DoD contractors shall report as much of the following information as can be obtained to DoD within 72 hours of discovery of any cyber incident.

1. Company name
2. Company point of contact information (address, position, telephone, email)
3. Data Universal Numbering System (DUNS) Number
4. Contract number(s) or other type of agreement affected or potentially affected
5. Contracting Officer or other type of agreement point of contact (address, position, telephone, email)
6. USG Program Manager point of contact (address, position, telephone, email)
7. Contract or other type of agreement clearance level (Unclassified, Confidential, Secret, Top Secret, Not applicable)
8. Facility CAGE code
9. Facility Clearance Level (Unclassified, Confidential, Secret, Top Secret, Not applicable)
10. Impact to Covered Defense Information
11. Ability to provide operationally critical support
12. Date incident discovered
13. Location(s) of compromise
14. Incident location CAGE code
15. DoD programs, platforms or systems involved
16. Type of compromise (unauthorized access, unauthorized release (includes inadvertent release), unknown, not applicable)
17. Description of technique or method used in cyber incident
18. Incident outcome (successful compromise, failed attempt, unknown)
19. Incident/Compromise narrative
20. Any additional information

1. Contract information to include contract number, USG Contracting Officer(s) contact information, contract clearance level, etc.
2. Contact information for the impacted and reporting organizations as well as the MCND
3. Details describing any vulnerabilities involved (i.e., Common Vulnerabilities and Exposures (CVE) identifiers)
4. Date/Time of occurrence, including time zone
5. Date/Time of detection and identification, including time zone
6. Related indicators (e.g. hostnames, domain names, network traffic characteristics, registry keys, X.509 certificates, MD5 file signatures)
7. Threat vectors, if known (see Threat Vector Taxonomy and Cause Analysis flowchart within the US-CERT Federal Incident Notification Guidelines)
8. Prioritization factors (i.e. functional impact, information impact, and recoverability as defined flowchart within the US-CERT Federal Incident Notification Guidelines)
9. Source and Destination Internet Protocol (IP) address, port, and protocol
10. Operating System(s) affected
11. Mitigating factors (e.g. full disk encryption or two-factor authentication)
12. Mitigation actions taken, if applicable
13. System Function(s) (e.g. web server, domain controller, or workstation)
14. Physical system location(s) (e.g., Washington DC, Los Angeles, CA)
15. Sources, methods, or tools used to identify the incident (e.g., Intrusion Detection System or audit log analysis)
16. Any additional information relevant to the incident and not included above

Contractors are encouraged to report information to promote sharing of cyber threat indicators that they believe are valuable in alerting the Government and others, as appropriate in order to better counter threat actor activity. Cyber incidents that are not compromises of covered defense information or do not adversely affect the contractor’s ability to perform operationally critical support may be of interest to the DIB and DoD for situational awareness purposes.

1. Company name
2. Company point of contact information (address, position, telephone, email)
3. Date incident discovered
4. Location(s) of incident
5. Incident location CAGE Code
6. Incident outcome (successful compromise, failed attempt, unknown)
7. Incident Resolution Date/Time
8. Detection Method
9. Type of incident (unauthorized access, unauthorized release, includes inadvertent release, unknown, not applicable)
10. Incident/Indicator Details/Narrative (including insertion of relevant indicators)
11. PII compromised or potentially compromised in the occurrence
12. Description of technique or method used
13. Was known APT involved
14. Was the incident detected by DC3/DCISE Indicator
15. Any additional information relevant to the incident