RegDOX Position on Cyber Incident Reporting
RegDOX provides a specialized, secure file sharing application that is hosted on Amazon’s AWS GovCloud and meets or exceeds all DoD requirements, including NIST SP 800-171a, the DoD Cloud Computing Security Requirements Guide (CC SRG) at Impact Level 4, and the FedRAMP Moderate Baseline. RegDOX will assist in every way we can with any cyber incident reporting, including immediately responding to and tracking events, preserving and protecting media, providing access to additional information and equipment necessary for forensic analysis, and supporting cyber incident damage assessment. All of this will be reported to affected customers.
DFARS clause 252.204-7009 specifically places certain use and confidentiality restrictions on information obtained from a third party’s report of a cyber incident under DFARS clause 252.204-7012. DFARS clause 252.239-7010 also requires that a cloud service such as RegDOX’s satisfy the requirements of that clause and NIST SP 800-171, which it certainly does.
The substance of the DFARS reporting requirement is contained in DFARS clause 252.204-7012. RegDOX’s System Security Policy is a comprehensive document detailing all contingency planning.
This is the portion specifically dealing with Cyber Incident Reporting:
If and when RegDOX (or any client) discovers a cyber incident that affects client information, our protocols dictate that we do the following:
Reporting: Coordinate with the client to rapidly report cyber incidents to DoD at https://dibnet.dod.mil, abiding at all times by any government or client Non-Disclosure Agreements.
Notification of Third-Party Access Requests: To the extent permitted under law, RegDOX will notify a customer promptly of any request from a third party not authorized by that customer for access to the customer’s account, including any warrants, seizures, or subpoenas it receives, whether issued by a Federal, State, or local agency. RegDOX shall cooperate with the customer to take all measures to protect the customer’s data from any unauthorized disclosure.
Review and Analysis: Conduct a review for evidence of compromise of information, including, but not limited to, identifying compromised computers, servers, specific data, and user accounts in accordance with applicable laws and regulations on the interception, monitoring, access, use, and disclosure of electronic communications and data.
This review shall include analyzing all information system(s) that were part of the cyber incident. The cyber incident report shall be treated as information created by or for DoD and shall include, at a minimum, the required elements at https://dibnet.dod.mil.
Preservation: We will preserve and protect images of all known affected information systems identified and all relevant monitoring/packet capture data for at least 90 days from the submission of the cyber incident report to allow DoD to request the media or decline interest.
Remedial Actions: If and when we (or any client) discover malicious software in connection with a reported cyber incident, we shall immediately isolate the malware and coordinate with the client to submit the malicious software to the DoD Cyber Crime Center (DC3) in accordance with instructions provided by the client and DoD SOP. We will provide permission and access to any additional information or equipment that is necessary to conduct a forensic analysis.
Cooperation: If the client or the DoD elects to conduct a damage assessment or requires any other information, we will provide all of the information we can. Upon notification by the Government of a spillage, or upon a customer’s discovery of a spillage, RegDOX shall cooperate with the Government and the customer to address the spillage in compliance with agency procedures.
For the record, due to the robust security protections incorporated into the RegDOX system (among other protections), there have been no cyber incidents in the history of the company. This statement nonetheless stands as the standard by which RegDOX will support its clients and meet the DFARS requirements for any such incident.
About RegDOX Solutions Inc.
RegDOX Solutions’ first-to-market ITAR and NIST 800-171 (DFARS) compliant online storage and collaboration product has redefined how export-controlled and CUI documents and electronic files can be handled within regulatory requirements. This was recognized by the formal opinion of compliance provided by the US State Department’s Directorate of Defense Trade Controls (DDTC). RegDOX’s unique capabilities were confirmed on August 20, 2019, when the US Patent and Trademark Office issued a patent covering RegDOX’s system to store and manage export-controlled documents in the cloud (Patent No. 10,389,716). The RegDOX® ITAR/EAR solution provides ground-breaking and unsurpassed technology enabling the efficiency and flexibility of a cloud solution, allowing multiple users at numerous locations to collaborate using controlled data while remaining fully in compliance with the strict regulatory and licensing requirements of the ITAR and DFARS.
Notes:
Vol. 1, Release 3, Department of Defense Cloud Computing Security Requirements Guide (March 6, 2017).
DFARS clause 252.204-7009(b), Restrictions.