Which DoD contractors require the medium assurance External Certification Authority (ECA) certificate?
UPDATE APRIL 2024: As of 11 April 2024, DoD contractors are no longer required to have a medium assurance ECA certificate for access to DIBNET to report cyber incidents. Instead, contractors need only have access to the DoD’s Procurement Integrated Enterprise Environment (PIEE), and the contractor will use PIEE credentials to access the DIBNET reporting site. This post contains information on how to get access to PIEE / SPRS. What follows is the older content of this blog, still relevant for contractors that would like to have an ECA certificate anyway.
For DoD contractors that process Controlled Unclassified Information (CUI), DFARS clause 252.204-7012 “Safeguarding Covered Defense Information and Cyber Incident Reporting” mandates a specific method contractors must follow to report cyber incidents. To be able to report an incident at all, the contractor must buy a “medium assurance certificate” from an approved External Certification Authority (ECA) vendor.
Download our simple guide to obtaining a medium assurance DoD (ECA) certificate
The following is the medium assurance certificate requirement in the DFARS clause:
“In order to report cyber incidents in accordance with this clause, the Contractor or subcontractor shall have or acquire a DoD-approved medium assurance certificate to report cyber incidents. For information on obtaining a DoD-approved medium assurance certificate, see https://public.cyber.mil/eca/.”
Who is responsible for issuing DoD medium assurance certificates?
There are two External Certification Authorities that can issue DoD ECA certificates: WidePoint (formerly Operational Research Consultants, Inc. (ORC)), and IdenTrust, Inc. Both offer the same prices for DoD medium assurance certificates. The IdenTrust website seems to have a simpler interface, but both ECAs will require your organization to submit the same information, as well as to “snail-mail” a notarized form to the ECA. The ECAs use these notarized forms to authenticate your organization’s identity. The entire process can take a week or more, so plan accordingly. Our downloadable guide takes you step by step through the procurement process.
Medium assurance certificate for reporting: What about your Incident Response Plan?
With the medium assurance certificate your organization will be able to report cyber incidents to the DoD, as required by the DFARS 7012 clause. One important aspect for any cybersecurity program, which happens to also be required by the DoD, is to have a solid Incident Response Plan (IRP) in place. If you still need to create an IRP for your organization, check out our blog that covers the six phases every IRP should include. To see where the ECA medium-assurance certificate falls into the Incident Response requirements for a Cybersecurity Maturity Model Certification (CMMC), check out the fourth milestone in our interactive CMMC Compliance Roadmap.
What are the steps for procuring the ECA certificates?
By filling out the form below you can download a set of procedures that details how to obtain the DoD medium assurance certificate your organization needs to comply with the DFARS requirement to “rapidly report” cyber incidents. An ECA-issued certificate is required to authenticate a user or machine in your organization to the DoD Incident Reporting website. NOTE: if someone in your organization has a DoD Common Access Card (CAC), you may not need an ECA certificate; the medium assurance certificates on the CAC provide all the authentication the DoD needs. Check that the CAC actually provides access to the reporting site, and check with your legal counsel to ensure your organization meets all the DFARS 7012 requirements.
If you want to learn more about the current DFARS/NIST 800-171/CMMC landscape, or how to build a CMMC-compliant cybersecurity program, grab a seat in one of our Workshops. Or, drop us a line; we love talking about all this stuff!
Good Hunting!
–Adam Austin
Cybersecurity Lead
Updated 11/20/2023