Skip to main content
Greypike's CMMC Knowledge Base

Welcome to the CMMC Knowledgebase. Search for CMMC, resources, tools, sources, sites, and platforms using the search box below.
We add more to the database weekly, check back often.

If you cannot find an answer then contact us or click the chat button on the lower right..

< All Topics
Print

72-Hour DoD Breach Notification: DFARS Reporting Requirements

When a cyber incident affects systems containing Controlled Unclassified Information, defense contractors have exactly 72 hours to report to the Department of Defense. This requirement, established in DFARS 252.204-7012, is one of the most critical—and most misunderstood—obligations for defense contractors.

DFARS stands for Defense Federal Acquisition Regulation Supplement—contract clauses specific to DoD contracts.

CUI stands for Controlled Unclassified Information—sensitive government data requiring protection but not classified as secret.

Missing this deadline or failing to report can result in contract termination, suspension, or debarment. Understanding what triggers reporting and how to comply is essential.

What Triggers the 72-Hour Reporting Requirement

Not every security event requires DoD notification. The requirement applies to “cyber incidents” as specifically defined:

DFARS Definition of Cyber Incident

A cyber incident means actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.

Reporting Triggers

You must report when a cyber incident affects:

  • Covered defense information (CDI) on your systems
  • Your ability to provide operationally critical support
  • Covered contractor information systems

CDI stands for Covered Defense Information—essentially CUI related to defense contracts, plus other categories of controlled technical information.

Practical Examples Requiring Notification:

  • Malware detected on systems containing CUI
  • Unauthorized access to CUI systems
  • Ransomware affecting the CUI environment
  • A successful phishing attack compromised CUI access
  • Lost or stolen device containing CUI
  • Data exfiltration from CUI systems
  • Insider threat incident involving CUI

Examples That May Not Require Notification:

  • Blocked phishing attempts with no compromise
  • Malware quarantined before system access
  • Failed login attempts
  • Incidents on systems completely separate from CUI

When in doubt, report. The DoD prefers over-reporting to under-reporting.

The 72-Hour Timeline

The clock starts when you discover the incident:

Hour 0: Discovery

The 72-hour period begins when you “discover” the cyber incident. Discovery means when you have enough information to reasonably conclude a cyber incident has occurred.

Hours 0-72: Rapid Assessment

During this period, you must:

  • Conduct initial investigation
  • Gather required reporting information
  • Preserve evidence and images
  • Prepare your submission

Hour 72: Submission Deadline

Submit your report to DC3 within 72 hours of discovery. The report does not need to be complete—preliminary information is acceptable with updates to follow.

Important Clarifications:

  • 72 hours means 72 hours, not three business days
  • Weekends and holidays count
  • You can update reports as the investigation continues
  • Late reporting is still better than no reporting

How to Report: DIBNet Portal

Reports are submitted through the DIBNet portal operated by the DoD Cyber Crime Center (DC3):

Portal Access

  • URL: dibnet.dod.mil
  • Requires account registration before the incident occurs
  • Register now—do not wait until you have an incident

Registration Requirements:

  • Organization information
  • Point of contact details
  • Contract information
  • System information

Submission Process:

  1. Log into DIBNet portal
  2. Navigate to the incident reporting section
  3. Complete required fields
  4. Attach supporting documentation
  5. Submit report
  6. Note the confirmation number for records

Required Information in Your Report

DFARS specifies minimum information to include:

Company Information

  • Company name
  • Company point of contact (name, phone, email)
  • CAGE code
  • Contract numbers affected

CAGE stands for Commercial and Government Entity—your unique identifier for government contracting.

Incident Details

  • Date incident discovered
  • Location(s) of incident
  • Type of compromise
  • Description of the technique or method used
  • Incident outcome
  • Identification of compromised systems
  • CUI involved or potentially affected
  • List of affected programs or contracts

Technical Information

  • Malware samples (if applicable)
  • Relevant monitoring or log data
  • Images of affected systems (may be required)
  • Network traffic logs
  • Forensic analysis results

Supporting Documentation

  • Timeline of events
  • Technical analysis reports
  • System inventories
  • Network diagrams (if relevant)

Preserving Evidence and Images

DFARS requires preserving evidence for 90 days:

What to Preserve:

