Which DoD contractors require the External Certification Authority (ECA) certificate?
For DoD contractors processing Controlled Unclassified Information (CUI), DFARS clause 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting,” mandates a medium assurance certificate:
“In order to report cyber incidents in accordance with this clause, the Contractor or subcontractor shall have or acquire a DoD-approved medium assurance certificate to report cyber incidents. For information on obtaining a DoD-approved medium assurance certificate, see http://iase.disa.mil/pki/eca/Pages/index.aspx.”
Who is responsible for issuing DoD ECA certificates?
There are two suppliers of DoD ECA certificates: Operational Research Consultants, Inc. (ORC), and IdenTrust, Inc. Both charge the same prices for DoD ECA certificates. IdenTrust seems to have the simpler interface, but both processes require the same information to be presented and a notarized form to be snail-mailed to the issuer. The issuers require notarized forms to authenticate your organization’s identity. The entire process can take a week or more, so plan accordingly.
What are the steps for procuring the ECA certificates?
Below is a set of procedures for obtaining a DoD ECA certificate to comply with the DFARS medium assurance certificate requirement above for “rapidly reporting” cyber incidents. The DoD ECA certificate is required to authenticate a user or machine in your organization to the DoD Incident Reporting website. NOTE: if someone in your organization has a DoD Common Access Card (CAC), you don’t need an ECA certificate; the certificates on the CAC provide all the authentication the DoD requires.