Contact us today.Phone: +1 888 776-9234Email: sales@plurilock.com

How do I report security incidents to the government?

When security incidents affect specified information provided by government customers, contractors have legal and contractual obligations to report incidents promptly. Proper incident reporting enables government agencies to assess impact on their missions, take protective actions, and coordinate response across multiple affected contractors. Understanding reporting requirements and procedures helps executives ensure their organizations meet notification obligations and maintain trust with government customers.

Answer

Report incidents within 24-72 hours to your Contracting Officer's Representative and designated security officials with incident details and affected information.

Why Government Incident Reporting Matters

Government customers need timely notification of security incidents for several reasons. Mission impact assessment allows agencies to determine whether compromised information affects ongoing operations, deployments, or national security.

Broader threat awareness since incident affecting one contractor might indicate campaign targeting multiple contractors or government agencies—early warning enables defensive actions. Coordination of response across multiple organizations if attackers used compromised information to target other contractors or government systems.

Intelligence value as incident details contribute to threat intelligence about adversary tactics, techniques, and targets. Contractual compliance verification that contractors take security seriously and meet obligations. Legal obligations under various statutes and regulations requiring notification.

Delayed or absent notification prevents government from taking protective actions, potentially causing greater damage than the initial incident.

Contractors that fail to report incidents breach contractual obligations, potentially resulting in contract termination, suspension from future contracts, or legal penalties.

Prompt, transparent incident reporting demonstrates contractor maturity and strengthens government relationships even when incidents themselves are concerning.

Contractual Reporting Requirements

Most government contracts involving specified information include security incident reporting clauses. Notification triggers typically require reporting in the following situations:

  • When unauthorized access to specified information occurs
  • When data breaches expose specified information
  • When systems processing specified information are compromised
  • When malware infections affect systems handling specified information
  • When loss or theft of devices or media containing specified information occurs

Reporting timelines vary by contract but commonly require initial notification within 24-72 hours of incident discovery, with detailed follow-up reports after investigation concludes. Required information in notifications includes:

  • Description of incident and how it occurred
  • What specified information was affected
  • What systems were compromised
  • What actions contractor took in response
  • What assistance is needed from government
  • Point of contact for follow-up

Notification methods specified in contracts might include dedicated email addresses, phone numbers, or incident reporting portals.

Organizations should review each government contract for specific reporting requirements since they vary across agencies and contract types.

Documentation of reporting including copies of notifications sent, acknowledgments received, and subsequent communications should be maintained for compliance evidence.

Who to Notify in Government Organizations

Determining correct government notification recipients can be challenging. The following contacts should be considered:

  • Contracting Officer's Representative (COR) or Technical Authority is typically primary contract contact responsible for technical oversight—they should be notified and can coordinate with other government personnel
  • Contract Security Officer if contract has designated security official, they're appropriate notification point for security incidents
  • Program Security Officer for the government program your contract supports often has broader security responsibilities
  • Government information system security officer if your work involves government IT systems, the system's security officer should be notified
  • Agency Security Operations Center or Computer Security Incident Response Team for serious incidents might need direct notification to agency security operations

If unsure who to notify, start with contracting officer's representative who can direct you to appropriate security personnel.

Organizations should maintain current contact information for government security personnel and verify contacts periodically since personnel change.

Establishing relationships with government security contacts before incidents occur facilitates smoother incident response and reporting when incidents do happen.

Canadian Centre for Cyber Security Notification

Beyond contract-specific reporting, organizations should consider reporting significant incidents to the Canadian Centre for Cyber Security.

The Cyber Centre provides cybersecurity advice, guidance, and operational services to government and critical infrastructure.

Incident reporting helps them understand threat landscape, provide warnings to other potential targets, and offer assistance to organizations responding to incidents.

Reporting is voluntary for most private sector organizations but encouraged, particularly for defense contractors given national security implications.

Contact information includes email at contact@cyber.gc.ca or phone at 1-833-CYBER-88 (1-833-292-3788). Information to provide includes:

  • Description of incident
  • Indicators of compromise (IP addresses, malware hashes, domains)
  • What sector or industry you're in
  • Whether you need assistance

The Cyber Centre treats incident reports confidentially and uses information to improve national cybersecurity awareness without disclosing source.

Benefits of reporting include potentially receiving tactical advice on response, contributing to national threat intelligence, and receiving warnings if similar attacks target other organizations.

Organizations should establish procedures for when to report incidents to Cyber Centre, recognizing that reporting to Cyber Centre doesn't substitute for contractually required notifications to specific government customers.

Privacy Breach Reporting

Incidents involving personal information trigger separate privacy breach reporting obligations.

