(a) Contractors and subcontractors are required to provide adequate security on all covered contractor information systems.
(b) Contractors and subcontractors are required to rapidly report cyber incidents directly to DoD at http://dibnet.dod.mil. Subcontractors provide the incident report number automatically assigned by DoD to the prime contractor. Lower-tier subcontractors likewise report the incident report number automatically assigned by DoD to their higher-tier subcontractor, until the prime contractor is reached.
(1) If a cyber incident occurs, contractors and subcontractors submit to DoD—
(i) A cyber incident report;
(ii) Malicious software, if detected and isolated; and
(iii) Media (or access to covered contractor information systems and equipment) upon request.
(2) Contracting officers shall refer to PGI 204.7303-4 (c) for instructions on contractor submissions of media and malicious software.
(c) Information shared by the contractor may include contractor attributional/ proprietary information that is not customarily shared outside of the company, and that the unauthorized use or disclosure of such information could cause substantial competitive harm to the contractor that reported the information. The Government shall protect against the unauthorized use or release of information that includes contractor attributional/proprietary information.
(d) A cyber incident that is reported by a contractor or subcontractor shall not, by itself, be interpreted as evidence that the contractor or subcontractor has failed to provide adequate security on their covered contractor information systems, or has otherwise failed to meet the requirements of the clause at 252.204-7012 , Safeguarding Covered Defense Information and Cyber Incident Reporting. When a cyber incident is reported, the contracting officer shall consult with the DoD component Chief Information Officer/cyber security office prior to assessing contractor compliance (see PGI 204.7303-3 (a)(3)). The contracting officer shall consider such cyber incidents in the context of an overall assessment of a contractor’s compliance with the requirements of the clause at 252.204-7012 .
(e) Support services contractors directly supporting Government activities related to safeguarding covered defense information and cyber incident reporting (e.g., forensic analysis, damage assessment, or other services that require access to data from another contractor) are subject to restrictions on use and disclosure of reported information.