Mandatory and Voluntary Cyber Incident Reporting

Timely reporting is critical to national security. Don’t wait.

Report a Cyber Incident
 

A DoD-Approved Medium Assurance Certificate is required to report a cyber incident

However, if you do not yet have a DoD-Approved Medium Assurance Certificate and need to report a cyber incident,
please email DC3.DCISE@us.af.mil for further assistance

DoD–Defense Industrial Base (DIB) Collaborative Information Sharing Environment (DCISE) Overview

Designated as the single focal point and data repository for DIB cyber incident reporting, as required by 10 U.S. Code Sections 391 and 393 and Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, DC3 DCISE enriches DIB reporting with all-source intelligence analysis and disseminates this information via various intelligence products, reports, and actor profiles to enable a broad range of actions against malicious cyber actors.

While reports under the DFARS clause are mandatory, additional DIB cyber activity can be reported on a voluntary basis. Voluntary reporting enables DOD and the DIB to generate insights than enable cyber action.

  • Collaborative partnership with over 1,100 Defense Contractors (DCs) and US Government (USG) agency stakeholders
  • Daily publication of actionable, relevant, and timely cyber threat indicators
  • Offers forensics, malware analysis, and cybersecurity capabilities for DIB Partners
  • Shares a significant number of cyber threat reports (hundreds annually) for both DIB and USG consumption (USG members can access via SIPRNet Intelshare)
  • Operates 24/7/365 DC3 DCISE support hotline (1-877-838-2174) to assist incident reporting and DIB and USG Partners
  • Rated at Capability Maturity Model Integration for Services (CMMI-SVC) Maturity Level 3

Explore DC3 DIB-Focused Capabilities and Resources

Cybersecurity Capabilities

DC3 cybersecurity capabilities strengthen DIB cyber resilience and reduce risk for DoD and the DIB

DCISE3: Analyzes DIB firewall traffic and delivers risk-based threat scoring, altering, and insights to reduce threat exposure. Email DC3.DCISE@us.af.mil to learn more.
DIB-VDP: Uses vetted, ethical researchers to identify and mitigate vulnerabilities on DIB public-facing assets.
Learn more about the DIB Vulnerability Disclosure Program
DC3 ENSITE: Delivers real-time threat intelligence with artificial intelligence and machine learning powered detection through a centralized dashboard, enabling Partners to inspect traffic and strengthen enterprise awareness. Explore DC3 ENSITE capabilities

Events & Webinars

DCISE offers a full spectrum of engagements designed to inform, educate, and empower DIB Partners. These include introductory briefings, technical exchanges, webinars, and regional exchanges.

Learn more about DCISE engagement opportunities

DCISE Cyber Threat Products

DCISE Cyber Threat Products assist Partners in strengthening security and protecting controlled unclassified information.

Explore DCISE Cyber Threat Products


Cyber Resilience Analysis (CRA) Self-Evaluation Tool

Level Up Your Cyber Resilience

Ready to take your cybersecurity to the next level? The Cyber Resilience Analysis (CRA) is your mission-critical tool for identifying vulnerabilities and building a fortress against cyber threats. This self-assessment dives deep into 10 key security domains, aligning with NIST CSF, NIST 800-171, and CMMC. Are you ready to defend?


Cyber Incident Reporting FAQs +
What DoD-Approved Medium Assurance Certificate is required to submit a report?+

DoD-Approved certificates to enable secure communications between the USG and industry.

A DoD-Approved Medium Assurance Certificate is required to report a cyber incident. However, if you do not yet have a DoD-approved Medium Assurance Certificate and need to report a cyber incident, please email DC3.DCISE@us.af.mil or call the DoD-Defense Industrial Base Collaborative Information Sharing Environment (DCISE) hotline at (410) 981-0104 for further assistance.

For DoD Contractors Reporting Cyber Incidents (DFARS 252.204-7012)
+

DoD contractors shall report as much of the following information as can be obtained within 72 hours of discovery of any cyber incident involving covered defense information (CDI) or the information systems which store, process, or transmit CDI. If any additional information is obtained after the initial Incident Collection Format (ICF) is submitted, you should report it via a follow-on ICF.