Under Breach of Security Safeguards Regulations, organizations must report breaches to Privacy Commissioner of Canada if breach creates real risk of significant harm to individuals.

Significant harm includes bodily harm, humiliation, damage to reputation, financial loss, identity theft, negative employment or business effects, and similar harms.

Reporting must occur as soon as feasible after organization determines that breach creates real risk of significant harm. Report content must include the following information:

  • Circumstances of breach
  • Date or time period when breach occurred
  • Description of personal information involved
  • Number of affected individuals
  • Steps taken to reduce risk of harm
  • Steps individuals can take to reduce harm
  • Contact information for inquiries

Organizations must also notify affected individuals directly unless Privacy Commissioner determines notification would cause further harm. Provincial privacy regulators may have additional reporting requirements depending on jurisdiction.

Privacy breach reporting is separate from security incident reporting to government customers—incidents might trigger both obligations.

Organizations should engage privacy counsel to assess privacy breach reporting obligations when incidents involve personal information.

Initial vs Follow-Up Reporting

Incident reporting typically occurs in stages. Initial notification within contractually specified timeframe (often 24-72 hours) provides preliminary information about what is known at early stage including:

  • That incident occurred and is being investigated
  • What information or systems appear affected based on initial assessment
  • What immediate containment actions were taken
  • Contact information and expected timeline for updates

Initial reports acknowledge incidents quickly even when investigation is incomplete—don't delay notification waiting for complete information. Follow-up reporting after investigation provides detailed information including:

  • How incident occurred and root causes
  • Complete scope of compromise and information affected
  • Full timeline of adversary activities
  • Actions taken for eradication and recovery
  • Whether attacker maintained persistent access
  • Assessment of information likely exfiltrated
  • Improvements being implemented to prevent recurrence
  • Final lessons learned

Follow-up reports might be submitted days or weeks after initial notification depending on investigation complexity. Interim updates during extended investigations keep government customers informed of progress.

Organizations should clarify expected reporting cadence with government customers—some want daily updates during active incidents while others are satisfied with less frequent communication.

Information to Include in Reports

Comprehensive incident reports help government customers understand impacts. The following information should be included:

Incident description covers what type of incident occurred (malware, unauthorized access, data breach, etc.), when it was discovered, how it was discovered, and timeline of adversary activities.

Affected information specifies what specified information was involved, what contract(s) it relates to, sensitivity level, and whether classified information was also affected.

Affected systems describes what systems were compromised, what networks were affected, and whether government-owned equipment was involved.

Impact assessment explains what information adversaries likely accessed or exfiltrated, what use adversaries might make of compromised information, whether information could enable further attacks, and potential mission impacts.

Response actions details what containment, eradication, and recovery actions were taken, what external assistance was engaged (forensic investigators, law enforcement), and current status.

Root cause analysis explains how incident occurred, what vulnerabilities were exploited, and what control failures enabled compromise.

Remediation plans describes what security improvements are being implemented to prevent similar incidents.

Organizations should be thorough and transparent in reporting—attempting to minimize or conceal incident details typically backfires when government customers conduct their own assessments and discover fuller picture.

Coordinating with Law Enforcement

Serious security incidents might warrant law enforcement involvement. Criminal incidents involving theft, sabotage, espionage, or fraud are crimes warranting police or federal law enforcement notification. Relevant law enforcement agencies include:

  • RCMP National Cyber Crime Coordination Unit coordinates cyber crime investigations federally—contact through local RCMP detachments or national center
  • Canadian Security Intelligence Service (CSIS) investigates national security threats including foreign intelligence operations targeting defense contractors
  • Department of National Defence Counterintelligence may investigate incidents affecting defense information

When notifying law enforcement, coordinate with legal counsel to ensure reporting satisfies legal obligations without inadvertently creating legal risks.

Law enforcement investigations might require preserving evidence, providing access to systems, or delaying remediation actions—balance security and operational needs with investigative support.

Government customers should be informed of law enforcement involvement. Organizations should establish relationships with law enforcement cybercrime units before incidents occur—understanding investigation processes and establishing contacts facilitates coordination during actual incidents.

What Not to Do When Reporting

Several common mistakes undermine incident reporting effectiveness:

  • Delayed reporting while waiting for complete information or hoping incident will prove less serious than initially feared violates contractual obligations and prevents timely response—report promptly even if initial information is incomplete
  • Minimizing incident severity or scope to avoid consequences typically fails when investigations reveal fuller picture and creates credibility problems
  • Incomplete reporting that omits relevant details prevents effective assessment—be thorough even when information is unflattering
  • Technical jargon without explanation makes reports incomprehensible to non-technical government personnel—explain technical details in accessible language
  • Finger-pointing or blame-shifting (to vendors, subcontractors, etc.) rather than accepting responsibility damages credibility—acknowledge organizational accountability
  • Unauthorized public disclosure before government customers are notified and can coordinate messaging creates tension and potential national security risks

Organizations should focus incident reporting on providing timely, accurate, comprehensive information to enable effective response rather than managing organizational image or minimizing perceived consequences.

