A DoD-Approved Medium Assurance Certificate is required to report a cyber incident. However, if you do not yet have a DoD-approved Medium Assurance Certificate, please email DC3.DCISE@us.af.mil or call the DoD-Defense Industrial Base Collaborative Information Sharing Environment (DCISE) hotline at (410) 981-0104 for further assistance.

DoD contractors shall report as much of the following information as can be obtained to DoD within 72 hours of discovery of any cyber incident involving covered defense information (CDI) systems or CDI information contained therein. Also, if any additional information is obtained after the initial Incident Collection Format (ICF) is submitted, you can select the initial ICF in your submission history and report any new or updated information via a follow-on ICF.

1. Company name
2. Data Universal Numbering System (DUNS) Number
3. Facility CAGE code
4. Facility Clearance Level (Unclassified, Confidential, Secret, Top Secret, Not Applicable)
5. Company point of contact information (name, position, telephone, email)
6. U.S. Government Program Manager point of contact (name, position, telephone, email)
7. Contract number(s) or other type of agreement affected or potentially affected
8. Contracting Officer or other type of agreement point of contact (address, position, telephone, email)
9. Contract or other type of agreement clearance level (Unclassified, Confidential, Secret, Top Secret, Not Applicable)
10. Impact to Covered Defense Information
11. Ability to provide operationally critical support
12. Date incident discovered
13. Location(s) of compromise
14. Incident location CAGE code
15. DoD programs, platforms or systems involved
16. Type of compromise (unauthorized access, unauthorized release (includes inadvertent release), unknown, not applicable)
17. Description of technique or method used in cyber incident
18. Incident outcome (successful compromise, failed attempt, unknown)
19. Incident/Compromise narrative (Ex: Chronological explanation of event/incident, threat actor TTPs, indicators of compromise, targeting, mitigation strategies, and any other relevant information to assist in understanding what occurred)
20. Any additional information

See DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting for more information.

DoD Contractors shall report as much of the following information as can be obtained to the DoD within one business day of identifying or being notified by a subcontractor that a covered article was provided to the Government during contract performance.

1. Contract Number
2. Order Number(s), if applicable
3. Supplier Name
4. Brand
5. Model Number (Original Equipment Manufacturer (OEM) number, manufacturer part number, or wholesaler number)
6. Item Description
7. Any readily available information about mitigation actions undertaken or recommended

See FAR 52.204-23 Prohibition on Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab and Other Covered Entities for more information.

See FAR 52.204-25 Prohibition on Contracting for Certain Telecommunications and Video Surveillance Services or Equipment for more information.

1. Contract information to include contract number, USG Contracting Officer(s) contact information, contract clearance level, etc.
2. Contact information for the impacted and reporting organizations as well as the MCND
3. Details describing any vulnerabilities involved (e.g., Common Vulnerabilities and Exposures (CVE) identifiers)
4. Date/Time of occurrence, including time zone
5. Date/Time of detection and identification, including time zone
6. Related indicators (e.g., hostnames, domain names, network traffic characteristics, registry keys, X.509 certificates, MD5 file signatures)
7. Threat vectors, if known (see Threat Vector Taxonomy and Cause Analysis flowchart within the US-CERT Federal Incident Notification Guidelines)
8. Prioritization factors (e.g., functional impact, information impact, and recoverability as defined flowchart within the US-CERT Federal Incident Notification Guidelines)
9. Source and Destination Internet Protocol (IP) address, port, and protocol
10. Operating System(s) affected
11. Mitigating factors (e.g., full disk encryption or two-factor authentication)
12. Mitigation actions taken, if applicable
13. System Function(s) (e.g., web server, domain controller, or workstation)
14. Physical system location(s) (e.g., Washington DC, Los Angeles, CA)
15. Sources, methods, or tools used to identify the incident (e.g., Intrusion Detection System or audit log analysis)
16. Any additional information relevant to the incident and not included above

See DFARS 252.239-7010 Cloud Computing Services for more information.

