DoW-Approved certificates to enable secure communications between the USG and industry.

A DoW-Approved Medium Assurance Certificate is required to report a cyber incident. However, if you do not yet have a DoW-approved Medium Assurance Certificate and need to report a cyber incident, please email DC3.DCISE@us.af.mil or call the DoD-Defense Industrial Base Collaborative Information Sharing Environment (DCISE) hotline at (410) 981-0104 for further assistance.

DoW contractors shall report as much of the following information as can be obtained within 72 hours of discovery of any cyber incident involving covered defense information (CDI) or the information systems which store, process, or transmit CDI. If any additional information is obtained after the initial Incident Collection Format (ICF) is submitted, you should report it via a follow-on ICF.

1. Company name
2. Unique Entity Identifier (UEI)
3. Facility CAGE code
4. Facility Clearance Level (Unclassified, Confidential, Secret, Top Secret, Not Applicable)
5. Contract Number (Procurement Instrument Identifier (PIID))
6. Company point of contact information (name, position, telephone, email)
7. U.S. Government Program Manager point of contact (name, position, telephone, email)
8. Contract number(s) or other type of agreement affected or potentially affected
9. Contracting Officer or other type of agreement point of contact (address, position, telephone, email)
10. Contract or other type of agreement clearance level (Unclassified, Confidential, Secret, Top Secret, Not Applicable)
11. Impact to Covered Defense Information
12. Ability to provide operationally critical support
13. Date incident discovered
14. Location(s) of compromise
15. Incident location CAGE code
16. DoW programs, platforms or systems involved
17. Type of compromise (unauthorized access, unauthorized release (includes inadvertent release), unknown, not applicable)
18. Description of technique or method used in cyber incident
19. Incident outcome (successful compromise, failed attempt, unknown)
20. Incident/Compromise narrative (Ex: Chronological explanation of event/incident, threat actor TTPs, indicators of compromise, targeting, mitigation strategies, and any other relevant information to assist in understanding what occurred)
21. Any additional information

See DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting for more information.

DoW Contractors shall report as much of the following information as can be obtained to the DoW within one business day of identifying or being notified by a subcontractor that a covered article was provided to the Government during contract performance.

1. Contract Number
2. Order Number(s), if applicable
3. Supplier Name
4. Brand
5. Model Number (Original Equipment Manufacturer (OEM) number, manufacturer part number, or wholesaler number)
6. Item Description
7. Any readily available information about mitigation actions undertaken or recommended

See FAR 52.204-23 Prohibition on Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab and Other Covered Entities for more information.

See FAR 52.204-25 Prohibition on Contracting for Certain Telecommunications and Video Surveillance Services or Equipment for more information.

1. Contract information to include contract number, USG Contracting Officer(s) contact information, contract clearance level, etc.
2. Contact information for the impacted and reporting organizations as well as the MCND
3. Details describing any vulnerabilities involved (e.g., Common Vulnerabilities and Exposures (CVE) identifiers)
4. Date/Time of occurrence, including time zone
5. Date/Time of detection and identification, including time zone
6. Related indicators (e.g., hostnames, domain names, network traffic characteristics, registry keys, X.509 certificates, MD5 file signatures)
7. Threat vectors, if known (see Threat Vector Taxonomy and Cause Analysis flowchart within the US-CERT Federal Incident Notification Guidelines)
8. Prioritization factors (e.g., functional impact, information impact, and recoverability as defined flowchart within the US-CERT Federal Incident Notification Guidelines
9. Source and Destination Internet Protocol (IP) address, port, and protocol
10. Operating System(s) affected
11. Mitigating factors (e.g., full disk encryption or two-factor authentication)
12. Mitigation actions taken, if applicable
13. System Function(s) (e.g., web server, domain controller, or workstation)
14. Physical system location(s) (e.g., Washington DC, Los Angeles, CA)
15. Sources, methods, or tools used to identify the incident (e.g., Intrusion Detection System or audit log analysis)
16. Any additional information relevant to the incident and not included above

See DFARS 252.239-7010 Cloud Computing Services for more information.

