(a) Prior to initiating damage assessment activities, the contracting officer shall verify that any contract identified in the cyber incident report includes the clause at DFARS 252.204-7012. If the contracting officer determines that a contract identified in the report does not contain the clause, the contracting officer shall notify the requiring activity that damage assessment activities, if required, may be determined to constitute a change to the contract.

(b) In cases of cyber incidents involving multiple contracts, a single contracting officer will be designated to coordinate with the contractor regarding media submission (see 204.7303-3 (a)(2)).

(c) If the requiring activity requests the contracting officer to obtain media, as defined in DFARS 252.204-7012, from the contractor, the contracting officer shall—

(1) Provide a written request for the media;

(2) Provide the contractor with the “Instructions for Media Submission” document available at http://www.acq.osd.mil/dpap/dars/pgi/docs/Instructions_for_Submitting_Media.docx; and

(3) Provide a copy of the request to DC3, electronically via email at dcise@dc3.mil, and the requiring activity.

(d) If the contracting officer is notified by the requiring activity that media are not required, the contracting officer shall notify the contractor and simultaneously provide a copy of the notice to DC3 and the requiring activity.

(e) The contracting officer shall document the action taken as required by paragraph (c) or (d) of this section, in the contract file.

(f) Upon receipt of the contractor media, DC3 will confirm receipt in writing to the contractor and the requesting contracting officer.

(g) Once the requiring activity determines that the damage assessment activities are complete, the requiring activity will provide the contracting officer with a report documenting the actions taken to close out the cyber incident.