Skip to main content
Compliance

Cyber incident reporting obligations for federal contractors

A cyber incident on a federal contract is not only a security event. It is a contractual reporting obligation with a clock. Here is what triggers it, how fast you report, what evidence you must preserve, and how the DoD and civilian regimes differ.

The obligation is contractual, not just technical

Most engineers meet a cyber incident as a security problem: contain it, remediate it, harden against the next one. On a federal contract it is also a reporting obligation written into the clauses you signed, and that obligation runs on a fixed clock. Miss the window, destroy the evidence, or route the report to the wrong place, and a manageable intrusion becomes a compliance failure that a contracting officer records. For a defense contractor the governing text is DFARS 252.204-7012, which requires a rapid report within 72 hours of discovery of any cyber incident. The technical response and the reporting response run in parallel from the same first minute.

THE CLOCK YOU LIVE UNDER

Under DFARS 252.204-7012, a defense contractor that discovers a cyber incident affecting a covered contractor information system or covered defense information must report it to the Department of Defense within 72 hours, through the DIBNet portal at dibnet.dod.mil. The clause is in force today for contracts that carry it.

What follows is the operator's version: what counts as a reportable incident, the DIBNet channel and the certificate it requires, the media you must preserve, how the DoD and civilian regimes differ, where the Cyber Incident Reporting for Critical Infrastructure Act stands, and how CMMC and your SPRS score intersect with all of it. It closes with a readiness checklist and the failure modes that turn an incident into a finding.

What counts as a reportable cyber incident

DFARS 252.204-7012 attaches to two things: a covered contractor information system, meaning an unclassified system that processes, stores, or transmits covered defense information, and covered defense information itself, which is the controlled unclassified information a program provides to you or that you develop in performance of the contract. A cyber incident becomes reportable when it affects one of those, or affects your ability to perform requirements designated as operationally critical support.

The reporting trigger is not forensic certainty. The clause runs on a reasonable belief that a reportable incident has occurred, and the 72-hour count begins at discovery. A routine antivirus quarantine on a workstation that never touched covered information is generally not a reportable event. Exfiltration signs, unexplained privilege escalation, or ransomware on a system inside your covered boundary generally are. When the answer is genuinely unclear, treat the question of whether covered information or a covered system was involved as the deciding line, and preserve first so you keep the option to report.

The 72-hour clock starts at discovery, not at the moment you finish understanding what happened.

The 72-hour rapid report and the DIBNet channel

Reports go to a single place: the DIBNet portal at dibnet.dod.mil. Submitting is not a phone call or an email to the contracting officer. It is a structured Incident Collection Form, and to file it your firm needs a DoD-approved medium assurance certificate. That certificate is the item most small firms discover they are missing at the worst possible moment, because obtaining one takes time and identity vetting that cannot be compressed into a 72-hour crisis.

The report asks for whatever you know at the time. If you do not yet have every field, you file with the available facts inside the window and submit follow-on reports as the picture clarifies. Reporting is not an admission of a contract breach. The clause anticipates that incidents happen and defines the cooperative process that follows one. The failure the government penalizes is the silent incident, not the reported one.

The DFARS 7012 response sequence

1
Detect. Discovery of the incident starts the reporting clock.
Hour 0
2
Assess. Scope the affected systems and any covered information.
Hours 0–72
3
Report. File the DIBNet Incident Collection Form with known facts.
Within 72h
4
Preserve. Image affected systems, hold monitoring data.
90 days
5
Cooperate. Support damage assessment, submit isolated malware to DC3.
As requested

Media preservation and imaging duties

Reporting is only the first duty. DFARS 252.204-7012 also requires you to preserve and protect images of all known affected information systems, along with all relevant monitoring and packet-capture data, for at least 90 days from the submission of the report. The purpose is to give the Department the opportunity to request the media or decline interest. This is the obligation that a fast, well-meaning remediation most often violates.

Two related duties follow. When you discover and isolate malicious software connected to the incident, you submit that sample to the DoD Cyber Crime Center under the instructions it or the contracting officer provides. You do not attach the malware to the incident report. Separately, on request, you provide the government access to additional information or equipment needed for a forensic analysis, and you support the cyber incident damage assessment that may follow. Preservation is what makes all of that possible, so the imaging step has to happen before, not after, you rebuild.

DoD reporting versus the civilian FAR picture

The mature, mandatory rapid-report regime is the DoD one. On the civilian side the baseline is FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, which applies broadly across federal contracts but sets fifteen basic safeguarding requirements without a standalone rapid-report clock of the 7012 kind. A contractor working only civilian agencies today does not automatically inherit a government-wide 72-hour clock from that clause.

