Well, it finally happened. Despite all your efforts in security awareness training and the latest in hardware and software technology, somehow something bad happened: You got breached. Do not freak out or feel too bad.
So, what to do?
What CAN you do?
What SHOULD you do, and what should you NOT do?
WHY DO THIS?
DFARS requires defense contractors and subcontractors to report to the DoD within 72 hours of discovering a cyber incident involving “Controlled Unclassified information (or the equivalent)”, and to have a system to retain and maintain detailed records of the incident(s) for analysis.
As part of the DoD-DIB reporting program, the US Government and each contractor are supposed to execute an agreement, referred to as a Framework Agreement (FA). This framework is designed to share “cybersecurity information”, in a timely and secure manner, regularly, and to the greatest extent possible.
There is also a great emphasis on the importance of informing DoD of potential or real incidents involving export-controlled information. Now we have ITAR and EAR regulations as well to be concerned about.
The regulations also state that “cyber incident reporting requirements for other important types of controlled unclassified information (CUI) (e.g., personally identifiable information (PII), budget or financial information) are more specifically addressed through other regulatory mechanisms, and thus are outside the scope of this rule.” So, let’s hope the bad guys didn’t get anything that requires state disclosures.
Luckily, the rule gives specific information about where to report and how to obtain the credentials needed to report, and it also states that third-party service providers (SPs) that assist contractors with cybersecurity can report on behalf of those contractors. We will leave the ethical and legal question of whether they should report for another time.
DO NOT DO THIS:
Let us just get this right out of the way first – you can NOT ignore it, hope no one will find out or wish it away. Do not think about it, don’t even consider it. You will get caught, get in trouble, face fines (yes YOU, as well as the company), and you could go to jail. And everyone says that you’re way too pretty to go to jail. Just like you can’t break up with someone by text message, you have to face the music head-on, and take it like a champ.
If you don’t think I’m right…. how about these penalties:
- Very large (multi-million, even nine-figure) penalties.
- Prevention of doing future business with the DoD.
- Forced monitoring (which you pay for).
- Criminal charges = jail time.
WHAT SHOULD YOU DO?
Before you can report an incident, you need to be vetted to submit one. I agree this is borderline insane and counterproductive, but I don’t make the rules. You will need to obtain a certificate. Much like the TLS certificate that identifies a website, this certificate both identifies and authenticates you (the person submitting the report) to the Defense Industrial Base Network (DIB Net) – the website at https://dibnet.dod.mil/portal/intranet/.
Visiting this website shows that there are two options:
- On the left side: Cyber Reports – Report a Cyber Incident.
- On the right side: DoD’s DIB Cybersecurity Program.
The Cyber Reports area on the left is the one we need to use (the CS Program is for anyone – public, private, or governmental to share information about threats, and ways to address these threats).
You can see that right beneath the button that says, “Report a Cyber Incident”, there is some text explaining that “A Medium Assurance Certificate is required to report a Cyber Incident”. So at least there is some information here to help us. Clicking the underlined text will take us to the DoD Cyber Exchange’s External Certification Authorities (ECA) page – https://public.cyber.mil/eca/.
There is a bunch of text explaining that the DoD requires you to present a certificate before it will accept a cyber report. The key thing here is the Medium Assurance Certificate, which satisfies FIPS 140 Level 1 requirements.
Reading the tiny print will tell you that you/your company can only have ONE application. Got 10,000 employees across the globe? Too bad. You get ONE. The person is sick, or leaves the organization? No clue what you do then. I’m sure it’s never happened….
Of course, you need to be a U.S. citizen and “authorized to act on behalf of the company during the application process”. It isn’t going to hurt if you understand certificates and technology, but…you’ll figure that out.
As stated, the certificate installation is tied to one machine, for one user. Luckily, the process is the same as importing any other client certificate.
Since there are several types of servers, operating systems, and other variables, the best resource I could find was here: https://www.digicert.com/kb/ssl-certificate-installation.htm
If all else fails, send an email to email@example.com
And PLEASE make a backup copy of the Certificate, including its private key (an export of the certificate alone, without the key, is not a usable backup), even if you can re-download it. “Things” happen. Just do it. You will thank me later.
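Since a backup that cannot be opened, or that turns out not to contain the private key, is discovered at the worst possible moment, here is a way to check one before you need it. This is an added example, not code from the original post or from DIBNet/ECA: it generates a throwaway self-signed certificate in place of a real ECA certificate, bundles it as PKCS#12 the way a browser or Windows certificate export would, and then verifies that the bundle opens with the passphrase, contains a private key that matches the certificate, and is not about to expire. File names and passphrases are assumptions for the demo.

```shell
#!/bin/sh
# Added example: verify a PKCS#12 (.p12/.pfx) backup of a client certificate.
# Requires the openssl command-line tool. All names and passphrases below are
# assumptions for the demo, not real DIBNet/ECA values.
set -eu

WORK=$(mktemp -d)
P12="$WORK/dibnet-client-backup.p12"   # assumed backup file name
PASS="backup-passphrase"               # assumed export passphrase

# make_demo_p12: constructed stand-in for the real certificate export.
# Generates a self-signed key pair and bundles key + cert as PKCS#12.
make_demo_p12() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Demo Reporter" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
  openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
    -out "$P12" -passout "pass:$PASS"
}

# verify_p12_backup FILE PASSPHRASE
# Returns 0 only if the bundle opens, holds a private key, the key matches the
# certificate, and the certificate is valid for at least 30 more days.
verify_p12_backup() {
  f=$1
  pw=$2
  tmp=$(mktemp -d)

  # 1. The passphrase must open the bundle and it must contain a private key.
  #    A certificate-only export (no key) fails here.
  if ! openssl pkcs12 -in "$f" -passin "pass:$pw" -nocerts -nodes \
        -out "$tmp/key.pem" >/dev/null 2>&1; then
    echo "FAIL: cannot open bundle with that passphrase, or no private key inside"
    rm -rf "$tmp"; return 1
  fi
  if ! openssl pkcs12 -in "$f" -passin "pass:$pw" -nokeys -clcerts \
        -out "$tmp/cert.pem" >/dev/null 2>&1; then
    echo "FAIL: no client certificate inside bundle"
    rm -rf "$tmp"; return 1
  fi

  # 2. The private key must belong to the certificate: compare public keys.
  keypub=$(openssl pkey -in "$tmp/key.pem" -pubout 2>/dev/null | openssl sha256)
  certpub=$(openssl x509 -in "$tmp/cert.pem" -pubkey -noout 2>/dev/null | openssl sha256)
  if [ "$keypub" != "$certpub" ]; then
    echo "FAIL: private key does not match certificate"
    rm -rf "$tmp"; return 1
  fi

  # 3. The certificate must not be expired or expiring within 30 days (2592000 s).
  if ! openssl x509 -in "$tmp/cert.pem" -noout -checkend 2592000 >/dev/null; then
    echo "FAIL: certificate expired or expires within 30 days; renew before relying on it"
    rm -rf "$tmp"; return 1
  fi

  echo "OK: backup usable for"
  openssl x509 -in "$tmp/cert.pem" -noout -subject -enddate
  rm -rf "$tmp"
  return 0
}

# Demo run: build the constructed bundle and verify it.
make_demo_p12
verify_p12_backup "$P12" "$PASS"
```

Run the check against your real backup with `verify_p12_backup /path/to/backup.p12 'your passphrase'`; keep the backup on encrypted removable media rather than on the one machine the certificate is tied to, since losing that machine is exactly the case the backup exists for.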
Now comes the fun stuff. Go back to the website here: https://dibnet.dod.mil/portal/intranet/, and click the “Report a Cyber Incident” button. If you did everything right, you’ll get a form and all sorts of fun questions to fill out. If you did it wrong, you’ll get a “This site can’t be reached” error.
OK, NOW WHAT DO I HAVE TO KNOW TO REPORT
According to the regulations, you now get to play twenty questions! Luckily, we have a home version of the game as a consolation prize.
Get ready to provide as much of the following information as you can gather within 72 hours of the discovery of any cyber incident:
1. Company name
2. Company point of contact information (address, position, telephone, email)
Psshhht…you got this, it’s easy!
3. Data Universal Numbering System (DUNS) Number
4. Contract number(s) or other types of agreement affected or potentially affected
5. Contracting Officer or other types of agreement point of contact (address, position, telephone, email)
6. USG Program Manager point of contact (address, position, telephone, email)
7. Contract or other types of agreement clearance level (Unclassified, Confidential, Secret, Top Secret, Not applicable)
8. Facility CAGE code
9. Facility Clearance Level (Unclassified, Confidential, Secret, Top Secret, Not applicable)
Sure, you have this information memorized by now, right? These are the items to go and gather right now, before the clock runs down.
10. Impact to Covered Defense Information
Yeah, this is the big one, please indicate how your breach is going to affect the US defense strategy. Don’t be shy! Lay out some worst-case scenarios for them. Get creative!
11. Ability to provide operationally critical support
12. Date incident discovered
13. Location(s) of compromise
Hopefully, the answers are ‘Yes’, the discovery date (the 72-hour clock starts there), and the location(s) of…your network? Your headquarters? Your business addresses? It may be the location of the PC where the malicious code was found! Or is it your bathroom, where you read the email? I seriously don’t know. Good luck.
14. Incident location CAGE code
I don’t know whether this should be the same as the Facility CAGE code or not. It should be looked at on a case-by-case basis.
15. DoD programs, platforms, or systems involved
This question is also going to require a bit of searching and discussion. Be as comprehensive as possible, but frankly, at 72 hours you may not know, and you should say so rather than guess.
16. Type of compromise (unauthorized access, unauthorized release (includes inadvertent release), unknown, not applicable)
I want to read a few of these for a laugh sometime. Apparently, “They got in and got our data” is NOT sufficient here. You’re going to need a good team effort, because this requires forensic investigation and analysis. The reality is you may NOT be able to determine the type of compromise. These guys (and women) are good at what they do; they don’t leave a lot of clues or signs behind, and erasing log files and other evidence of entry into a system is pretty much standard practice. That is one reason logs should be forwarded off the affected hosts before an incident, not after it.
And what is ‘not applicable’!? Since when is the type of compromise not applicable?
17. Description of technique or method used in cyber incident
If you knew this, wouldn’t you have prevented it from happening in the first place? But please, tell us how this could have been avoided.
18. Incident outcome (successful compromise, failed attempt, unknown)
“Well, the outcome was that we reported it to you”. Next question?
19. Incident/Compromise narrative
This is basically going to be the story of what happened. You should be complete and make sure that you understand what occurred, when it occurred, and how it showed up.
20. Any additional information
This is your opportunity, for good or bad, to put the incident in context by providing information that isn’t requested elsewhere.
REAL QUESTIONS THAT NEED TO BE ANSWERED
#1 Why should you need to go through a lengthy process, pay several hundred dollars just to be able to report a cyber incident? Why make it more difficult to report incidents?
#2 Why are there only two vendors that can issue this certificate (IdenTrust and WidePoint)?
#3 Why isn’t a High Assurance certificate from another vendor (at a lower price) acceptable?
#4 Why do you only get ONE account?
#5 Why are you putting up barriers to people reporting cyber incidents?!
Follow the rules, do your best, and keep on trying to fight the good fight. RegDOX is always looking for good people…
About RegDOX Solutions Inc.
RegDOX Solutions’ first-to-market ITAR and NIST 800-171 (DFARS) compliant online storage and collaboration product has redefined how export-controlled and CUI documents and electronic files can be handled within regulatory requirements. This was recognized by the formal opinion of compliance provided by the US State Department’s Directorate of Defense Trade Controls (DDTC). RegDOX’s unique capabilities were confirmed on August 20, 2019 when the US Patent and Trademark Office issued a patent covering RegDOX’s system to store and manage export-controlled documents in the cloud (Patent No. 10,389,716). The RegDOX® ITAR/EAR solution provides ground-breaking and unsurpassed technology enabling the efficiency and flexibility of a cloud solution to allow multiple users located at numerous locations to collaborate using controlled data while remaining fully in compliance with the strict regulatory and licensing requirements of the ITAR and DFARS.