Incident Reporting Documentation

Organizations should maintain comprehensive incident reporting records. Documentation should include:

  • Notification log tracking all incident notifications sent including date and time sent, recipients, method of notification, and content
  • Government responses and acknowledgments documenting government questions, requests for additional information, or guidance provided
  • Follow-up communications throughout incident lifecycle
  • Decisions and approvals about reporting including assessment of reporting obligations, decisions about what to report, and management approvals
  • Supporting documentation including investigation reports, forensic findings, and remediation plans that underlie notifications
  • Contractual requirements extracted from contracts specifying reporting obligations

Records demonstrate compliance with reporting requirements during audits or disputes. Organizations should develop templates for common incident notification scenarios to ensure consistent, complete reporting.

Post-incident review should evaluate whether reporting was timely and effective, identifying improvements for future incidents.

Testing Incident Reporting Procedures

Organizations should verify incident reporting procedures work before actual incidents. Testing activities include:

  • Tabletop exercises simulate incident scenarios and practice notification procedures, identifying gaps in knowledge of reporting requirements, unclear contact information, or procedural weaknesses
  • Contact verification confirms government contact information is current and communication channels work
  • Template development creates notification templates for common incident types to speed reporting
  • Team training ensures personnel know reporting obligations, notification procedures, and information requirements
  • Process documentation captures reporting procedures in incident response plans for reference during stressful incident response
  • Annual review of contracts confirms understanding of current reporting requirements since they may change with new contracts

Testing reveals whether organizations can meet rapid notification timelines (24-72 hours) and identifies improvements needed before actual incidents create compliance pressure.

Learn More

Additional resources are available on government incident reporting:

Why Choose Plurilock for CPCSC Readiness?

Preparing for CPCSC (Canadian Program for Cyber Security Certification) demands deep knowledge of the certification framework, careful evidence preparation, and hands-on technical implementation. Plurilock delivers with compliance readiness specialists serving Canadian defense suppliers who bring proven experience guiding contractors through cybersecurity certification programs on both sides of the border.

As an established CMMC readiness provider for U.S. defense contractors, we were among the first to extend that expertise north—launching CPCSC readiness services early and serving Canadian defense suppliers from the program's earliest days. We don't conduct audits; we get you ready for them, then help you stay ready.

Why we're the superior choice:

  • First-mover CPCSC expertise: Plurilock was among the first firms to launch dedicated CPCSC readiness services—and among the first to serve clients in this practice—giving your organization a partner with real, accumulated experience preparing suppliers for certification.
  • Deep CMMC heritage: Our established U.S. defense contractor practice has guided organizations through CMMC readiness for years, and those underlying controls map closely to CPCSC—we bring battle-tested methodologies, not theory borrowed from adjacent frameworks.
  • Federal experience on both sides of the border: With extensive engagements across U.S. and Canadian federal government environments, we understand the contractual, technical, and procedural realities that shape defense supply chain compliance.
  • Readiness assessment and gap analysis: We evaluate your current posture against CPCSC requirements, identify control gaps with precision, and deliver clear, prioritized roadmaps that align remediation effort to certification level and contract obligations.
  • Strategy and execution, not just paperwork: Beyond identifying gaps, we help you execute—planning the remediation program, supporting policy and evidence development, and preparing your team and systems so that when the assessor arrives, you're ready.

CPCSC-ready—with proven defense contractor experience guiding every step.

Reach Out Now â†’

+1 (888) 776-9234 (Plurilock)
+1 (310) 530-8260 (Aurora)
+1 (613) 526-4945 (Integra)

sales@plurilock.com

Schedule a free consultation to plot a course toward CPCSC compliance.

loading...

Thank you.

A plurilock representative will contact you within one business day.

Contact Plurilock

+1 (888) 776-9234 (Plurilock)
+1 (310) 530-8260 (Aurora)
+1 (613) 526-4945 (Integra)

sales@plurilock.com

Your information is secure and will only be used to communicate about Plurilock and Plurilock services. We do not sell, rent, or share contact information with third parties. See our Privacy Policy for complete details.

More About Plurilockâ„¢ Services

Subscribe to the newsletter for Plurilock and cybersecurity news, articles, and updates.

You're on the list! Keep an eye out for news from Plurilock.