DIB participants are encouraged to VOLUNTARILY report information to promote sharing of cyber threat information and indicators that they believe are valuable in alerting the U.S. Government and others, as appropriate in order to better counter threat actor activity. Cyber activity other than compromises of covered defense information (CDI) or do not adversely affect the contractor’s ability to perform operationally critical support may be of interest to the DIB and DoD for situational awareness purposes. Cyber threat activity recommended to be submitted as a voluntary report includes but is not limited to:

• Suspected APT activity
• Reconnaissance activities such as vulnerability scanning, exploitation attempts, etc.
• Threat actor infrastructure
• Network compromises NOT impacting DoD information
• Phishing email messages
• Suspicious files, activity, or network traffic

DFARS 252.204-7012 requires contractors to isolate and submit malicious files, if available, to DoD Cyber Crime Center (DC3) as part of the mandatory reporting requirements for cyber incidents. If you have a PKI certificate, you can get an Electronic Malware Submission (EMS) portal account where you will be able to submit malicious files and download the associated report once complete. Submit malicious files to EMS at https://ems.dc3on.gov. You may also request a DoD Safe link drop via emailing DC3.DCISE@us.af.mil and including your ICF number in the subject line, or by calling (410) 981-0104. DO NOT email malicious files to this email address.

DoD established the Defense Industrial Base (DIB) Cybersecurity (CS) Program to enhance and supplement DIB participants' capabilities to safeguard DoD information that resides on or transits DIB unclassified networks or information systems. This public-private cybersecurity partnership is designed to improve DIB network defenses, reduce damage to critical programs, and increase DoD and DIB cyber situational awareness. Under the DIB CS Program, DoD and DIB participants share unclassified and classified cyber threat information.

See 32 Code of Federal Regulations (CFR) Part 236, DoD's DIB Cybersecurity Activities for more information.

Learn more about the DoD's DIB Cybersecurity efforts here

Contact the DIB Cybersecurity Program: OSD.DIBCSIA@mail.mil, Hotline: (703) 604-3167, or Toll Free: (855) DoD-IACS

• Actionable information, mitigation, and remediation strategies
• Increases industry understanding of cyber threats as well as USG's role
• Enables Partners to better protect unclassified defense information
• Engagement opportunities at many levels between USG and DIB from the C-suite to analyst level
• Indicators and threat products informed from DIB reporting, multiple USG data streams, and industry cyber threat reports
• Collaborative partnership with USG and almost 1,000 DIB Partners
• Quarterly Program Working Groups, including Policy and Operations and Technology and Architecture, and bi-annual Technical Exchanges
• Virtual Industry Partner Exchanges (VIPEX)
• Regional Partner Exchanges (RPEX)
• Sub-Working Groups for Small Business, Cloud, and Cyber Best Practices
• One-on-One Meetings for Analyst to Analyst (A2A) and Business to Business (B2B)
• Malware analysis and Cyber Resilience Analysis (CRA)
• DCISE³ - A Free Advanced Threat Protection service to receive consolidated visibility into network traffic with cutting-edge threat intelligence integration. DCISE³ provides simple, timely, and fully automated approach to anonymous sharing and analysis of threat indicators.
• DIB-VDP - Leverages crowd-sourced white hat vulnerability researchers to identify vulnerabilities in DIB company internet-facing information systems that may otherwise have gone unnoticed and unmitigated.

Cleared DoD contractors may submit an application by clicking here. Access to DoD's DIB Cybersecurity Program application requires a DoD-approved medium assurance certificate. For information on obtaining a DoD-approved medium assurance certificate, please visit http://public.cyber.mil/eca. Also note that the online application process will only permit one application account per company. The company applicant must be a U.S. citizen and authorized to act on behalf of the company during the application process.

To be eligible to participate in this Program DoD contractors must be a cleared defense contractor (CDC) and shall:

• Have an existing Facility Clearance (FCL) granted under NISPOM (DoD 5220.22-M)
• Execute the standardized Framework Agreement (FA) with the Government

The Manufacturing Overlay was created to help secure information systems supporting manufacturing processes and was developed through a partnership with cybersecurity experts from the Defense Industrial Base (DIB) Cybersecurity (CS) Program and USG. The Manufacturing Overlay is intended to complement (and further refine) existing security control baselines; further tailoring of controls may be required for systems with additional security or operational considerations.

• Manufacturing Overlay (PDF)

The DIB Guide to Implementing the Cybersecurity Framework supports DoD's critical infrastructure responsibilities for the DIB. This Guide was developed working with our private sector partners to implement the Framework, while also incorporating the security requirements of NIST SP 800-171.

• DIB Guide to Implementing the Cybersecurity Framework (PDF)
• DIB Guide Template for Implementing Cybersecurity Framework (XLSX)