Which DoD contractors require the External Certification Authority (ECA) certificate?
For DoD contractors processing Controlled Unclassified Information (CUI), DFARS clause 252.204-7012 “Safeguarding Covered Defense Information and Cyber Incident Reporting” mandates a way to report cyber incidents. Learn how to get your ECA certificate.
The following is the medium assurance certificate requirement: “In order to report cyber incidents in accordance with this clause, the Contractor or subcontractor shall have or acquire a DoD-approved medium assurance certificate to report cyber incidents. For information on obtaining a DoD-approved medium assurance certificate, see http://iase.disa.mil/pki/eca/Pages/index.aspx.”
Who is responsible for issuing DoD ECA certificates?
There are two suppliers of DoD ECA certificates: Operational Research Consultants, Inc. (ORC), and IdenTrust, Inc. Both charge the same prices for DoD ECA certificates. IdenTrust appears to have the simpler interface, but both processes require the same information to be presented, along with a notarized form that must be snail-mailed to the issuer. The issuers require notarized forms to authenticate your organization’s identity. The entire process can take a week or more, so plan accordingly.
ECA certificate for reporting: What about your Incident Response Plan?
With the ECA certificate you will be able to report cyber incidents to the DoD. One important step for any cybersecurity program, and one required by the DoD, is to have a solid Incident Response Plan in place. If you still need to create one for your organization, you can read our blog that covers the six steps every Incident Response Plan should include.
What are the steps for procuring the ECA certificates?
Below is a set of procedures for obtaining a DoD ECA certificate to comply with the above DFARS medium assurance certificate requirement to “rapidly report” cyber incidents. The DoD ECA certificate is required to authenticate a user/machine in your organization to the DoD Incident Reporting website. NOTE: if someone in your organization has a DoD Common Access Card (CAC), you don’t need an ECA certificate; the certificates on the CAC provide all the authentication needed for the DoD.