The Wifcon Forums and Blogs
NenaLenz

Cyber incident 72-hour reporting requirement & medium assurance certificate requirement (DFARS 252.204-7011)

Company needs to report a cyber security incident under DFARS 252.204-7011. Reporting is required within 72 hours.

I have two questions:

  1. Are there penalties or other adverse consequences for late reporting?
  2. Before the Company can report, an employee must obtain a DoD-approved medium assurance certificate and this appears to take a couple days. That is a significant delay when you're sprinting toward a 72-hour deadline. Do most companies sign up for this certificate in advance? I did not see reference to it in the NIST SP 800-171.

Thanks in advance for any insight!

Best,

Nena

1 hour ago, NenaLenz said:

Company needs to report a cyber security incident under DFARS 252.204-7011.

1 hour ago, NenaLenz said:

Are there penalties or other adverse consequences for late reporting?

Are you sure the clause is 252.204-7011? In the current DFARS that number is reserved. Do you mean 252.204-7012?

You're a lawyer. The clause requires reporting of a cyber incident within 72 hours of discovery of the incident. Late reporting would be a breach of contract, wouldn't it? There are no "penalties" for breach, but there might be damages arising from untimely reporting, mightn't there? Might payment of compensation for damages be an adverse consequence, not to mention a poor past performance rating?

14 minutes ago, Vern Edwards said:

Are you sure the clause is 252.204-7011? In the current DFARS that number is reserved. Do you mean 252.204-7012?

You're a lawyer. The clause requires reporting of a cyber incident within 72 hours of discovery of the incident. Late reporting would be a breach of contract, wouldn't it? There are no "penalties" for breach, but there might be damages arising from untimely reporting, mightn't there? Might payment of compensation for damages be an adverse consequence, not to mention a poor past performance rating?

@Vern Edwards Thanks for the typo correction. Yes, it's 7012.

Agreed on your statements of general contract breach risks to late reporting.

I am not seeing any consequences specific or unique to late reporting. It sounds like there aren't any.  

 

7 minutes ago, NenaLenz said:

I am not seeing any consequences specific or unique to late reporting. It sounds like there aren't any.  

I don't know of any. The clause does not specify any. That's not good news for your client.
