1. LawStack
  2. Title 48 - Federal Acquisition Regulations System
  3. Chapter 2 - DEFENSE ACQUISITION REGULATIONS SYSTEM, DEPARTMENT OF DEFENSE
  4. Subchapter A - GENERAL
  5. Part 204 - ADMINISTRATIVE AND INFORMATION MATTERS
  6. Subpart 204.73 - Safeguarding Covered Defense Information and Cyber Incident Reporting
  7. 48 CFR § 204.7302
48 CFR § 204.7302
Policy
November 17, 2020
CFR

(a) Contractors and subcontractors are required to provide adequate security on all covered contractor information systems.

(b) Contractors and subcontractors are required to rapidly report cyber incidents directly to DoD at http://dibnet.dod.mil. Subcontractors provide the incident report number automatically assigned by DoD to the prime contractor. Lower-tier subcontractors likewise report the incident report number automatically assigned by DoD to their higher-tier subcontractor, until the prime contractor is reached.

(1) If a cyber incident occurs, contractors and subcontractors submit to DoD—

(i) A cyber incident report;

(ii) Malicious software, if detected and isolated; and

(iii) Media (or access to covered contractor information systems and equipment) upon request.

(2) Contracting officers shall refer to PGI 204.7303-4(c) for instructions on contractor submissions of media and malicious software.

(c) Information shared by the contractor may include contractor attributional/proprietary information that is not customarily shared outside of the company, and that the unauthorized use or disclosure of such information could cause substantial competitive harm to the contractor that reported the information. The Government shall protect against the unauthorized use or release of information that includes contractor attributional/proprietary information.

(d) A cyber incident that is reported by a contractor or subcontractor shall not, by itself, be interpreted as evidence that the contractor or subcontractor has failed to provide adequate security on their covered contractor information systems, or has otherwise failed to meet the requirements of the clause at 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. When a cyber incident is reported, the contracting officer shall consult with the DoD component Chief Information Officer/cyber security office prior to assessing contractor compliance (see PGI 204.7303-3(a)(3)). The contracting officer shall consider such cyber incidents in the context of an overall assessment of a contractor's compliance with the requirements of the clause at 252.204-7012.

(e) Support services contractors directly supporting Government activities related to safeguarding covered defense information and cyber incident reporting (e.g., forensic analysis, damage assessment,, or other services that require access to data from another contractor) are subject to restrictions on use and disclosure of reported information.

[80 FR 51742, Aug. 26, 2015, as amended at 81 FR 72998, Oct. 21, 2016]

Previous
§ 204.7301 Definitions
Next
§ 204.7302 [Amendment] Policy

Tried the LawStack mobile app?

Join thousands and try LawStack mobile for FREE today.

  • Carry the law offline, wherever you go.
  • Download CFR, USC, rules, and state law to your mobile device.

Designed and built by Tekk Innovations LLC, the makers of the LawStack iPhone app or Android app.

© 2020 Tekk Innovations LLC