Code of Federal Regulations, Title 48, Part 204, Section 204.7302 Policy.

(a) DoD and its contractors and subcontractors will provide adequate security to safeguard covered defense information on their unclassified information systems from unauthorized access and disclosure.

(1) Contractors and subcontractors are required to submit to DoD--

(i) A cyber incident report;

(ii) Malicious software, if detected and isolated; and

(iii) Media (or access to covered contractor information systems and equipment) upon request.

(2) Contracting officers shall refer to PGI 204.7303-4(a)(1)(ii) for instructions on contractor submissions of media and malicious software.

(b) Subcontractors are required to rapidly report cyber incidents directly to DoD at http://dibnet.dod.mil and to the prime contractor. Subcontractors shall provide the incident report number from DoD to the prime contractor. Lower-tier subcontractors are required to likewise report the same information to their higher-tier subcontractor, until the prime contractor is reached.

(c) The Government acknowledges that information shared by the contractor under these procedures may include contractor attributional/proprietary information that is not customarily shared outside of the company, and that the unauthorized use or disclosure of such information could cause substantial competitive harm to the contractor that reported the information. The Government shall protect against the unauthorized use or release of information that includes contractor attributional/proprietary information.

(d) A cyber incident that is reported by a contractor or subcontractor shall not, by itself, be interpreted as evidence that the contractor or subcontractor has failed to provide adequate information safeguards for covered defense information on their unclassified information systems, or has otherwise failed to meet the requirements of the clause at 252.204-7012. When a cyber incident is reported, the contracting officer shall consult with the DoD component CIO/cyber security office prior to assessing contractor compliance (see PGI 204.7303-3(a)(2)). The contracting officer shall consider such cyber incidents in the context of an overall assessment of a contractor's compliance with the requirements of the clause at 252.204-7012.

(e) Support services contractors directly supporting Government activities related to safeguarding covered defense information and cyber incident reporting (e.g., providing forensic analysis services, damages assessment services, or other services that require access to data from another contractor) are subject to restrictions on use and disclosure.

[80 FR 51742, Aug. 26, 2015]