Report incidents within 24-72 hours to your Contracting Officer's Representative and designated security officials with incident details and affected information.
Government customers need timely notification of security incidents for several reasons. Mission impact assessment allows agencies to determine whether compromised information affects ongoing operations, deployments, or national security.
Broader threat awareness since incident affecting one contractor might indicate campaign targeting multiple contractors or government agencies—early warning enables defensive actions. Coordination of response across multiple organizations if attackers used compromised information to target other contractors or government systems.
Intelligence value as incident details contribute to threat intelligence about adversary tactics, techniques, and targets. Contractual compliance verification that contractors take security seriously and meet obligations. Legal obligations under various statutes and regulations requiring notification.
Delayed or absent notification prevents government from taking protective actions, potentially causing greater damage than the initial incident.
Contractors that fail to report incidents breach contractual obligations, potentially resulting in contract termination, suspension from future contracts, or legal penalties.
Prompt, transparent incident reporting demonstrates contractor maturity and strengthens government relationships even when incidents themselves are concerning.
Most government contracts involving specified information include security incident reporting clauses. Notification triggers typically require reporting in the following situations:
Reporting timelines vary by contract but commonly require initial notification within 24-72 hours of incident discovery, with detailed follow-up reports after investigation concludes. Required information in notifications includes:
Notification methods specified in contracts might include dedicated email addresses, phone numbers, or incident reporting portals.
Organizations should review each government contract for specific reporting requirements since they vary across agencies and contract types.
Documentation of reporting including copies of notifications sent, acknowledgments received, and subsequent communications should be maintained for compliance evidence.
Determining correct government notification recipients can be challenging. The following contacts should be considered:
If unsure who to notify, start with contracting officer's representative who can direct you to appropriate security personnel.
Organizations should maintain current contact information for government security personnel and verify contacts periodically since personnel change.
Establishing relationships with government security contacts before incidents occur facilitates smoother incident response and reporting when incidents do happen.
Beyond contract-specific reporting, organizations should consider reporting significant incidents to the Canadian Centre for Cyber Security.
The Cyber Centre provides cybersecurity advice, guidance, and operational services to government and critical infrastructure.
Incident reporting helps them understand threat landscape, provide warnings to other potential targets, and offer assistance to organizations responding to incidents.
Reporting is voluntary for most private sector organizations but encouraged, particularly for defense contractors given national security implications.
Contact information includes email at contact@cyber.gc.ca or phone at 1-833-CYBER-88 (1-833-292-3788). Information to provide includes:
The Cyber Centre treats incident reports confidentially and uses information to improve national cybersecurity awareness without disclosing source.
Benefits of reporting include potentially receiving tactical advice on response, contributing to national threat intelligence, and receiving warnings if similar attacks target other organizations.
Organizations should establish procedures for when to report incidents to Cyber Centre, recognizing that reporting to Cyber Centre doesn't substitute for contractually required notifications to specific government customers.
Incidents involving personal information trigger separate privacy breach reporting obligations.
Under Breach of Security Safeguards Regulations, organizations must report breaches to Privacy Commissioner of Canada if breach creates real risk of significant harm to individuals.
Significant harm includes bodily harm, humiliation, damage to reputation, financial loss, identity theft, negative employment or business effects, and similar harms.
Reporting must occur as soon as feasible after organization determines that breach creates real risk of significant harm. Report content must include the following information:
Organizations must also notify affected individuals directly unless Privacy Commissioner determines notification would cause further harm. Provincial privacy regulators may have additional reporting requirements depending on jurisdiction.
Privacy breach reporting is separate from security incident reporting to government customers—incidents might trigger both obligations.
Organizations should engage privacy counsel to assess privacy breach reporting obligations when incidents involve personal information.
Incident reporting typically occurs in stages. Initial notification within contractually specified timeframe (often 24-72 hours) provides preliminary information about what is known at early stage including:
Initial reports acknowledge incidents quickly even when investigation is incomplete—don't delay notification waiting for complete information. Follow-up reporting after investigation provides detailed information including:
Follow-up reports might be submitted days or weeks after initial notification depending on investigation complexity. Interim updates during extended investigations keep government customers informed of progress.
Organizations should clarify expected reporting cadence with government customers—some want daily updates during active incidents while others are satisfied with less frequent communication.
Comprehensive incident reports help government customers understand impacts. The following information should be included:
Incident description covers what type of incident occurred (malware, unauthorized access, data breach, etc.), when it was discovered, how it was discovered, and timeline of adversary activities.
Affected information specifies what specified information was involved, what contract(s) it relates to, sensitivity level, and whether classified information was also affected.
Affected systems describes what systems were compromised, what networks were affected, and whether government-owned equipment was involved.
Impact assessment explains what information adversaries likely accessed or exfiltrated, what use adversaries might make of compromised information, whether information could enable further attacks, and potential mission impacts.
Response actions details what containment, eradication, and recovery actions were taken, what external assistance was engaged (forensic investigators, law enforcement), and current status.
Root cause analysis explains how incident occurred, what vulnerabilities were exploited, and what control failures enabled compromise.
Remediation plans describes what security improvements are being implemented to prevent similar incidents.
Organizations should be thorough and transparent in reporting—attempting to minimize or conceal incident details typically backfires when government customers conduct their own assessments and discover fuller picture.
Serious security incidents might warrant law enforcement involvement. Criminal incidents involving theft, sabotage, espionage, or fraud are crimes warranting police or federal law enforcement notification. Relevant law enforcement agencies include:
When notifying law enforcement, coordinate with legal counsel to ensure reporting satisfies legal obligations without inadvertently creating legal risks.
Law enforcement investigations might require preserving evidence, providing access to systems, or delaying remediation actions—balance security and operational needs with investigative support.
Government customers should be informed of law enforcement involvement. Organizations should establish relationships with law enforcement cybercrime units before incidents occur—understanding investigation processes and establishing contacts facilitates coordination during actual incidents.
Several common mistakes undermine incident reporting effectiveness:
Organizations should focus incident reporting on providing timely, accurate, comprehensive information to enable effective response rather than managing organizational image or minimizing perceived consequences.
Organizations should maintain comprehensive incident reporting records. Documentation should include:
Records demonstrate compliance with reporting requirements during audits or disputes. Organizations should develop templates for common incident notification scenarios to ensure consistent, complete reporting.
Post-incident review should evaluate whether reporting was timely and effective, identifying improvements for future incidents.
Organizations should verify incident reporting procedures work before actual incidents. Testing activities include:
Testing reveals whether organizations can meet rapid notification timelines (24-72 hours) and identifies improvements needed before actual incidents create compliance pressure.
Additional resources are available on government incident reporting:
Preparing for CPCSC (Canadian Program for Cyber Security Certification) demands deep knowledge of the certification framework, careful evidence preparation, and hands-on technical implementation. Plurilock delivers with compliance readiness specialists serving Canadian defense suppliers who bring proven experience guiding contractors through cybersecurity certification programs on both sides of the border.
As an established CMMC readiness provider for U.S. defense contractors, we were among the first to extend that expertise north—launching CPCSC readiness services early and serving Canadian defense suppliers from the program's earliest days. We don't conduct audits; we get you ready for them, then help you stay ready.
Why we're the superior choice:
CPCSC-ready—with proven defense contractor experience guiding every step.
A plurilock representative will contact you within one business day.
Contact Plurilock
+1 (888) 776-9234 (Plurilock)