One thing is hard to argue in today’s complex cyber world:

 

Cyber incidents are part of doing business.

 

Chances are, your organization’s data will be—or already has been—breached.

 

With 92% of malware is delivered by email, it’s no surprise that cyber incidents that expose sensitive data are spreading like wildfire.

 

Most organizations focus on mitigation: you remove viruses, launch employee “don’t click” training programs, and try to secure your network from hackers.

 

Free Download: NIST 800-171 Incident Response Plan Template

 

But what is your organization doing to be ready when the inevitable happens?

 

In this article, I’m going to explain what an incident response plan is and discuss NIST incident response requirements.

 

By the end, you’ll have a better understanding of incident reporting and compliance requirements, how they apply to NIST, and what DoD contractors are required to report in the event of a cyber incident.

 

Article Navigation

 

• What Is An Incident Response Plan?
• NIST Incident Response Requirements
• What Is A Cyber Incident?
• Incident Reporting Compliance Requirements
• Who Should Report And Why?
• What Do DoD Contractors Need To Report?
• Report The Fire Before It Spreads

 

 

What Is An Incident Response Plan?

 

Are you prepared to successfully respond to incidents, whether they stem from malware, denial-of-service (DoS) attacks, stolen passwords, or lost laptops?

 

It’s one thing to have security efforts in place to protect your data, but it’s another to have incident response planning in place.

 

An incident response plan is a set of instructions designed to help IT staff identify, respond to, and recover from a security incident.

 

This plan refers to the scope of measures to be taken during an incident, not to the details of the incident itself.

 

A response plan for an incident is the instruction that the response team follows when an event occurs.

 

The purpose of an incident response plan is to protect sensitive data from a security breach, just as contingency plans are used to ensure the continuity of business processes and services during a malfunction.

 

NIST Incident Response Requirements

 

Incident response is one of the 14 requirements outlined in the National Institute of Standards and Technology’s (NIST) Special Publication (SP) 800-171—Protecting Controlled Unclassified Information (CUI) in Nonfederal Information Systems and Organizations, and enforced by the U.S. Department of Defense (DoD).

 

If your organization contracts for the government, you must implement all 14 of these requirements and security controls.

 

Simply put, if you do not comply, you risk losing your contracts, costing your organization millions of dollars in lost revenue.

 

In the article Are You Ready for NIST 800-171 Compliance Marathon?, I walked through the NIST 800-171 security requirements. Now, I will tackle what compliance requirements are required for incident reporting.

 

What Is A Cyber Incident?

 

A cyber incident is defined as actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.

 

Incident Reporting Compliance Requirements

 

According to NIST SP 800-171 section 3.6, the Incident Response family of security requirements focuses on establishing an operational incident-handling capability for organizational information systems that includes adequate:

 

• Preparation
• Detection
• Analysis
• Containment
• Recovery
• User response

 

You must acquire a medium assurance certificate to access the reporting site. So, this is the first step.

 

• Link to External Certification Authority Program 
• DoD’s Cyber Incident Reporting Page

 

Cyber incidents that impact a system within the scope of Defense Acquisition Regulations System (DFARS) must be reported within 72 hours of detection.

 

To report cyber incidents, you must have a medium assurance certificate. A review must be conducted so that the scope of the compromise can be understood.

 

At a minimum, this review must cover:

 

• Identification of affected systems
• Affected users accounts
• Affected data
• Other systems that might have been compromised

 

Who Should Report And Why?

 

• DoD contractors report cyber incidents in accordance with the DFARS Clause 252.204-7012
• DoD contractors report in accordance with other reporting requirements identified in a contract or other agreement
• DoD Cloud Service Providers report cyber incidents in accordance with clause 252.239-7010, Cloud Computing Services
• DoD’s Defense Industrial Base Cybersecurity Program (DIB CS) Participants report cyber incidents in accordance with the Framework Agreement (FA)

The DoD has the right to request further information in order to investigate the cyber incident.

 

To this end, the contractor:

 

• Should take images of affected systems and any relevant monitoring/packet capture data for at least 90 days from the submission of the cyber incident report to allow the DoD to request the media or decline interest.
• Provide access to the DoD in order to carry out forensic analysis.
• Work with the DoD to provide any additional information that is required to complete the investigation.

 

What Do DoD Contractors Need To Report?

 

DoD contractors shall report as much of the following information as can be obtained to DoD within 72 hours of discovery of any cyber incident:

 

1. Company name
2. Company point of contact information (address, position, telephone, email)
3. Data Universal Numbering System (DUNS) Number
4. Contract number(s) or other type of agreement affected or potentially affected
5. Contracting Officer or other type of agreement point of contact (address, position, telephone, email)
6. USG Program Manager point of contact (address, position, telephone, email)
7. Contract or other type of agreement clearance level (Unclassified, Confidential, Secret, Top Secret, Not applicable)
8. Facility CAGE code
9. Facility Clearance Level (Unclassified, Confidential, Secret, Top Secret, Not applicable)
10. Impact to Covered Defense Information
11. Ability to provide operationally critical support
12. Date incident discovered
13. Location(s) of compromise
14. Incident location CAGE code
15. DoD programs, platforms or systems involved
16. Type of compromise (unauthorized access, unauthorized release (includes inadvertent release), unknown, not applicable)
17. Description of technique or method used in cyber incident
18. Incident outcome (successful compromise, failed attempt, unknown)
19. Incident/Compromise narrative
20. Any additional information

 

Report the Fire Before It Spreads

 

While you may be doing what you can to prevent cyber fires from spreading and causing damage, there are procedures to follow to report the fire. If your clothes catch on fire, we all know about “Stop, Drop, and Roll.” In the case of cyber incidents, it’s more like “Stop, Assess, and Report.”

 

Knowing and implementing the NIST 800-171 requirements—all 14 of them including incident response —is not only a good way to mitigate risk and minimize data exposure but critical to maintaining your organization’s compliance and status with the federal government.

 

Related Articles

 

• How To Prevent The Top Cyber Attacks In 2020 And Beyond
• 14 Essential Network Security Policies (With Templates)
• What Is Endpoint Detection And Response (EDR)?
• Data Loss Prevention: Strategies, Best Practices, & Software
• What Is A SIEM Solution? Benefits, Tools, & Strategies