Under DFARS 252.204-7012, defense contractors must report cyber incidents involving CUI to the DoD within 72 hours of discovery. This is not 72 business hours — it is 72 consecutive hours, including weekends and holidays. Most contractors have an incident response plan document somewhere, but few have actually tested whether their team can detect, contain, and report an incident within that window.
What the Clock Actually Means
The 72-hour clock begins when you discover an incident that could affect CUI, not when you confirm a breach. If your SOC alerts on suspicious lateral movement at 2 AM Saturday, the clock starts then — not Monday morning when someone reads the alert. This means your IR plan must work outside business hours.
What Your Plan Needs
A working IR plan needs more than a document. It needs: designated responders with after-hours contact information, a clear escalation path from detection to executive notification, pre-drafted DIBnet reporting templates, procedures for preserving forensic evidence, and a lessons-learned process that feeds back into prevention.
Test It
Conduct a tabletop exercise at least annually. Pick a realistic scenario — ransomware encrypts three servers at 11 PM Friday — and walk through the response step by step. Time each phase. Can your team contain within 4 hours? Can they notify leadership within 8? Can they file with DIBnet within 72? If not, the plan needs work, and you need to know that before a real incident, not during one.
CMMCDocs includes incident ticketing with phase tracking (Detect → Contain → Eradicate → Recover → Close), action timeline logging, and a visual 72-hour countdown timer. When the clock is ticking, you need a system, not a binder.
CMMCDocs.com