The 72-Hour Rule: Cyber Incident Reporting Under DFARS 252.204-7012
CMMC is about preventing incidents. DFARS 252.204-7012 is about what you must do when one happens anyway — and the clock is unforgiving: 72 hours. Contractors that haven't prepared the mechanics in advance routinely blow the deadline, not because they don't care, but because they're scrambling for access and evidence mid-crisis. This is the part of compliance you want fully wired up before you ever need it.
The 72-Hour Clock
DFARS 252.204-7012 requires you to rapidly report a cyber incident affecting covered defense information (CUI) or your covered contractor information systems to the Department of War within 72 hours of discovery. “Discovery” starts the clock — not full confirmation, not the end of your investigation. The moment you have reason to believe an incident occurred, the countdown is running.
How Reporting Works
- Where: the DIBNet portal at dibnet.dod.mil.
- Access: DIBNet requires a DoD-approved medium assurance PKI certificate. Acquiring one takes time — days to weeks.
- What: a defined set of incident details — affected systems, the CUI involved, and the techniques observed.
Preserve the Evidence
Reporting is only part of the duty. The clause also requires you to:
- Preserve and protect images of affected systems and relevant monitoring/packet-capture data for at least 90 days from the report, so the Department of War can request them for forensic analysis.
- Conduct a review for evidence of compromise and identify the CUI and systems involved.
- Submit malicious software to the Department of War if you isolate any in connection with the incident.
Flow-Down to Subcontractors
The reporting duty flows down to subcontractors that handle covered defense information. A sub reports its own incident to DoD through DIBNet and gives the resulting incident report number to the prime — so the obligation is satisfied at every tier of the supply chain. (For how obligations cascade, see CMMC flow-down.)
Why This Carries Real Risk
Failure to report isn't just a contractual lapse. The DOJ Civil Cyber-Fraud Initiative has explicitly targeted contractors who failed to report cyber incidents as required — making the 72-hour rule a False Claims Act exposure, not just a checkbox. (See CMMC and the False Claims Act.) Tabletop the process, assign owners, and pre-stage your DIBNet access so a bad day doesn't become a legal one.
Build the Capability, Not Just the Policy
Incident response is a full requirement family in NIST SP 800-171 — and an assessor will test whether your capability is real, not just written down. The Dragonfli Group CMMC Accelerator assesses your incident-response and reporting readiness alongside all 110 requirements, and documents it in a draft SSP reviewed by a CMMC Registered Practitioner — so the 72-hour clock is something you've rehearsed, not something you fear.