Requirements for safeguarding unclassified controlled technical information resident on or transiting through a contractor's unclassified information systems (see Safeguarding Requirements).

Reporting obligations for the compromise of unclassified controlled technical information (see Cyber Incident and Compromise Reporting).

Implementing information systems security programs with, at minimum, the specified National Institute of Standards and Technology (NIST) Special Publication security controls. If NIST controls are not used, the contractor must provide a written explanation to the DoD and apply other equivalent security measures.

Applying additional information systems security requirements if the contractor reasonably determines that they are needed based on assessed risk or vulnerability.

The Data Universal Number System (DUNS).

The contract numbers affected.

The Facility CAGE code, if the incident occurred at a location other than the prime contractor's location.

A point of contact, if different from the point of contact recorded in the System for Award Management (SAM) website.

A point of contact for the contracting officer.

The contract's clearance level.

The name of subcontractor and CAGE code, if applicable.

The DoD programs, platforms or systems involved.

The location or locations of the compromise.

The date the incident was discovered.

The type of compromise (for example, unauthorized access or inadvertent release).

A description of the technical information compromised.

Conducting further review of unclassified networks for evidence of compromise, including for example, identifying compromised computers and servers, specific data and user accounts.

Reviewing the compromised data to identify specific unclassified controlled technical information associated with DoD programs.

Preserving and protecting images of known and affected information systems and relevant monitoring or packet capture data for at least 90 days after the incident.