Cyber incident 72-hour reporting requirement & medium assurance certificate requirement (DFARS 252.204-7011)
Started by Guest · Aug 9, 2018 · 3 replies
Original post
Guest
Aug 9, 2018
Company needs to report a cyber security incident under DFARS 252.204-7011. Reporting is required within 72 hours.
I have two questions:
- Are there penalties or other adverse consequences for late reporting?
- Before the Company can report, an employee must obtain a DoD-approved medium assurance certificate, and this appears to take a couple of days. That is a significant delay when you're sprinting toward a 72-hour deadline. Do most companies sign up for this certificate in advance? I did not see any reference to it in NIST SP 800-171.
Thanks in advance for any insight!
Best,
Nena
Guest Vern Edwards
Aug 9, 2018
NenaLenz said:
Company needs to report a cyber security incident under DFARS 252.204-7011.
NenaLenz said:
Are there penalties or other adverse consequences for late reporting?
Are you sure the clause is 252.204-7011? In the current DFARS that number is reserved. Do you mean 252.204-7012?
You're a lawyer. The clause requires reporting of a cyber incident within 72 hours of discovery of the incident. Late reporting would be a breach of contract, wouldn't it? There are no "penalties" for breach, but there might be damages arising from untimely reporting, mightn't there? Might payment of compensation for damages be an adverse consequence, not to mention a poor past performance rating?
Guest
Aug 9, 2018
Vern Edwards said:
Are you sure the clause is 252.204-7011? In the current DFARS that number is reserved. Do you mean 252.204-7012?
You're a lawyer. The clause requires reporting of a cyber incident within 72 hours of discovery of the incident. Late reporting would be a breach of contract, wouldn't it? There are no "penalties" for breach, but there might be damages arising from untimely reporting, mightn't there? Might payment of compensation for damages be an adverse consequence, not to mention a poor past performance rating?
@Vern Edwards Thanks for the typo correction. Yes, it's 7012.
Agreed with your statements on the general contract-breach risks of late reporting.
I am not seeing any consequences specific or unique to late reporting. It sounds like there aren't any.
Guest Vern Edwards
Aug 9, 2018
NenaLenz said:
I am not seeing any consequences specific or unique to late reporting. It sounds like there aren't any.
I don't know of any. The clause does not specify any. That's not good news for your client.