32 CFR § 236.4 - Mandatory cyber incident reporting procedures.

§ 236.4 Mandatory cyber incident reporting procedures.

(a) Applicability and order of precedence. The requirement to report cyber incidents shall be included in all forms of agreements (e.g., contracts, grants, cooperative agreements, other transaction agreements, technology investment agreements, and any other type of legal instrument or agreement) between the Government and the contractor in which covered defense information resides on, or transits covered contractor information systems or under which a contractor provides operationally critical support, and shall be identical to those requirements provided in this section (e.g., by incorporating the requirements of this section by reference, or by expressly setting forth such reporting requirements consistent with those of this section). Any inconsistency between the relevant terms and condition of any such agreement and this section shall be resolved in favor of the terms and conditions of the agreement, provided and to the extent that such terms and conditions are authorized to have been included in the agreement in accordance with applicable laws and regulations.

(b) Cyber incident reporting requirement. When a contractor discovers a cyber incident that affects a covered contractor information system or the covered defense information residing therein or that affects the contractor's ability to provide operationally critical support, the contractor shall:

(1) Conduct a review for evidence of compromise of covered defense information including, but not limited to, identifying compromised computers, servers, specific data, and user accounts. This review shall also include analyzing covered contractor information system(s) that were part of the cyber incident, as well as other information systems on the contractor's network(s), that may have been accessed as a result of the incident in order to identify compromised covered defense information, or that affect the contractor's ability to provide operationally critical support; and

(2) Rapidly report cyber incidents to DoD at https://dibnet.dod.mil.

(c) Cyber incident report. The cyber incident report shall be treated as information created by or for DoD and shall include, at a minimum, the required elements at https://dibnet.dod.mil.

(d) Subcontractor reporting procedures. Contractors shall flow down the cyber incident reporting requirements of this part to their subcontractors that are providing operationally critical support or for which subcontract performance will involve a covered contractor information system. Contractors shall require sub contractors to rapidly report cyber incidents directly to DoD at https://dibnet.dod.mil and the prime contractor. This includes providing the incident report number, automatically assigned by DoD, to the prime contractor (or next higher-tier subcontractor) as soon as practicable.

(e) Procurement Integrated Enterprise Environment (PIEE) account requirement. To report cyber incidents in accordance with this section, the contractor or subcontractor shall have a PIEE account to access https://dibnet.dod.mil. For information on obtaining a PIEE account, see https://piee.eb.mil/.

(f) Third-party service provider support. If the contractor utilizes a third-party service provider (SP) for information system security services, the contractor may authorize the SP to report cyber incidents on behalf of the contractor.

(g) Voluntary information sharing. Contractors are encouraged to report information to promote sharing of cyber threat indicators that they believe are valuable in alerting the Government and others, as appropriate, in order to better counter threat actor activity. Cyber incidents that are not compromises of covered defense information or do not adversely affect the contractor's ability to perform operationally critical support may be of interest to the DIB and DoD for situational awareness purposes.

(h) Malicious software. Malicious software discovered and isolated by the contractor will be submitted to the DoD Cyber Crime Center (DC3) for forensic analysis.

(i) Media preservation and protection. When a contractor discovers a cyber incident has occurred, the contractor shall preserve and protect images of known affected information systems identified in paragraph (b) of this section and all relevant monitoring/packet capture data for at least 90 days from submission of the cyber incident report to allow DoD to request the media or decline interest.

(j) Access to additional information or equipment necessary for forensics analysis. Upon request by DoD, the contractor shall provide DoD with access to additional information or equipment that is necessary to conduct a forensic analysis.

(k) Cyber incident damage assessment activities. If DoD elects to conduct a damage assessment, DoD will request that the contractor provide all of the damage assessment information gathered in accordance with paragraph (i) of this section.

(l) DoD safeguarding and use of contractor attributional/proprietary information. The Government shall protect against the unauthorized use or release of information obtained from the contractor (or derived from information obtained from the contractor) under this part that includes contractor attributional/proprietary information, including such information submitted in accordance with paragraph (b) of this section. To the maximum extent practicable, the contractor shall identify and mark attributional/proprietary information. In making an authorized release of such information, the Government will implement appropriate procedures to minimize the contractor attributional/proprietary information that is included in such authorized release, seeking to include only that information that is necessary for the authorized purpose(s) for which the information is being released.

(m) Use and release of contractor attributional/proprietary information not created by or for DoD. Information that is obtained from the contractor (or derived from information obtained from the contractor) under this part that is not created by or for DoD is authorized to be released outside of DoD:

(1) To entities with missions that may be affected by such information;

(2) To entities that may be called upon to assist in the diagnosis, detection, or mitigation of cyber incidents;

(3) To Government entities that conduct LE/CI investigations;

(4) For national security purposes, including cyber situational awareness and defense purposes (including sharing non-attributional cyber threat information with defense contractors participating in the DIB CS Program authorized by this part); or

(5) To a support services contractor (“recipient”) that is directly supporting Government activities related to this part and is bound by use and non-disclosure restrictions that include all of the following conditions:

(i) The recipient shall access and use the information only for the purpose of furnishing advice or technical assistance directly to the Government in support of the Government's activities related to this part, and shall not be used for any other purpose;

(ii) The recipient shall protect the information against unauthorized release or disclosure;

(iii) The recipient shall ensure that its employees are subject to use and non-disclosure obligations consistent with this part prior to the employees being provided access to or use of the information;

(iv) The third-party contractor that reported the cyber incident is a third-party beneficiary of the non-disclosure agreement between the Government and the recipient, as required by paragraph (m)(5)(iii) of this section;

(v) That a breach of these obligations or restrictions may subject the recipient to:

(A) Criminal, civil, administrative, and contractual actions in law and equity for penalties, damages, and other appropriate remedies by the United States; and

(B) Civil actions for damages and other appropriate remedies by the third party that reported the incident, as a third party beneficiary of the non-disclosure agreement.

(n) Use and release of contractor attributional/proprietary information created by or for DoD. Information that is obtained from the contractor (or derived from information obtained from the contractor) under this part that is created by or for DoD (including the information submitted pursuant to paragraph (b) of this section) is authorized to be used and released outside of DoD for purposes and activities authorized by this section, and for any other lawful Government purpose or activity, subject to all applicable statutory, regulatory, and policy based restrictions on the Government's use and release of such information.

(o) Contractor activities. Contractors shall conduct their respective activities under this part in accordance with applicable laws and regulations on the interception, monitoring, access, use, and disclosure of electronic communications and data.

(p) Freedom of Information Act (FOIA). Agency records, which may include qualifying information received from non-Federal entities, are subject to request under the Freedom of Information Act (5 U.S.C. 552). The Government will notify the non-Government source or submitter (e.g., contractor or DIB CS Program participant) of the information in accordance with the procedures in 32 CFR 286.10.

(q) Other reporting requirements. Cyber incident reporting required by this part in no way abrogates the contractor's responsibility for other cyber incident reporting pertaining to its unclassified information systems under other clauses that may apply to its contract(s), or as a result of other applicable U.S. Government statutory or regulatory requirements, including Federal or DoD requirements for Controlled Unclassified Information as established by Executive Order 13556, as well as regulations and guidance established pursuant thereto.

[80 FR 59584, Oct. 2, 2015, as amended at 81 FR 68317, Oct. 4, 2016; 89 FR 17747, Mar. 12, 2024]