mil/portal/intranet/Splashpage/ReportCyberIncident
What to report?
DoD Contractors
DoD contractors shall report as much of the following information as can be obtained to DoD within 72 hours of discovery of a
1. Company name
2. Company point of contact information (address, position, telephone, email)
3. Data Universal Numbering System (DUNS) Number
4. Contract number(s) or other type of agreement affected or potentially affected
5. Contracting Officer or other type of agreement point of contact (address, position, telephone, email)
6. USG Program Manager point of contact (address, position, telephone, email)
7. Contract or other type of agreement clearance level (Unclassified, Confidential, Secret, Top Secret, Not applicable)
8. Facility CAGE code
9. Facility Clearance Level (Unclassified, Confidential, Secret, Top Secret, Not applicable)
10. Impact to Covered Defense Information
11. Ability to provide operationally critical support
12. Date incident discovered
13. Location(s) of compromise
14. Incident location CAGE code
15. DoD programs, platforms or systems involved
16. Type of compromise (unauthorized access, unauthorized release (includes inadvertent release), unknown, not applicable)
17. Description of technique or method used in cyber incident
18. Incident outcome (successful compromise, failed attempt, unknown)
19. Incident/Compromise narrative
20. Any additional information
Contractors are encouraged to report information to promote sharing of cyber threat indicators that they believe are valuable
appropriate in order to better counter threat actor activity. Cyber incidents that are not compromises of covered defense info
ability to perform operationally critical support may be of interest to the DIB and DoD for situational awareness purposes.
1. Company name
2. Company point of contact information (address, position, telephone, email)
3. Date incident discovered
4. Location(s) of incident
5. Incident location CAGE Code
6. Incident outcome (successful compromise, failed attempt, unknown)
7. Incident Resolution Date/Time
8. Detection Method
9. Type of incident (unauthorized access, unauthorized release (includes inadvertent release), unknown, not applicable)
10. Incident/Indicator Details/Narrative (including insertion of relevant indicators)
11. PII compromised or potentially compromised in the occurrence
12. Description of technique or method used
13. Was a known APT involved?
14. Was the incident detected by a DC3/DCISE Indicator?
15. Any additional information relevant to the incident
4.3.3 APPENDIX F. INCIDENT COLLECTION FORMAT (ICF) TEMPLATE
1.) UNCLASSIFIED//FOR OFFICIAL USE ONLY (when filled in)
2.) FOR INTERNAL USE ONLY
3.) Report ID: xxx-xxxxx
4.) Company Name: xxxxx
5.) DUNS Number: xxxxx
6.) Contract Number Affected (Additional contract numbers can be added on a subsequent page): xxxxxx-xx-x-xxxx
7.) Contract Clearance Level: xxxxxx
8.) Facility CAGE Code: xxxxx
9.) Does this incident affect cloud services provided to DoD?: xx
10.) Does this incident impact unclassified controlled technical information as defined in DFARS clause 252.204-7012?: xxx
11.) Last Name: Xxxxxxx
12.) First Name: Xxxxxx
13.) Position/Title: xxxxxxxxxx
14.) Location: xxxxxxxxxxxxxxx
15.) City: xxxxxxxxxx
16.) State: xxxxxxxxxxxxx
17.) Postal Code: xxxxx
18.) Telephone: xxx-xxx-xxxx
19.) E-mail Address: xxxxxx.xxxxx@xxxxxx.xxxx
20.) Subcontractor Name [if incident was on a subcontractor network]: xxxxx
21.) Subcontractor CAGE Code: xxxxxx
22.) DoD Programs, Platforms, or Systems Involved: xxxxxxxxxxxxxxxxxxxxxx
23.) Location(s) of Compromise: xxxxxxxxxxxxxxxx 1234 Main St Anywhere, USA xxxxxx
24.) Date Incident Discovered: xx Xxxx xxxx
25.) Description of Technical Information Compromised: xxxxxxxxxxxxxxxxxxxx
26.) Additional Information Relevant to the Information Compromised: xxxxxxxxxxxxxxxxxx
27.) Add additional contract numbers: xxxxxx
28.) Add additional Point of Contact: xxxxxx
29.) Last Name: Xxxxxxx
30.) First Name: Xxxxxxxx
31.) Location: Xxxxxxxxxx
32.) City: Xxxxxxxxx
33.) State: Xxxxxxx
34.) Postal Code: xxxxx
35.) Telephone: xxx-xx-xxxx
36.) E-mail Address: xxxxxxxxxxxxxxx@xxx.xxx
37.) Add additional contract numbers: xxxxxxxxxx
38.) Add additional Point of Contact: xxxxxx
39.) NOTICE: DFARS Rule 252.204-7012 requires the preservation of all media associated with all identified targeted systems, f
40.) UNCLASSIFIED//FOR OFFICIAL USE ONLY (when filled in)
4.4.4 APPENDIX E. INSTRUCTIONS FOR SUBMITTING MEDIA
1) For those instances when the contractor can identify all the files containing unclassified controlled technical information (CT
of each file containing unclassified CTI associated with the compromise.
2) If the contractor cannot identify all the files containing unclassified CTI associated with the compromise, then the contracto
the preparation of the drive image(s) should be as follows for submission: create the image on a separate wiped hard drive, w
application or hardware that overwrites previous data with a pattern of binary data. The hard drive can be wiped with utilities
commercially available hard drive duplicators with a drive wiping feature. Suitable applications for creating drive images includ