That gap is what the FAR Council is moving to close. The Council published an updated governmentwide CUI proposed rule on June 23, 2026, part of the broader FAR overhaul, superseding a standalone January 2025 version. It revises its incident reporting requirement to 72 hours to align with DFARS 252.204-7012 and the critical-infrastructure statute. As of mid-2026 this is still a proposed rule, with a comment period that runs to July 23, 2026, not a binding obligation. The accurate posture: civilian CUI reporting is likely to mirror the 72-hour model, but it is not yet law, so track the final rule rather than plan against a proposal.

Where CIRCIA stands

The Cyber Incident Reporting for Critical Infrastructure Act of 2022, CIRCIA, is a separate track that reaches critical-infrastructure entities rather than flowing through the acquisition clauses. The statute directs CISA to write regulations requiring covered entities to report a covered cyber incident within 72 hours of a reasonable belief that it occurred, and to report a ransom payment within 24 hours of making it. Those numbers come from the law itself.

The timing is the part to get right. CISA published its notice of proposed rulemaking on April 4, 2024, and the comment period closed that July. As of July 2026 the final rule has not been published, and CISA extended its rulemaking timeline into 2026. CIRCIA's reporting obligations do not bind anyone until the final rule takes effect. Until then, reporting to CISA under CIRCIA is voluntary, and the operative mandatory clock for a defense contractor remains the DFARS 7012 one.

How reporting interacts with CMMC and SPRS

Incident reporting does not live alone. It sits inside the same DFARS family that governs how you attest to your security posture before award. Under DFARS 252.204-7019 and 252.204-7020, a defense offeror that must implement NIST SP 800-171 needs a current assessment, meaning not more than three years old, with its summary-level score posted in the Supplier Performance Risk System, SPRS, for each relevant covered system. A Basic Assessment is your own self-assessment against the NIST SP 800-171 DoD Assessment Methodology, and it carries a low confidence level because it is self-generated.

The Cybersecurity Maturity Model Certification program layers verification on top of that self-attestation. The 48 CFR CMMC rule became effective on November 10, 2025, implemented through DFARS 252.204-7021, and it phases in over three years. The first phase introduced Level 1 and Level 2 self-assessment requirements into new solicitations; higher-assurance work moves toward third-party Level 2 certification through a C3PAO as the phases progress, with that certification requirement widening around the program's second year. CMMC verifies that the 800-171 controls you claimed are real. It does not replace the 7012 reporting duty or change the 72-hour clock. The clean mental model: 7019 and 7020 govern what you attest, CMMC governs how that attestation is verified, and 7012 governs what you do when something goes wrong anyway.

RegimeApplies toReport clock and channelStatus (mid-2026)
DFARS 252.204-7012DoD contractors and subs handling covered defense information.72 hours of discovery, filed to DIBNet at dibnet.dod.mil.In force.
FAR 52.204-21Broadly across federal contracts (basic safeguarding).Fifteen basic safeguards; no standalone rapid-report clock.In force.
FAR CUI ruleCivilian and DoD contractors handling CUI (governmentwide).72-hour reporting proposed, aligned to 7012 and CIRCIA.Proposed; comments to Jul 23, 2026.
CIRCIACovered critical-infrastructure entities.72h covered incident, 24h ransom payment (by statute).Not yet effective; final rule pending.

Readiness that makes the obligation meetable

A small firm can meet every one of these duties, but only if the plumbing exists before an incident. The 72-hour window is not enough time to build a reporting capability from scratch, provision a certificate, and locate your logs at the same time. The readiness work is ordinary and inexpensive; the value is that it is already done when the clock starts.

  • Asset inventory. A current list of every system that stores, processes, or transmits covered information, so you can scope an incident quickly.
  • Centralized logging. Enough log retention to reconstruct what happened; without logs, you cannot assess scope inside the window.
  • A written incident-response plan. Named roles, the 72-hour clock on the first page, and the DIBNet steps spelled out.
  • A designated reporter. One accountable person, with a DoD medium assurance certificate and DIBNet access provisioned in advance.
  • A preserved-evidence procedure. Image affected systems before remediation and hold monitoring and packet data for the 90-day window.
  • A malware handling path. A defined route for submitting isolated malicious software to DC3 under its instructions.
  • A current SPRS posture. A self-assessment score no more than three years old and a maintained system security plan behind it.
  • A parallel notification path. Counsel and the contracting officer looped in alongside the DIBNet report, not as a gate before it.

