You’re more than aware of CMMC’s ever-changing nature, and we sure are too! Between publication dates, commentary periods, and everything in between, it’s hard to keep up. That’s why we wanted to give you a heads-up on the latest in DoD Land.
On top of CMMC-specific changes, certain updates in the Department of Defense (DoD) can understandably have a direct impact on Defense Industrial Base (DIB) organizations, especially when it comes to CMMC. Recently, some changes have been made to a critical requirement of CMMC: incident reporting. DIB organizations have had to say goodbye to DIBNet, so what’s here to take its place? And how could it impact your organization? Check out the rundown we put together of everything you need to know!
First, What is DIBNet?
DIBNet functioned as the 24/7 support platform for cyber incident reporting for DoD contractors. In accordance with DFARS 252.204-7012, the Defense Industrial Base (DIB) Collaborative Information Sharing Environment (DCISE) remained the designated lead for receiving incident reports. However, due to the growing complexity of cyber threats in general and a surge in reporting activity, the department has now introduced a new reporting process.
The Latest on DIBNet and Incident Reporting
Back in early June, the DoD Cyber Crime Center (DC3) announced that the department’s primary portal for reporting cyber incidents, DIBNet, would officially be decommissioned on Friday, June 6th. This was a result of a broader cost-reduction initiative, but had clear impacts on NIST 800-171, CMMC, and other related frameworks.
Implications for CMMC
With incident reporting being a pivotal requirement for multiple CMMC controls, there was a clear need to establish updated procedures and processes. Since DIBNet’s initial decommissioning, organizations need to follow a new link to be directed to the proper page for reporting cyber incidents. The link can be found here on the DC3’s website.
How to Submit a Cyber Incident Report
From the “Report a Cyber Incident” link, you’ll need to log in using a PKI certificate. You’ll go through a process that generates a standardized .xml file. This file must be submitted to DC3 via a secure channel, using either an encrypted email or the DoD SAFE platform. A DoD SAFE link can be requested by email or by calling these numbers:
Email: [email protected]
Phone: 410-981-0104
Toll Free: 1-877-838-2174
Information Needed to Submit a Cyber Incident Report
Now that you know how to submit a cyber incident report, here’s the information you’ll need to include in said report:
- Company name
- Unique Entity Identifier (UEI)
- Facility CAGE code
- Facility Clearance Level (Unclassified, Confidential, Secret, Top Secret, Not Applicable)
- Contract Number (Procurement Instrument Identifier (PIID))
- Company point of contact information (name, position, telephone, email)
- U.S. Government Program Manager point of contact (name, position, telephone, email)
- Contract number(s) or other type of agreement affected or potentially affected
- Contracting Officer or other type of agreement point of contact (address, position, telephone, email)
- Contract or other type of agreement clearance level (Unclassified, Confidential, Secret, Top Secret, Not Applicable)
- Impact to Covered Defense Information
- Ability to provide operationally critical support
- Date incident discovered
- Location(s) of compromise
- Incident location CAGE code
- DoD programs, platforms, or systems involved
- Type of compromise (unauthorized access, unauthorized release (includes inadvertent release), unknown, not applicable)
- Description of technique or method used in cyber incident
- Incident outcome (successful compromise, failed attempt, unknown)
- Incident/Compromise narrative (Ex: Chronological explanation of event/incident, threat actor TTPs, indicators of compromise, targeting, mitigation strategies, and any other relevant information to assist in understanding what occurred)
Conclusion
While this is a significant change in the incident reporting process for DIB organizations, with the right information and preparation it doesn’t have to negatively impact your CMMC journey. For more insights into the processes and steps to achieving CMMC compliance, get in touch with one of our Certified CMMC Assessors today!