For DoD contractors processing Controlled Unclassified Information (CUI), DFARS clause 252.204-7012 'Safeguarding Covered Defense Information and Cyber Incident Reporting' requires a medium assurance certificate:
'In order to report cyber incidents in accordance with this clause, the Contractor or subcontractor shall have or acquire a DoD-approved medium assurance certificate to report cyber incidents. For information on obtaining a DoD-approved medium assurance certificate, see http://iase.disa.mil/pki/eca/Pages/index.aspx.'
Below is a set of procedures for obtaining an External Certificate Authority (ECA) certificate to comply with the above DFARS medium assurance certificate requirement to 'rapidly report' cyber incidents. The ECA certificate is required to authenticate a user/machine in your organization to the DoD Incident Reporting website. NOTE: if someone in your organization has a DoD Common Access Card (CAC), you don't need an ECA certificate; the certificates on the CAC provide all the authentication needed for the DoD.
There are two suppliers of ECA certificates: Operational Research Consultants, Inc. (ORC), and IdenTrust, Inc. Both offer the same prices for ECA certificates. IdenTrust seems to have the simpler interface, but both processes require the same information to be presented, and a notarized form to be snail-mailed to the supplier. The suppliers require notarized forms to authenticate your organization's identity. The entire process can take a week or more, so plan accordingly.