
Incident Response for CMMC: The 72-Hour Clock

When a cyber incident affecting covered defense information occurs, DFARS 252.204-7012 requires you to report it to the DoD Cyber Crime Center (DC3) within 72 hours of discovery. That is not 72 business hours — it is 72 clock hours, including weekends and holidays. Your incident response plan must be designed around this timeline.

What Constitutes a Reportable Incident

Under DFARS, a cyber incident is any action taken through computer networks that results in a compromise or an actual or potentially adverse effect on a covered contractor information system or the covered defense information residing therein. This includes unauthorized access, data exfiltration, malware infection, denial of service, and any other event that compromises the confidentiality, integrity, or availability of CUI.

Not every security event is a reportable incident. A blocked phishing email is not reportable. A successful phishing attack that leads to account compromise on a system with CUI access is reportable. Your incident response plan should include clear criteria for determining reportability.

The 72-Hour Timeline

Hour 0-4: Detection and initial assessment. Your monitoring systems detect an anomaly or a user reports suspicious activity. The incident response team performs an initial triage to determine scope and severity. The key question: does this involve a system that processes, stores, or transmits CUI?

Hour 4-24: Investigation and containment. Conduct a deeper investigation. Contain the incident to prevent further damage or data loss. Preserve forensic evidence — do not wipe systems or restore from backup before capturing relevant logs, memory dumps, and disk images. Begin documenting the incident timeline.

Hour 24-48: Impact assessment and reporting preparation. Determine the extent of compromise. Identify what CUI may have been affected. Prepare the incident report for DC3 submission. The report must include the date the incident was discovered, the location and description of affected systems, the type of CUI involved, and the contractor's point of contact.

Hour 48-72: Submission and notification. Submit the incident report to DC3 via the DIBNet portal. Notify your contracting officer. Begin remediation and recovery while maintaining forensic evidence for at least 90 days as required by DFARS.
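As an added example (not code from the original post), a small Python deadline tracker that applies the rules above: the 72-hour clock runs in plain wall-clock hours across weekends, each phase of the timeline is derived from hours since discovery, evidence is held for 90 days, and the report is only "ready" once it carries the four fields the DC3 submission requires. The incident details in the sample are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

REPORT_WINDOW = timedelta(hours=72)      # DFARS 252.204-7012: 72 clock hours from discovery
EVIDENCE_RETENTION = timedelta(days=90)  # keep logs, memory dumps and disk images at least 90 days
# Fields the DC3 report must carry, as listed in the section above
REQUIRED_FIELDS = ("discovery_date", "affected_systems", "cui_type", "point_of_contact")
# Upper bound (hours since discovery) of each phase of the timeline
PHASES = ((4, "detection and initial assessment"),
          (24, "investigation and containment"),
          (48, "impact assessment and reporting preparation"),
          (72, "submission and notification"))


@dataclass
class Incident:
    discovered_at: datetime                   # must be timezone-aware
    report: dict = field(default_factory=dict)

    def __post_init__(self):
        if self.discovered_at.tzinfo is None:
            raise ValueError("discovery time must be timezone-aware")

    def at(self, hours: float) -> datetime:
        """Wall-clock time `hours` after discovery (useful when timing a drill)."""
        return self.discovered_at + timedelta(hours=hours)

    def deadline(self) -> datetime:
        # Plain clock arithmetic: weekends and holidays are never skipped
        return self.discovered_at + REPORT_WINDOW

    def evidence_hold_until(self) -> datetime:
        return self.discovered_at + EVIDENCE_RETENTION

    def phase(self, now: datetime) -> str:
        elapsed = (now - self.discovered_at) / timedelta(hours=1)
        for limit, name in PHASES:
            if elapsed < limit:
                return name
        return "OVERDUE"

    def hours_remaining(self, now: datetime) -> float:
        return (self.deadline() - now) / timedelta(hours=1)

    def missing_report_fields(self) -> list:
        return [f for f in REQUIRED_FIELDS if not self.report.get(f)]

    def ready_to_submit(self, now: datetime) -> bool:
        return not self.missing_report_fields() and now <= self.deadline()


# Constructed sample: discovered late on a Friday, so the deadline falls on Monday
EXAMPLE = Incident(datetime(2024, 3, 8, 17, 0, tzinfo=timezone.utc),
                   report={"discovery_date": "2024-03-08", "cui_type": "export-controlled drawings",
                           "affected_systems": "file server FS-01 (CUI share)"})
```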

Building Your IR Plan

Your incident response plan should be a practical document that people can actually use during a crisis, not a compliance artifact that sits in a binder. Include contact lists (who to call, in what order), roles and responsibilities, decision trees for incident classification, containment procedures by incident type, evidence preservation procedures, DC3 reporting procedures and portal access credentials, and communication templates for internal and external stakeholders.

Testing Your Plan

NIST 800-171 requires testing your incident response capability. Conduct tabletop exercises at least annually. Walk through realistic scenarios: a ransomware attack, a phishing compromise, an insider threat event. Time the exercise. Can your team get from detection to DC3 submission within 72 hours? If not, identify the bottlenecks and fix them.

Tags: Incident Response, DFARS, 72-Hour Reporting, IR Plan
