
https://dibnet.dod.mil/portal/intranet/Splashpage/ReportCyberIncident

Reporting a Cyber Incident


What is a cyber incident?
A cyber incident is defined as actions taken through the use of computer networks that result in a compromise or an actual or
and/or the information residing therein.

Who should report and why?


DoD contractors report cyber incidents in accordance with the DFARS Clause 252.204-7012
DoD contractors report in accordance with other reporting requirements identified in a contract or other agreement.
DoD Cloud Service Providers report cyber incidents in accordance with clause 252.239-7010, Cloud Computing Services
DoD's DIB CS Participants report cyber incidents in accordance with the Framework Agreement (FA)

What to report?
DoD Contractors

DoD contractors shall report as much of the following information as can be obtained to DoD within 72 hours of discovery of a

1. Company name
2. Company point of contact information (address, position, telephone, email)
3. Data Universal Numbering System (DUNS) Number
4. Contract number(s) or other type of agreement affected or potentially affected
5. Contracting Officer or other type of agreement point of contact (address, position, telephone, email)
6. USG Program Manager point of contact (address, position, telephone, email)
7. Contract or other type of agreement clearance level (Unclassified, Confidential, Secret, Top Secret, Not applicable)
8. Facility CAGE code
9. Facility Clearance Level (Unclassified, Confidential, Secret, Top Secret, Not applicable)
10. Impact to Covered Defense Information
11. Ability to provide operationally critical support
12. Date incident discovered
13. Location(s) of compromise
14. Incident location CAGE code
15. DoD programs, platforms or systems involved
16. Type of compromise (unauthorized access, unauthorized release (includes inadvertent release), unknown, not applicable)
17. Description of technique or method used in cyber incident
18. Incident outcome (successful compromise, failed attempt, unknown)
19. Incident/Compromise narrative
20. Any additional information

DoD Contractors Providing Cloud Services


1. Contract information to include contract number, USG Contracting Officer(s) contact information, contract clearance level, e
2. Contact information for the impacted and reporting organizations as well as the MCND
3. Details describing any vulnerabilities involved (i.e., Common Vulnerabilities and Exposures (CVE) identifiers)
4. Date/Time of occurrence, including time zone
5. Date/Time of detection and identification, including time zone
6. Related indicators (e.g. hostnames, domain names, network traffic characteristics, registry keys, X.509 certificates, MD5 file
7. Threat vectors, if known (see Threat Vector Taxonomy and Cause Analysis flowchart within the US-CERT Federal Incident No
8. Prioritization factors (i.e. functional impact, information impact, and recoverability as defined flowchart within the US-CERT
9. Source and Destination Internet Protocol (IP) address, port, and protocol
10. Operating System(s) affected
11. Mitigating factors (e.g. full disk encryption or two-factor authentication)
12. Mitigation actions taken, if applicable
13. System Function(s) (e.g. web server, domain controller, or workstation)
14. Physical system location(s) (e.g., Washington DC, Los Angeles, CA)
15. Sources, methods, or tools used to identify the incident (e.g., Intrusion Detection System or audit log analysis)
16. Any additional information relevant to the incident and not included above

DoD's DIB CS Program Participants

Contractors are encouraged to report information to promote sharing of cyber threat indicators that they believe are valuable
appropriate in order to better counter threat actor activity. Cyber incidents that are not compromises of covered defense info
ability to perform operationally critical support may be of interest to the DIB and DoD for situational awareness purposes.

1. Company name
2. Company point of contact information (address, position, telephone, email)
3. Date incident discovered
4. Location(s) of incident
5. Incident location CAGE Code
6. Incident outcome (successful compromise, failed attempt, unknown)
7. Incident Resolution Date/Time
8. Detection Method
9. Type of incident (unauthorized access, unauthorized release (includes inadvertent release), unknown, not applicable)
10. Incident/Indicator Details/Narrative (including insertion of relevant indicators)
11. PII compromised or potentially compromised in the occurrence
12. Description of technique or method used
13. Was known APT involved
14. Was the incident detected by DC3/DCISE Indicator
15. Any additional information relevant to the incident
4.3.3 APPENDIX F. INCIDENT COLLECTION FORMAT (ICF) TEMPLATE
1.) UNCLASSIFIED//FOR OFFICIAL USE ONLY (when filled in)
2.) FOR INTERNAL USE ONLY
3.) Report ID: xxx-xxxxx
4.) Company Name: xxxxx
5.) DUNS Number: xxxxx
6.) Contract Number Affected (Additional contract numbers can be added on a subsequent page): xxxxxx-xx-x-xxxx
7.) Contract Clearance Level: xxxxxx
8.) Facility CAGE Code: xxxxx
9.) Does this incident affect cloud services provided to DoD?: xx
10.) Does this incident impact unclassified controlled technical information as defined in DFARS clause 252.204-7012?: xxx
11.) Last Name: Xxxxxxx
12.) First Name: Xxxxxx
13.) Position/Title: xxxxxxxxxx
14.) Location: xxxxxxxxxxxxxxx
15.) City: xxxxxxxxxx
16.) State: xxxxxxxxxxxxx
17.) Postal Code: xxxxx
18.) Telephone: xxx-xxx-xxxx
19.) E-mail Address: xxxxxx.xxxxx@xxxxxx.xxxx
20.) Subcontractor Name [if incident was on a subcontractor network]: xxxxx
21.) Subcontractor CAGE Code: xxxxxx
22.) DoD Programs, Platforms, or Systems Involved: xxxxxxxxxxxxxxxxxxxxxx
23.) Location(s) of Compromise: xxxxxxxxxxxxxxxx 1234 Main St Anywhere, USA xxxxxx
24.) Date Incident Discovered: xx Xxxx xxxx
25.) Description of Technical Information Compromised: xxxxxxxxxxxxxxxxxxxx
26.) Additional Information Relevant to the Information Compromised: xxxxxxxxxxxxxxxxxx
27.) Add additional contract numbers: xxxxxx
28.) Add additional Point of Contact: xxxxxx
29.) Last Name: Xxxxxxx
30.) First Name: Xxxxxxxx
31.) Location: Xxxxxxxxxx
32.) City: Xxxxxxxxx
33.) State: Xxxxxxx
34.) Postal Code: xxxxx
35.) Telephone: xxx-xx-xxxx
36.) E-mail Address: xxxxxxxxxxxxxxx@xxx.xxx
37.) Add additional contract numbers: xxxxxxxxxx
38.) Add additional Point of Contact: xxxxxx
39.) NOTICE: DFARS Rule 252.204-7012 requires the preservation of all media associated with all identified targeted systems, f
40.) UNCLASSIFIED//FOR OFFICIAL USE ONLY (when filled in)
4.4.4 APPENDIX E. INSTRUCTIONS FOR SUBMITTING MEDIA
1) For those instances when the contractor can identify all the files containing unclassified controlled technical information (CT
of each file containing unclassified CTI associated with the compromise.

2) If the contractor cannot identify all the files containing unclassified CTI associated with the compromise, then the contracto
the preparation of the drive image(s) should be as follows for submission: create the image on a separate wiped hard drive, w
application or hardware that overwrites previous data with a pattern of binary data. The hard drive can be wiped with utilities
commercially available hard drive duplicators with a drive wiping feature. Suitable applications for creating drive images includ

(A) Guidance Software's EnCase (software)
(B) Access Software's FTK Imager (software)
(C) Open source dd application (software)
(D) Hard Drive Duplicator (hardware)
3) Submission of Media (as described in (1) and (2) above)
(A) Create a cover letter that includes the following information:
(i) Incident collection form report number.
(ii) Description of the type and number of media being submitted, along with make, model, and serial numbers and/or other id
(iii) Explanation of how the media relate to the cyber incident. This description should provide context to the media submissio
reported in the incident report.
(iv) MD5 hash results for each item submitted.
(B) Send the cover letter and media via registered USPS mail, FedEx, UPS, or agency drop to:
DIBCERT (DCISE MAC)
911 Elkridge Landing Rd
Linthicum, MD 21090-2993
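The drive-imaging step in (2) and the per-item MD5 hashes required for the cover letter in 3(A)(iv) can be scripted so that the hash a submitter writes down is checked against the media before it ships. The script below is an added example, not part of the DIBNet page and not DC3/DCISE tooling; it assumes GNU coreutils (dd, md5sum, find, cmp-free tr/head) on the workstation doing the imaging, and that the caller is permitted to read the source path. `is_zeroed`, `hash_manifest` and `image_and_hash` are names chosen here for illustration.

```shell
#!/bin/sh
# Added example (not from the DIBNet page): helpers for Appendix E.
#   is_zeroed DEST        - confirm the destination drive/file was wiped to zeros
#   hash_manifest DIR     - MD5 line per file, for case (1) and cover letter item (iv)
#   image_and_hash SRC IMG - dd image of SRC, verify it, write IMG.md5, for case (2)
# Assumes GNU coreutils; paths are whatever the caller may lawfully read.

# Return 0 if every byte of the file/device is 0x00. tr strips NULs, so any
# surviving byte means the target was not wiped; head stops at the first one.
is_zeroed() {
    [ -z "$(tr -d '\000' < "$1" | head -c 1)" ]
}

# Print "md5  relative/path" for each regular file under DIR, sorted by path,
# in the format `md5sum -c` accepts when run from inside DIR.
hash_manifest() {
    (cd "$1" && find . -type f -exec md5sum {} + | sort -k 2 | sed 's#  \./#  #')
}

# Image SRC to IMG with dd, then compare the MD5 of source and image and
# record the image hash in IMG.md5. Prints the hash on success.
# Returns 1 if dd fails, 2 if the hashes differ.
image_and_hash() {
    src="$1"
    img="$2"
    # bs=512 is the traditional sector size, so a whole device divides evenly.
    # conv=noerror,sync keeps reading past unreadable sectors and zero-fills
    # them so later offsets stay aligned. On a source whose size is not a
    # multiple of bs, that padding changes the image; the hash comparison
    # below is what catches it.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null || return 1
    src_md5=$(md5sum "$src" | cut -d' ' -f1)
    img_md5=$(md5sum "$img" | cut -d' ' -f1)
    printf '%s  %s\n' "$img_md5" "$(basename "$img")" > "$img.md5"
    if [ "$src_md5" != "$img_md5" ]; then
        echo "hash mismatch: source=$src_md5 image=$img_md5" >&2
        return 2
    fi
    echo "$img_md5"
}
```

Run `is_zeroed` on the destination drive before `image_and_hash`, and keep the generated `.md5` file with the image: the value in it is the one that goes on the cover letter, and `md5sum -c` against it is how the recipient can confirm the media arrived unaltered.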
