Company needs to report a cyber security incident under DFARS 252.204-7011. Reporting is required within 72 hours.
I have two questions:
Are there penalties or other adverse consequences for late reporting?
Before the Company can report, an employee must obtain a DoD-approved medium assurance certificate and this appears to take a couple days. That is a significant delay when you're sprinting toward a 72-hours deadline. Do most companies sign up for this certificate in advance? I did not see reference to it in the NIST SP 800-171.
Thanks in advance for any insight!
Best,
Nena