  1. Company name
  2. Unique Entity Identifier (UEI)
  3. Facility CAGE code
  4. Facility Clearance Level (Unclassified, Confidential, Secret, Top Secret, Not Applicable)
  5. Contract Number (Procurement Instrument Identifier (PIID))
  6. Company point of contact information (name, position, telephone, email)
  7. U.S. Government Program Manager point of contact (name, position, telephone, email)
  8. Contract number(s) or other type of agreement affected or potentially affected
  9. Contracting Officer or other type of agreement point of contact (address, position, telephone, email)
  10. Contract or other type of agreement clearance level (Unclassified, Confidential, Secret, Top Secret, Not Applicable)
  11. Impact to Covered Defense Information
  12. Ability to provide operationally critical support
  13. Date incident discovered
  14. Location(s) of compromise
  15. Incident location CAGE code
  16. DoD programs, platforms or systems involved
  17. Type of compromise (unauthorized access, unauthorized release (includes inadvertent release), unknown, not applicable)
  18. Description of technique or method used in cyber incident
  19. Incident outcome (successful compromise, failed attempt, unknown)
  20. Incident/Compromise narrative (Ex: Chronological explanation of event/incident, threat actor TTPs, indicators of compromise, targeting, mitigation strategies, and any other relevant information to assist in understanding what occurred)
  21. Any additional information

See DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting for more information.

For DoD Contractors Reporting for Prohibition on Contracting for Certain Hardware, Software, and Services
(FAR 52.204-23 and FAR 52.204-25)
+

DoD Contractors shall report as much of the following information as can be obtained to the DoD within one business day of identifying or being notified by a subcontractor that a covered article was provided to the Government during contract performance.

  1. Contract Number
  2. Order Number(s), if applicable
  3. Supplier Name
  4. Brand
  5. Model Number (Original Equipment Manufacturer (OEM) number, manufacturer part number, or wholesaler number)
  6. Item Description
  7. Any readily available information about mitigation actions undertaken or recommended

See FAR 52.204-23 Prohibition on Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab and Other Covered Entities for more information.

See FAR 52.204-25 Prohibition on Contracting for Certain Telecommunications and Video Surveillance Services or Equipment for more information.

For DoD Contractors Providing Cloud Services (DFARS 252.239-7010)
+
  1. Contract information to include contract number, USG Contracting Officer(s) contact information, contract clearance level, etc.
  2. Contact information for the impacted and reporting organizations as well as the MCND
  3. Details describing any vulnerabilities involved (e.g., Common Vulnerabilities and Exposures (CVE) identifiers)
  4. Date/Time of occurrence, including time zone
  5. Date/Time of detection and identification, including time zone
  6. Related indicators (e.g., hostnames, domain names, network traffic characteristics, registry keys, X.509 certificates, MD5 file signatures)
  7. Threat vectors, if known (see Threat Vector Taxonomy and Cause Analysis flowchart within the US-CERT Federal Incident Notification Guidelines)
  8. Prioritization factors (e.g., functional impact, information impact, and recoverability as defined flowchart within the US-CERT Federal Incident Notification Guidelines
  9. Source and Destination Internet Protocol (IP) address, port, and protocol
  10. Operating System(s) affected
  11. Mitigating factors (e.g., full disk encryption or two-factor authentication)
  12. Mitigation actions taken, if applicable
  13. System Function(s) (e.g., web server, domain controller, or workstation)
  14. Physical system location(s) (e.g., Washington DC, Los Angeles, CA)
  15. Sources, methods, or tools used to identify the incident (e.g., Intrusion Detection System or audit log analysis)
  16. Any additional information relevant to the incident and not included above

See DFARS 252.239-7010 Cloud Computing Services for more information.

For DoD Contractors Reporting Federal Acquisition Security Council (FASC) Exclusion Order Reports
(FAR Subpart 4.23)
+
  1. Company Name
  2. Unique Entity ID (UEI)
  3. Facility Commercial and Government Entity (CAGE) Code
  4. Facility clearance (If Applicable)
  5. Contract number(s), award date(s), submission number(s)
  6. Order number(s)
  7. Name of product or service provided to Government
  8. Name of covered article subject to exclusion order
  9. Name of vendor(s)
  10. Brand of covered article
  11. Model number of covered article
  12. Item description
  13. Mitigation actions
  14. Time of item prohibition in relation to contract award

See FAR Subpart 4.23 Federal Acquisition Security Council and FAR 52.204-30 Federal Acquisition Supply Chain Security Act Orders--Prohibition for more information.

For Voluntary Reporting+

DIB companies are encouraged to VOLUNTARILY report cyber threat activity they believe is valuable for the U.S. Government to analyze and share with other agencies and DIB companies. Voluntary reports enable the DoD and the DIB to better counter threat actor activity. Cyber activity other than compromises of covered defense information (CDI) and which do not adversely affect the contractor's ability to perform operationally critical support may be of interest to the DIB and DoD for situational awareness. Cyber threat activity recommended to be submitted as a voluntary report includes but is not limited to:

  • Suspected APT activity
  • Reconnaissance activities such as vulnerability scanning, exploitation attempts, etc.
  • Threat actor infrastructure
  • Network compromises NOT impacting DoD information
  • Phishing email messages
  • Suspicious files, activity, or network traffic
How can I submit malicious files for analysis to DC3? (DFARS 252.204-7012)
+

DFARS 252.204-7012 requires contractors to isolate and submit malicious files, if available, to DoD Cyber Crime Center (DC3) as part of the mandatory reporting requirements for cyber incidents. If you have a PKI certificate, you can get an Electronic Malware Submission (EMS) portal account where you will be able to submit malicious files and download the associated report once complete. Submit malicious files to EMS at https://ems.dc3on.gov. You may also request a one-time link for uploading malware by emailing DC3.DCISE@us.af.mil and including your ICF number in the subject line, or by calling (410) 981-0104. DO NOT use email to submit malicious files to DoD.

