Within Section 2, Cyber Incident Reporting, it is stated that, at a minimum, "contractual language shall ensure that all known or suspected cyber incidents involving the loss of confidentiality, integrity, or availability of data for systems operated on behalf of the Government are reported to the designated agency Computer Security Incident Response Team (CSIRT) or Security Operations Center (SOC) within the timeline agreed upon in the contract."
However, later in this section it stipulates that the contractor shall "also report the security incident to the:
Contracting Officer (CO);
Contracting Officer Representative (COR);
Chief Information Security Officer (CISO); and
Senior agency official for privacy (SAOP)."
This leaves the minimum level of communication required for cyber incident reporting unclear. Is the CSIRT / SOC the minimum level of reporting required, or is reporting to the CO, COR, CISO, and SAOP also required?
In addition, contractors will only report incidents to those points of contact (POCs) explicitly identified in contractual language. It is the responsibility of the agency to identify those POCs that require incident reporting, and to include this in contract language.