1. Company Name
2. Unique Entity ID (UEI)
3. Facility Commercial and Government Entity (CAGE) Code
4. Facility clearance (If Applicable)
5. Contract number(s), award date(s), submission number(s)
6. Order number(s)
7. Name of product or service provided to Government
8. Name of covered article subject to exclusion order
9. Name of vendor(s)
10. Brand of covered article
11. Model number of covered article
12. Item description
13. Mitigation actions
14. Time of item prohibition in relation to contract award

See FAR Subpart 4.23 Federal Acquisition Security Council and FAR 52.204-30 Federal Acquisition Supply Chain Security Act Orders--Prohibition for more information.

DIB companies are encouraged to VOLUNTARILY report cyber threat activity they believe is valuable for the U.S. Government to analyze and share with other agencies and DIB companies. Voluntary reports enable the DoW and the DIB to better counter threat actor activity. Cyber activity other than compromises of covered defense information (CDI) and which do not adversely affect the contractor's ability to perform operationally critical support may be of interest to the DIB and DoW for situational awareness. Cyber threat activity recommended to be submitted as a voluntary report includes but is not limited to:

• Suspected APT activity
• Reconnaissance activities such as vulnerability scanning, exploitation attempts, etc.
• Threat actor infrastructure
• Network compromises NOT impacting DoW information
• Phishing email messages
• Suspicious files, activity, or network traffic

DFARS 252.204-7012 requires contractors to isolate and submit malicious files, if available, to DoD Cyber Crime Center (DC3) as part of the mandatory reporting requirements for cyber incidents. If you have a PKI certificate, you can get an Electronic Malware Submission (EMS) portal account where you will be able to submit malicious files and download the associated report once complete. Submit malicious files to EMS at https://ems.dc3on.gov. You may also request a one-time link for uploading malware by emailing DC3.DCISE@us.af.mil and including your ICF number in the subject line, or by calling (410) 981-0104. DO NOT use email to submit malicious files to DoW.

You may also request a DoD SAFE link drop via emailing DC3.DCISE@us.af.mil and including your ICF number in the subject line, or by calling (410) 981-0104.

DO NOT use email to submit malicious files to DoW.

The Department of War finalized the CMMC 2.0 Rule, effective November 10, 2025. Starting this date, new solicitations and contracts may include CMMC requirements based on whether your organization handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).

• Level 1 – Foundational: Basic safeguarding (15 practices per FAR 52.204-21).
• Level 2 – Advanced: 110 NIST SP 800-171 requirements; protects CUI.
• Level 3 – Expert: Adds NIST SP 800-172 enhancements for high-priority CUI.
• The full crosswalk between CMMC 2.0 and NIST standards: CMMC Alignment to NIST Standards (PDF)

• Phase 1 (Nov 2025): CMMC clauses began appearing in select solicitations.
• Phase 2 (Nov 2026): Third-party assessments expand.
• Phase 3 (Nov 2027): Level 3 introduced for critical programs.
• Phase 4 (Nov 2028): Full implementation across eligible contracts.

• Identify systems handling FCI/CUI.
• Determine required CMMC level.
• Conduct gap analysis and develop POA&M.
• Record self-assessment scores in SPRS.
• Plan for C3PAO or government assessment.
• Flow-down clauses to subcontractors.

• CMMC 2.0 aligns with NIST SP 800-171 Rev 2 and NIST SP 800-172. CMMC Alignment to NIST Standards (PDF)

• Department of War Chief Information Officer (DoW CIO) CMMC Program Overview: https://dodcio.defense.gov/CMMC/
• Supplier Performance Risk System (SPRS) Portal: https://www.sprs.csd.disa.mil/
• DFARS Clause 252.204-7021: https://www.acquisition.gov/dfars/252.204-7021-contractor-compliance-cybersecurity-maturity-model-certification-level-requirements
• Full list of DoW CIO CMMC Resources and Documentation: https://dodcio.defense.gov/cmmc/Resources-Documentation/