You may also request a DoD SAFE link drop via emailing DC3.DCISE@us.af.mil and including your ICF number in the subject line, or by calling (410) 981-0104.

DO NOT use email to submit malicious files to DoD.

Policy, Standards, and Resources+
DIB CS Activities and Related Policy+
  • 32 CFR Part 236: Department of Defense (DoD) Defense Industrial Base (DIB) Cybersecurity (CS) Activities
  • 32 CFR Part 2002: Controlled Unclassified Information (CUI)
  • DFARS 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting
  • DFARS 252.239-7010: Cloud Computing Services
  • DFARS 252.204-7018: Prohibition on the Acquisition of Covered Defense Telecommunications Equipment or Services
  • DFARS 252.204-7019: Notice of NIST SP 800-171 DoD Assessment Requirements
  • FAR 52.204-23: Prohibition on Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab
  • FAR 52.204-25: Prohibition on Contracting for Certain Telecommunications and Video Surveillance Services or Equipment
  • FAR 52.204-30: Federal Acquisition Supply Chain Security Act Orders—Prohibition

Cyber Maturity Model Certification (CMMC)

Defense Industrial Base Cybersecurity Assessment Center (DIBCAC)

Supplier Performance Risk System (SPRS)

Cybersecurity Standards+

NIST SP 800-171 Rev. 2: "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations"
(Note the DoD is assessing compliance against Rev 2. A transition to Rev 3 will be announced by DoD in the future.)

NIST SP 800-172: "Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171"

DoD DIB Cybersecurity Capabilities and Support+

The DoD recognizes the need to help DIB organizations improve their cybersecurity posture and operational resilience and to help the DIB protect DoD information that resides on and transits DIB information systems. A variety of services are available based on your specific needs. Visit the websites below for information about cybersecurity training, services, and products. You may also email DCISE DC3.DCISE@us.af.mil to request additional details about these to request additional details about these services.

DoD Defense Industrial Base Collaborative Information Sharing Environment (DCISE)

DCISE3:

DCISE has partnered with a service provider to offer real-time monitoring of your organization's firewall traffic, threat detection, and alerts as well as the option to block malicious traffic.

This service includes real-time network traffic monitoring for malicious sources and destinations and shares data anonymously. Malicious traffic is alerted on and, if desired, can be automatically blocked.

Email DC3.DCISE@us.af.mil for more information.

DIB-VDP:

A voluntary program for DIB companies that provides vulnerability discovery, triaging, and validation. DIB-VDP researchers reduce cyber risk by facilitating timely vulnerability remediation by the system owner. DIB-VDP leverages the proven model of DoD’s own VDP, and is a powerful way to discover vulnerabilities discovery on DIB companies' publicly accessible information systems.

Participation does not require DIB CS Program enrollment.

Email AFOSI.DC3.DIB-VDP@us.af.mil for more information.

DC3 ENSITE:

Delivers real-time threat intelligence and AI/ML-powered detection through a centralized dashboard, enabling partners to inspect traffic and strengthen enterprise awareness. DC3 analysis can enable DIB companies prevent data exfiltration and ransomware detonation before it’s too late.

Email DC3.DCISE@us.af.mil for more information.

NSA Cybersecurity Collaboration Center (CCC)

Learn more about the NSA CCC here.

Protective Domain Name System (PDNS+):

The PDNS service combines commercial cyber threat feeds and unique insights to filter external DNS queries and block known malicious or suspicious website traffic, mitigating nation-state malware, spear phishing, botnets, and more.

Attack Surface Management:

This service helps DIB customers find and fix issues before they become compromises by identifying DIB internet-facing assets, then leveraging commercial scanning services to find vulnerabilities or misconfigurations on these networks. Each customer receives a tailored report with issues to remediate, prioritized based on both severity of the vulnerability and whether or not it is being exploited.

Autonomous Penetration Testing:

Leverages AI to automate pen-testing, enabling DIB companies to identify and mitigate vulnerabilities within their internal networks. The service also provides visualizations, tailored mitigation guidance, and the ability to verify if a DIB company has implemented the suggested mitigations effectively.

Threat Intelligence Collaboration:

Stay one step ahead of the adversary through threat intelligence shared by NSA analysts.