  • System images of affected machines
  • Log files and audit records
  • Malware samples
  • Network traffic captures
  • Email headers and attachments (for phishing)
  • Physical evidence (if applicable)

Preservation Requirements:

  • Maintain for a minimum 90 days
  • Preserve in a manner that protects integrity
  • Make available to DoD upon request
  • Do not alter or destroy evidence

Image Requirements:

The DoD may request full system images. Be prepared to:

  • Create forensic images of affected systems
  • Preserve images with a chain of custody
  • Provide images to government investigators

After Initial Reporting

The initial 72-hour report is just the beginning:

Ongoing Communication

  • DC3 may request additional information
  • Respond promptly to all requests
  • Provide updates as the investigation progresses
  • Notify of significant new findings

Investigation Support

  • Support DoD damage assessment activities
  • Provide access to affected systems if requested
  • Cooperate with government investigators
  • Make personnel available for interviews

Remediation

  • Continue incident response activities
  • Implement containment and recovery
  • Address root causes
  • Strengthen controls to prevent recurrence

Contractor-to-Contractor Reporting

If you are a subcontractor, additional reporting applies:

Notify Prime Contractor

  • Report incidents to your prime contractor
  • Provide the same information as the DoD report
  • Coordinate on government communication

Flow-Down Obligations

  • Your subcontractors must report to you
  • You must report their incidents to DoD
  • Ensure subcontracts include reporting requirements

Consequences of Non-Compliance

Failure to report has serious consequences:

Contractual Consequences:

  • Breach of contract
  • Contract termination
  • Loss of future contract opportunities
  • Liability for damages

Administrative Consequences:

  • Suspension from government contracting
  • Debarment proceedings
  • False Claims Act liability (if certifying compliance)
  • Negative past performance evaluations

Practical Reality:

The government takes reporting seriously. Contractors have been suspended for failing to report incidents. The risk of non-compliance far exceeds the effort of reporting.

Preparing Before Incidents Occur

Do not wait for an incident to prepare:

Advance Preparation:

  • Register for DIBNet portal access now
  • Document your reporting procedures
  • Identify who is authorized to submit reports
  • Train personnel on reporting triggers
  • Establish relationships with IT/security resources

Information Readiness:

Maintain current records of:

  • Contract numbers with CUI involvement
  • CAGE code and company information
  • System inventories
  • Network architecture documentation
  • Points of contact for DoD communication

Response Planning:

  • Include 72-hour reporting in the incident response plan
  • Identify evidence preservation procedures
  • Establish rapid investigation capabilities
  • Plan for weekend/holiday incidents

Common Reporting Mistakes

Avoid these frequent errors:

Mistake 1: Waiting Too Long to Determine If Reporting Is Required

The clock starts at discovery, not when you complete your investigation. Report within 72 hours, even ifthe investigation is ongoing.

Mistake 2: Not Having DIBNet Access

Registering during an incident wastes precious time. Register before you need it.

Mistake 3: Under-Reporting

When uncertain whether an incident triggers reporting, err on the side of reporting. DC3 can determine if further action is needed.

Mistake 4: Destroying Evidence

Reformatting systems or deleting logs to “clean up” destroys required evidence. Preserve first, remediate second.

Mistake 5: Not Notifying Prime Contractor

Subcontractors must report to primes in addition to DoD. Failure to notify primes can damage critical business relationships.

Mistake 6: Incomplete Contract Information

Not knowing which contracts involve CUI delays in reporting. Maintain current contract inventories.

Key Takeaways

Defense contractors must report cyber incidents affecting CUI systems to the DoD Cyber Crime Center within 72 hours of discovery. Submit through the DIBNet portal at dibnet.dod.mil—register now, before you have an incident.

The 72-hour clock runs continuously, including weekends and holidays. Submit preliminary reports on time and update as the investigation continues. Preserve evidence for at least 90 days.

Failure to report can result in contract termination, suspension, or debarment. When in doubt, report.

Related Articles:

Official Sources: This article is based on DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting) and DoD Cyber Crime Center guidance.

Do you know how to report a cyber incident within 72 hours? Contact Greypike for help building incident response procedures that meet DoD requirements. Getting started with CMMC? Obolix gets you Level 1 compliant in a week or less, with templates and guidance for incident response readiness.

Table of Contents