• 32 CFR Part 236: Department of War (DoW) Defense Industrial Base (DIB) Cybersecurity (CS) Activities
• 32 CFR Part 2002: Controlled Unclassified Information (CUI)
• DFARS 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting
• DFARS 252.239-7010: Cloud Computing Services
• DFARS 252.204-7018: Prohibition on the Acquisition of Covered Defense Telecommunications Equipment or Services
• DFARS 252.204-7019: Notice of NIST SP 800-171 DoD Assessment Requirements
• FAR 52.204-23: Prohibition on Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab
• FAR 52.204-25: Prohibition on Contracting for Certain Telecommunications and Video Surveillance Services or Equipment
• FAR 52.204-30: Federal Acquisition Supply Chain Security Act Orders—Prohibition

Defense Industrial Base Cybersecurity Assessment Center (DIBCAC)

• DIBCAC Main Page

Supplier Performance Risk System (SPRS)

• SPRS Main Page
• SPRS Reference Material
•  SPRS Evaluation Criteria Manual (PDF)
• SPRS FAQs
•  Reporting NIST SP 800-171 Scores in SPRS (PDF)

NIST SP 800-171 Rev. 2: "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations"
(Note the DoW is assessing compliance against Rev 2. A transition to Rev 3 will be announced by DoW in the future.)

NIST SP 800-172: "Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171"

The DoW recognizes the need to help DIB organizations improve their cybersecurity posture and operational resilience and to help the DIB protect DoW information that resides on and transits DIB information systems. A variety of services are available based on your specific needs. Visit the websites below for information about cybersecurity training, services, and products. You may also email DCISE DC3.DCISE@us.af.mil to request additional details about these to request additional details about these services.

DoD Defense Industrial Base Collaborative Information Sharing Environment (DCISE)

DCISE³:

DCISE has partnered with a service provider to offer real-time monitoring of your organization's firewall traffic, threat detection, and alerts as well as the option to block malicious traffic.

This service includes real-time network traffic monitoring for malicious sources and destinations and shares data anonymously. Malicious traffic is alerted on and, if desired, can be automatically blocked.

Email DC3.DCISE@us.af.mil for more information.

DIB-VDP:

A voluntary program for DIB companies that provides vulnerability discovery, triaging, and validation. DIB-VDP researchers reduce cyber risk by facilitating timely vulnerability remediation by the system owner. DIB-VDP leverages the proven model of DoW’s own VDP, and is a powerful way to discover vulnerabilities discovery on DIB companies' publicly accessible information systems.

Participation does not require DoW DIB CS Program enrollment.

Email AFOSI.DC3.DIB-VDP@us.af.mil for more information.

DC3 ENSITE:

Delivers real-time threat intelligence and AI/ML-powered detection through a centralized dashboard, enabling partners to inspect traffic and strengthen enterprise awareness. DC3 analysis can enable DIB companies prevent data exfiltration and ransomware detonation before it’s too late.

Email DC3.DCISE@us.af.mil for more information.

NSA Cybersecurity Collaboration Center (CCC)

Learn more about the NSA CCC here.

Protective Domain Name System (PDNS+):

The PDNS service combines commercial cyber threat feeds and unique insights to filter external DNS queries and block known malicious or suspicious website traffic, mitigating nation-state malware, spear phishing, botnets, and more.

Attack Surface Management:

This service helps DIB customers find and fix issues before they become compromises by identifying DIB internet-facing assets, then leveraging commercial scanning services to find vulnerabilities or misconfigurations on these networks. Each customer receives a tailored report with issues to remediate, prioritized based on both severity of the vulnerability and whether or not it is being exploited.

Continuous Autonomous Penetration Testing:

Run rapid, machine-driven pen-tests against internal networks and receive tailored mitigations guidance.

Threat Intelligence Collaboration:

Stay one step ahead of the adversary through threat intelligence shared by NSA analysts.

