Breaches must be reported within 72 hours of discovery per DFARS 7012!
The catch? breaches must be reported to the Dibnet Portal. You must either be registered or utilize a registered Dibnet Service Provider. Both options require a proper clearance level. That is why Techni-Core has built a responsive program called Managed Compliance and Managed Cloud Compliance Services. It combines the features of Managed Services – automatic security patching and monitoring, with compliance services such as Log Data analysis, Incident Response, Dibnet portal management. Plus, we are a REGISTERED 3rd Party Service Provider with the appropriate security credentials to represent our customers on the Dibnet portal and report on their behalf. Our Managed Compliance and Managed Cloud Compliance Service packages will ensure you have eyes on your systems daily, actively managing your continuous monitoring and security logs for anomalies and vulnerabilities. If found, a technician will take immediate action to mitigate the threat and capture the required evidence for reporting to Dibnet.
We say this time and time again in all of our publications, why over-burden your already burdened IT staff? If you don’t have in-house IT staff, why burden your already burdened FSO? Compliance consultants, like Techni-Core, ensure your business operations continue as normal and your systems remain in compliance – it’s like having your own in-house IT, but without paying for benefits!
After a Cyber Incident has Occurred
After a cyber incident is discovered, have an ISSO perform a thorough forensic examination. They should be looking for any compromise of CDI including the identification the compromised information systems, logged data, and users involved. DFARS 7012 cyber incidents are to be reported via the Dibnet portal to the Defense Cyber Crime Center (DC3). Dibnet is a web portal for sharing threat information between DoD and DIB companies.
The contractor must rapidly report the cyber incident within 72 hours to the DoD via the Dibnet portal via http://Dibnet.dod.mil (and must additional contact the FBI as well to make a separate report).
From the date of submission of the Cyber Incident Report to DIB, and for a continued 90 days, the Contractor must preserve and secure images of any identified affected information systems. The Contractor must also provide, if requested by the DoD, access to all contractor information systems to comply with DoD-initiated forensic analysis.
If the contractor does not have sufficient details to adequately report the cyber incident to Dibnet, then the contractor must report what details available at the time the report was submitted. All forthcoming information can be updated as revealed into the Dibnet portal.
Access to the DFARS 7012 cyber incident reporting site, Dibnet, requires a DoD-approved medium assurance certificate. Obtaining this certificate takes time and costs money. It is best to have a designated POC who has already obtained a certificate and is pre-registered with Dibnet. DoD-approved Certification Authorities include IdenTrust and ORC. You can contract a 3rd Party Service Provider like Techni-Core – but they must have proper personnel security clearance per the DIB framework!
Compliance as a Living Entity
While we understand that achieving your DFARS 7012 compliance was a long and expensive road, you must understand that it doesn’t end there. Security patches are a daily requirement and the first line of defense against threats seeking to exploit vulnerabilities and security holes. Changes to security procedures must be maintained and updated consistently. Security log data must be logged and actively analyzed. Incidents must be immediately reported to both the FBI and DIB.
Compliance is a living, breathing organism. Cyber threats don’t stop – and they don’t disappear. They become more vigilant day by day to find security holes and vulnerabilities. Because they don’t stop, you can’t either.
The Insider Threat
It might be a strange thought – but when we speak of Insider Threats, what/who do you think of? Likely, not an employee, but that is exactly how an Insider Threat is defined. A better question is, have you ever thought that having an internal employee reviewing your security logs might be an insider threat? How so, you ask?
Imagine an employee, typically the same one responsible for maintaining the IT infrastructure of your corporation’s security posture, finds that a Cyber Incident may have occurred. Suppose this employee is concerned that reporting such an incident would cost them their job? Ah yes, my friend, that is a potential insider threat. If said employee chooses not to report this threat – or worse yet – covers the trail of a Cyber Incident, your employee, potentially unknowingly, has made themselves an insider threat to the company.
Mitigating The Insider Threat: Separation of Duties
Separation of duties helps to mitigate the potential for abuse of authorized privileges and may reduce the risk of malevolent activity without collusion. In order to mitigate an “insider threat” who may be responsible for reporting Cyber Data, we strongly recommend you hire an independent 3rd Part Service Provider, like Techni-Core, to oversee the log review process and provide co-registration and representation with the sponsoring company to provide reporting authority to Dibnet on behalf of the sponsoring company.
Examples of separation of duties include:
- Dividing mission functions and information support functions among different individuals and/or roles,
- Conducting information system support functions with different individuals
- Ensuring security personnel administering access control functions do not also administer audit functions.