Subcontractor flow-down

The reporting obligation does not stop at the prime. DFARS 252.204-7012 flows down to subcontractors whose work involves covered defense information or a covered contractor information system, and the reporting duty runs to each party directly. A subcontractor that discovers a reportable incident files its own rapid report to DoD through DIBNet, and it also provides the incident report number to the prime. A prime cannot assume a sub will report on its behalf, and a sub cannot assume the prime will report for it. If you sit in the middle of a contracting chain, confirm that the flow-down clause is present in both directions and that every party knows it holds its own certificate and its own 72-hour clock.

Do I wait until I understand the incident before reporting?

No. You report within 72 hours of discovery with the facts you have, and you file follow-on reports as more becomes known. The clock does not pause for a complete forensic picture, and a partial report inside the window is the correct move.

Is every malware alert a reportable cyber incident?

No. The reporting trigger is an incident that affects a covered contractor information system or covered defense information, or your ability to perform operationally critical support. A quarantined item on a system that never touched covered information is generally not reportable, but preserve first if you are unsure.

Does filing to DIBNet admit a contract breach?

No. The clause is built around the expectation that incidents occur and defines the cooperative process that follows one. The reported incident is the compliant path. The silent one is the violation.

Do my civilian-agency contracts carry the same 72-hour clock?

Not uniformly today. The DoD 7012 clock is specific to contracts that carry that clause. The governmentwide FAR CUI rule that would extend a comparable 72-hour duty across civilian agencies is still a proposed rule as of mid-2026. Read your clauses rather than assuming parity.

What not to do

The failure modes are predictable, and every one of them is avoidable with the readiness above in place.

  • Silent remediation. Wiping and rebuilding an affected system before you image it destroys the evidence the clause requires you to preserve for 90 days.
  • Running legal review to completion before reporting. The clock does not pause for counsel. File with available facts, then refine through follow-on reports.
  • Waiting for certainty. A reasonable belief that a reportable incident occurred is the trigger, not confirmed forensics.
  • Sending isolated malware with the incident report. Malicious software goes to DC3 under separate instructions, never inside the Incident Collection Form.
  • Leaving the reporter unprovisioned. A medium assurance certificate takes time to obtain, so acquire it before an incident, not during one.
  • Assuming someone else will report. Flow-down obligations run to each party; the prime and the sub each own a clock.

Bottom line

For a defense contractor, a cyber incident starts two responses at once: contain the intrusion and report it. DFARS 252.204-7012 sets a 72-hour clock from discovery, a DIBNet filing channel that needs a certificate you should already hold, and a 90-day evidence-preservation duty that a hasty rebuild will violate. The civilian side is converging on the same 72-hour model through the proposed FAR CUI rule, and CIRCIA will add a critical-infrastructure track once its final rule takes effect, but neither binds you the way 7012 does today. Build the readiness once, keep your SPRS posture current, confirm flow-down in both directions, and the obligation becomes a procedure you run rather than a crisis you improvise.

Frequently asked questions

How fast must a defense contractor report a cyber incident?

Within 72 hours of discovery, under DFARS 252.204-7012, filed to the DIBNet portal at dibnet.dod.mil. The count begins at discovery, and you report with available facts rather than waiting for a complete investigation.

What do I need in place to file a DIBNet report?

A DoD-approved medium assurance certificate and a DIBNet account, provisioned before an incident. The report is a structured Incident Collection Form, not an email, and the certificate can take time to obtain.

What evidence must I preserve after an incident?

Images of all known affected systems and all relevant monitoring and packet-capture data, held for at least 90 days from the report so the Department can request the media. Isolated malicious software goes separately to the DoD Cyber Crime Center.

Do civilian-agency contracts have the same reporting clock as DoD?

Not uniformly today. FAR 52.204-21 sets basic safeguarding without a 7012-style rapid-report clock. The governmentwide FAR CUI rule that would add 72-hour reporting is still a proposed rule as of mid-2026, with comments open into July.

Is CIRCIA reporting mandatory yet?

No. CIRCIA's statutory 72-hour incident and 24-hour ransom-payment duties take effect only when CISA's final rule is in force. As of July 2026 that final rule has not been published, so CIRCIA reporting remains voluntary.

How does CMMC relate to incident reporting?

CMMC verifies that your NIST SP 800-171 controls are implemented as attested in SPRS. The 48 CFR CMMC rule took effect November 10, 2025, and phases in over three years. It does not replace the DFARS 7012 reporting duty or alter the 72-hour clock.

1 business day response

Building your incident-reporting readiness?

We stand up the asset inventory, logging, IR plan, and DIBNet provisioning that make the 72-hour clock a procedure instead of a scramble.

Talk to usRead more insights →
UEI Y2JVCZXT9HP5CAGE 1AYQ0NAICS 541512SAM.GOV ACTIVE