Cyber incident 72-hour reporting requirement & medium assurance certificate requirement (DFARS 252.204-7011)


NenaLenz

Company needs to report a cyber security incident under DFARS 252.204-7011. Reporting is required within 72 hours.

I have two questions:

  1. Are there penalties or other adverse consequences for late reporting?
  2. Before the Company can report, an employee must obtain a DoD-approved medium assurance certificate and this appears to take a couple days. That is a significant delay when you're sprinting toward a 72-hour deadline. Do most companies sign up for this certificate in advance? I did not see reference to it in the NIST SP 800-171.

Thanks in advance for any insight!

Best,

Nena


Guest Vern Edwards
1 hour ago, NenaLenz said:

Company needs to report a cyber security incident under DFARS 252.204-7011.

1 hour ago, NenaLenz said:

Are there penalties or other adverse consequences for late reporting?

Are you sure the clause is 252.204-7011? In the current DFARS that number is reserved. Do you mean 252.204-7012?

You're a lawyer. The clause requires reporting of a cyber incident within 72 hours of discovery of the incident. Late reporting would be a breach of contract, wouldn't it? There are no "penalties" for breach, but there might be damages arising from untimely reporting, mightn't there? Might payment of compensation for damages be an adverse consequence, not to mention a poor past performance rating?


14 minutes ago, Vern Edwards said:

Are you sure the clause is 252.204-7011? In the current DFARS that number is reserved. Do you mean 252.204-7012?

You're a lawyer. The clause requires reporting of a cyber incident within 72 hours of discovery of the incident. Late reporting would be a breach of contract, wouldn't it? There are no "penalties" for breach, but there might be damages arising from untimely reporting, mightn't there? Might payment of compensation for damages be an adverse consequence, not to mention a poor past performance rating?

@Vern Edwards Thanks for the typo correction. Yes, it's 7012.

Agreed on your statements of general contract breach risks to late reporting.

I am not seeing any consequences specific or unique to late reporting. It sounds like there aren't any.  

 


Guest Vern Edwards
7 minutes ago, NenaLenz said:

I am not seeing any consequences specific or unique to late reporting. It sounds like there aren't any.  

I don't know of any. The clause does not specify any. That's not good news for your client.


This topic is now closed to further replies.