Incident Response Plan
Last updated: March 29, 2026 · DFARS 252.204-7012 Compliant
This document defines Ordica LLC's procedures for identifying, responding to, and reporting cybersecurity incidents. This plan satisfies the incident response requirements of NIST SP 800-171 (Section 3.6) and DFARS 252.204-7012.
1. Scope
This plan covers all Ordica systems that process, store, or transmit data on behalf of customers, including:
- API proxy and compression infrastructure
- Customer account and billing systems
- SDK distribution and key management
- Supporting infrastructure (DNS, CDN, tunnels)
2. Incident Classification
| Severity | Definition | Response Time | Examples |
|---|---|---|---|
| Critical | Active breach, data exfiltration, or system compromise | Immediate | Unauthorized access to customer data, key compromise, active exploit |
| High | Attempted breach, or vulnerability with a known exploit | < 4 hours | Failed intrusion attempts, critical CVE in a production dependency |
| Medium | Anomalous activity, policy violation | < 24 hours | Unusual traffic patterns, access control misconfiguration |
| Low | Informational, minor policy deviation | < 72 hours | Isolated failed login attempts, non-critical software update needed |
3. Incident Response Team
| Role | Responsibility | Contact |
|---|---|---|
| Incident Commander | Decision authority, customer communication, regulatory reporting | Jacob Schargus, CEO |
| Technical Lead | Investigation, containment, remediation | Engineering team |
| Communications | Customer notification, public disclosure if required | support@ordica.ai |
4. Response Phases
Phase 1: Detection & Identification
- Automated monitoring detects anomalous activity (health checks, WAF alerts, log analysis)
- Determine if the event constitutes an incident
- Assign severity level
- Begin incident log with timestamp, initial findings, and assigned personnel
Phase 2: Containment
- Isolate affected systems to prevent further damage
- Preserve evidence (logs, memory dumps, network captures)
- Revoke compromised credentials immediately
- Activate backup systems if necessary
- Do not destroy evidence in the containment process
Phase 3: Eradication
- Identify root cause and attack vector
- Remove malicious artifacts from all affected systems
- Patch vulnerabilities that enabled the incident
- Rotate all potentially compromised keys and credentials
Phase 4: Recovery
- Restore systems from known-good state
- Verify system integrity before returning to production
- Monitor for recurrence with enhanced logging
- Confirm no residual compromise
Phase 5: Post-Incident
- Conduct lessons-learned review within 5 business days
- Update security controls to prevent recurrence
- Update this plan if process gaps are identified
- Archive incident report for minimum 3 years
5. DoD Reporting Requirements (DFARS 252.204-7012)
For incidents involving Covered Defense Information (CDI) or systems that process CDI:
- 72-hour reporting: Report to DoD via the DoD Cyber Crime Center (DC3) at dibnet.dod.mil within 72 hours of discovery. The clock runs from discovery, not from confirmation of impact; submit an initial report with the information available and supplement it as the investigation progresses
- Reporting credential: Submitting a report requires a DoD-approved medium assurance certificate; obtain and maintain one before an incident occurs so that certificate provisioning does not consume the 72-hour window
- Report contents: Company name, point of contact, contract numbers affected, date discovered, location of compromise, type of compromise, description of techniques used, incident identification number (assigned by DoD on submission)
- Evidence preservation: Preserve and protect images of all known affected systems and all relevant monitoring/packet capture data for at least 90 days from submission of the cyber incident report, so that DoD can request the media or decline interest
- Malicious software: If malicious software is discovered and isolated in connection with a reported incident, submit it to DC3 in accordance with DC3's instructions
- Cooperation: Provide DoD access to additional information or equipment as necessary for forensic analysis or damage assessment
- Subcontractor flow-down: Subcontractors must report cyber incidents directly to DoD at dibnet.dod.mil and to Ordica, and provide Ordica the DoD-assigned incident report number as soon as practicable
6. Customer Notification
Affected customers will be notified within:
- Critical incidents: 24 hours of confirmation
- High incidents: 48 hours of confirmation
- Medium/Low: As appropriate, in aggregate security updates
Notification will include: nature of the incident, data potentially affected, actions taken, and recommended steps for the customer.
7. Data Preservation Architecture
Ordica's architecture limits the scope and impact of an incident by design:
- No customer message content is stored at rest — data exists only in memory during processing
- API keys are stored in encrypted vaults with TOTP-gated access
- Intellectual property is stored in hardware-encrypted containers
- Infrastructure uses FIPS 140-2 validated cryptographic modules
- All external traffic routes through Cloudflare WAF with geo-restrictions
8. Testing
This incident response plan is tested annually through:
- Tabletop exercises simulating breach scenarios
- Automated security scanning and penetration testing
- Review and update of contact information and procedures
9. Contact
To report a security incident or vulnerability:
support@ordica.ai
ordica.ai/.well-known/security.txt