Ransomware Resources, Services, and Support+
Miscellaneous FAQs+
I clicked on the "Report" or "Apply" button, and I got a browser error. Is the site down? +

A DoD-approved Medium Assurance Certificate is required to access these capabilities. To learn more about Medium Assurance Certificates, and to obtain one, please visit http://public.cyber.mil/eca You can also read more below.

If you do not yet have a DoD-approved Medium Assurance Certificate, please email DCISE DC3.DCISE@us.af.mil or call the DCISE hotline at (410) 981-0104 for further assistance.

Please DO NOT send any malicious files to the email address.

What is a DoD-approved Medium Assurance Certificate? +

The DoD has established the External Certification Authority (ECA) Program to support the issuance of DoD-approved identification certificates to industry partners and other external entities and organizations. DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting) requires contractors and subcontracts to obtain a DoD-Approved Medium Assurance Certificate in order to report cyber incidents.

The ECA Program is designed to provide the mechanism for these entities to securely communicate with the DoD and authenticate to DoD Information Systems. To learn more about Medium Assurance Certificates and to obtain one, please visit http://public.cyber.mil/eca.

If I need assistance from DCISE outside of normal business hours, what are my options? +

The DCISE hotline (410) 981-0104 operates 24/7. Normal, in-office operating hours for DCISE are from 6:00 A.M. to 6:00 P.M. ET.

What is the difference between a mandatory and a voluntary cyber incident report? +

Mandatory incident reporting under DFARS 252.204-7012 (Safeguarding Covered Defense Information (CDI) and Cyber Incident Reporting) is required by most DoD contracts and subcontracts that involve CDI and/or operationally critical support to DoD. Contractors must report cyber incidents that affect information systems which store, process, or transmit CDI, or the CDI information residing therein, to https://icf.dcise.cert.org/ within 72 hours of discovery. Malicious software, affected system images, packet capture, and other data relevant to the reported cyber incident must be preserved for 90 days to allow time for DoD to request the data in order to conduct a damage assessment or decline interest.

DFARS 252.204-7012 defines CDI as:

Any unclassified controlled technical information (CTI) OR other information, as described in the Controlled Unclassified Information (CUI) Registry at http://www.archives.gov/cui/registry/category-list.html, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies, and is:

  1. Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or
  2. Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.

Voluntary reporting is the primary channel for DIB Participants to share cyber threat information and indicators of compromise (IoCs) that may help the cybersecurity posture of other DIB Participants. Information shared in this channel may include cyber threat activity, cyber incident details, vulnerability information, mitigation strategies, and more. Cyber threat activity recommended to be submitted as a voluntary report includes but is not limited to:

  • Suspected Advance Persistent Threat (APT) activity
  • Compromise not impacting DoD information
  • Targeted activity
  • Vulnerability scanning and exploitation attempts
  • Phishing email messages
  • Suspicious files, activity, or network traffic
I was made aware that one of my vendors or customers suffered a cyber-attack. Can I submit a Mandatory ICF
on their behalf? +

No. DFARS 252.204-7012 requires the impacted company to submit a report on the specific cyber incident. Additionally, if a sub-contractor experiences a reportable cyber incident, the sub-contractor is required to provide the incident report number, automatically assigned by DoD, to the prime Contractor (or next higher-tier subcontractor) as soon as possible.

Can the DCISE help me with the upcoming Cybersecurity Maturity Model Certification (CMMC)?+

Contact DC3.DCISE@us.af.mil to submit a Request for Information (RFI), and we’ll help you understand how our capabilities are cross walked to support CMMC.

Do you work with any other agencies, or do I have to report to other agencies separately? +

We recommend maintaining your relationships with other agencies that you share information with and maintain any other contractual requirements you may have to share with other agencies. On the Incident Collection Format (ICF), there is also an area to let us know who else you've shared the information with. Per the DFARS 252.204-7012 clause, you do need to report any incidents involving Controlled Unclassified Information (CUI) to DCISE via the Mandatory Report ICF.

Do you share information with law enforcement agencies? +

The U.S Government and law enforcement agencies have access to mandatory reports. Voluntary reporting is anonymized and the submitter’s identity is shared with consent from the submitting company.

Contact Us

Phone: 
410-981-0104
  
Toll Free: 
1-877-838-2174

  Email: 

dc3.dcise@us.af.mil

 

Follow us on X: @DC3DCISE

 

Obtain a Medium Assurance Certificate

Required by DFARS 252.204-7012, DoD-approved certificates enable secure communications between the DIB and the DoD.

Submit Malware

Electronic Malware Submission (EMS) enables the DoD, the IC, the DIB, and other mission partners to securely submit malware and
malware artifacts for analysis via the Electronic Malware Submission (EMS) portal.