• Stop Ransomware Guide - Cybersecurity & Infrastructure Security Agency (CISA)
• Ransomware Protection and Response - National Institute of Standards and Technology (NIST)
• Internet Crime Complaint Center (IC3) - Federal Bureau of Investigation (FBI)
•  #StopRansomware Guide (PDF) - Multi-State Information Sharing & Analysis Center (MS-ISAC)

• APEX Accelerators: No-cost guidance and support for small business (formerly Procurement Technical Assistance Program (PTAP))
• CISA Cybersecurity Evaluation Tool (CSET)
• Defense Pricing, Contacting, and Acquisition Policy (DPCAP)
• DoD Procurement Toolbox
• ND-ISAC: C3PAO Shopping Guide
•  ND-ISAC: SMB Supply Chain Handbook (PDF)
• NIST Manufacturing Extension Partnership (MEP)
• Cyber Resilient Weapon Systems Body of Knowledge (CRWS-BOK) Portal

A DoW-approved Medium Assurance Certificate is required to access these capabilities. ECA Certificates are obtained directly from the vendors please visit IdenTrust, Inc. or WidePoint (formerly ORC)

If you do not yet have a DoW-approved Medium Assurance Certificate, please email DCISE DC3.DCISE@us.af.mil or call the DCISE hotline at (410) 981-0104 for further assistance.

Please DO NOT send any malicious files to the email address.

The DoW has established the External Certification Authority (ECA) Program to support the issuance of DoW-approved identification certificates to industry partners and other external entities and organizations. DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting) requires contractors and subcontracts to obtain a DoW-Approved Medium Assurance Certificate in order to report cyber incidents.

The ECA Program is designed to provide the mechanism for these entities to securely communicate with the DoW and authenticate to DoW Information Systems. ECA Certificates are obtained directly from the vendors: IdenTrust or WidePoint (formerly ORC).

The DCISE hotline (410) 981-0104 operates 24/7. Normal, in-office operating hours for DCISE are Monday-Friday from 6:00A.M. to 6:00 P.M. ET.

Mandatory incident reporting under DFARS 252.204-7012 (Safeguarding Covered Defense Information (CDI) and Cyber Incident Reporting) is required by most DoW contracts and subcontracts that involve CDI and/or operationally critical support to DoW. Contractors must report cyber incidents that affect information systems which store, process, or transmit CDI, or the CDI information residing therein, to https://icf.dcise.cert.org/ within 72 hours of discovery. Malicious software, affected system images, packet capture, and other data relevant to the reported cyber incident must be preserved for 90 days to allow time for DoW to request the data in order to conduct a damage assessment or decline interest.

DFARS 252.204-7012 defines CDI as:

Any unclassified controlled technical information (CTI) OR other information, as described in the Controlled Unclassified Information (CUI) Registry at http://www.archives.gov/cui/registry/category-list.html, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies, and is:

1. Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoW in support of the performance of the contract; or
2. Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.

Voluntary reporting is the primary channel for DIB Participants to share cyber threat information and indicators of compromise (IoCs) that may help the cybersecurity posture of other DIB Participants. Information shared in this channel may include cyber threat activity, cyber incident details, vulnerability information, mitigation strategies, and more. Cyber threat activity recommended to be submitted as a voluntary report includes but is not limited to:

• Suspected Advance Persistent Threat (APT) activity
• Compromise not impacting DoW information
• Targeted activity
• Vulnerability scanning and exploitation attempts
• Phishing email messages
• Suspicious files, activity, or network traffic

No. DFARS 252.204-7012 requires the impacted company to submit a report on the specific cyber incident. Additionally, if a sub-contractor experiences a reportable cyber incident, the sub-contractor is required to provide the incident report number, automatically assigned by DoW, to the prime Contractor (or next higher-tier subcontractor) as soon as possible.

Contact DC3.DCISE@us.af.mil to submit a Request for Information (RFI), and we’ll help you understand how our capabilities are cross walked to support CMMC.

We recommend maintaining your relationships with other agencies that you share information with and maintain any other contractual requirements you may have to share with other agencies. On the Incident Collection Format (ICF), there is also an area to let us know who else you've shared the information with. Per the DFARS 252.204-7012 clause, you do need to report any incidents involving Controlled Unclassified Information (CUI) to DCISE via the Mandatory Report ICF.

The U.S Government and law enforcement agencies have access to mandatory reports. Voluntary reporting is anonymized and the submitter’s identity is shared with consent from the submitting company.