?

CUI is information which is export controlled or restricted under U.S. export control laws or regulations. Covered Defense Information, or “CDI,” is CUI that is either identified by DoD, or developed, received, collected, transmitted or stored by or on behalf of the DoD, and which has certain controlled distribution markings.

What is NIST?

NIST stands for National Institute of Standards and Technology, which publishes standards, guidelines, recommendations, and research on computer and cybersecurity.

DFARS-covered systems must comply with NIST Special Publication (SP) 800-171, which establishes certain minimum cybersecurity requirements related to access control, awareness training, audit accountability, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communication protection, and system and information integrity. Significantly, there is no exception for cloud-based services operated on behalf of government.

How do you make a DFARS cyber-incident report?

Once a breach has been determined, it is critical to review computers, servers, data, and user accounts on any and all related systems on the network. If it is determined that there has been a reportable event, it is critical to prepare a summary of the relevant facts to aid with the online reporting to DoD, which must be submitted at https://dibnet.dod.mil. Again, a DoD cybersecurity incident must be reported within 72 hours of discovery.

What information should be gathered for review and reporting?

There are several areas of information required for reporting. Fortunately, much of it can be gathered and maintained before a cyber incident as part of advance informational triage. Doing so will permit resources to focus on gathering facts specific to the incident to expedite the reporting.

A key part of advance informational triage is to gather and maintain general company and contact information in advance of a cyber incident – such as place of incorporation, registration, qualification, CAGE code, DUNS number, officers and directors.

Information specific to the cyber incident will include contract/award details, contract contact information, specific incident information and relevant CUI and/or CDI involved – much of which can also be gathered and maintained on a regular, advance basis.

What are some other areas of informational triage?

Rapid response planning can help minimize the impact and potential damage from a cybersecurity incident. Rapid response planning should include probable exposure and mitigation plans. It should also include a pre-determination of management, IT and legal resources needed for rapid response.

Advance informational triage should include assessment of physical, cyber and data weaknesses, policies and procedures, as well as rapid response capabilities for data and network threats and breaches. Finally, effective informational triage is dependent on the development of specific procedures for incident response, document retention, audits, awareness and training.

Informational triage can reduce the risk of a cybersecurity incident.

Develop a clear and concise explanation of the business, operations, customers and employees for outside resources that are retained to assist with the review and reporting. If you are also doing classified work, include your DPO and ITPSO in the advance informational triage.

Also evaluate the actual need for CUI and CDI, its uses and locations – and create a “Data Map” of all such information. It also helps to document procedures for tracking and maintaining physical and cybersecurity of CUI and CDI.

There are also operational considerations that can reduce risk, such as including cyber-protection provisions in employment, proprietary rights, non-disclosure and customer agreements, as well as in Employee Handbooks and Codes of Conduct, teaming and joint development agreements.

Start your advance informational triage with the following checklist:

  • Evaluate systems and facility security
  • Review policies and procedures
  • Develop description of CUI and CDI in possession
  • Implement required safeguards for CUI and CDI
  • Develop capability for rapid detection of data and network threats
  • Develop procedures for incident response, document retention and audits
  • Develop awareness and training programs
  • Maintain accurate contact information for customers and employees
  • Prepare mitigation plans for possible breaches
  • Predetermine resources for incident response

Additional information is also available at: http://www.dss.mil/it/index.html