Cybersecurity Compliance

Cybersecurity Incident Reporting for Government Contractors

When a cyber incident affects covered defense information or contractor information systems, DFARS 252.204-7012 requires reporting to the Department of Defense within 72 hours. Missing this deadline or failing to follow proper procedures can result in contract termination and False Claims Act liability.

Bureauify Research Team

This guide covers the reporting requirements, the DIBNet portal, evidence preservation obligations, and how to prepare before an incident occurs.

100M+ government records · 300+ gov/news sources · Updated hourly

DFARS 252.204-7012 Reporting Requirements

DFARS 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting,” is the foundational clause for cybersecurity in DoD contracts. It applies to any contract or subcontract where the contractor processes, stores, or transmits covered defense information (CDI) on its information systems.

The clause has two primary requirements: first, contractors must implement the security controls in NIST SP 800-171 to protect CDI on their systems. Second, contractors must rapidly report cyber incidents that affect CDI or the contractor's information systems. The reporting obligation is absolute — there is no materiality threshold or exception for incidents deemed minor.

The clause defines a cyber incident broadly: “actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.” This encompasses not just confirmed data breaches but also suspected compromises, malware infections, unauthorized access attempts that may have succeeded, and any event that could have exposed CDI.

The 72-Hour Reporting Deadline

The 72-hour clock starts when the contractor has “adequate evidence” that a cyber incident has occurred. This is not when the incident began (which may have been weeks or months earlier) but when you first have enough information to determine that an incident likely occurred. Defining this moment precisely is important because it triggers a binding legal obligation.

Within 72 hours, you must submit a report through the DIBNet portal that includes:

  • A description of the technique or method used in the cyber incident
  • A sample of the malicious software, if applicable
  • A summary of information compromised (type, not content)
  • The affected contracts, including contract numbers
  • The contractor's point of contact for the incident
  • Identification of the affected systems and infrastructure

The 72 hours runs continuously — weekends and holidays do not pause the clock. If an incident is discovered Friday evening, the report is due Monday evening. This makes having a pre-established incident response plan critical. You cannot afford to spend the first 48 hours figuring out who to call and where to report.

What Constitutes a Reportable Incident

The threshold for reporting is deliberately low. You must report any incident that results in an actual or potentially adverse effect on CDI or the information systems that process it. When in doubt, report. Under-reporting creates far greater legal risk than over-reporting.

Clearly reportable

  • Confirmed exfiltration of CUI/CDI data
  • Ransomware on systems that handle CDI
  • Unauthorized access to CDI databases
  • Compromised credentials for CDI systems
  • Supply chain compromise affecting CDI systems
  • Advanced persistent threat (APT) activity

Report when in doubt

  • Phishing email clicked by CDI system user
  • Malware detected and removed from CDI network
  • Anomalous network traffic from CDI systems
  • Lost or stolen device with CDI access
  • Unauthorized software on CDI systems
  • Failed but sophisticated intrusion attempts

DIBNet Reporting Portal

The Defense Industrial Base Cybersecurity Program (DIB CS) operates the DIBNet portal (dibnet.dod.mil), which is the mandatory reporting channel for DFARS 7012 cyber incidents. Contractors must register on DIBNet before an incident occurs — trying to register during an active incident wastes critical hours of your 72-hour window.

Registration requires a DoD-approved medium assurance PKI certificate. The process takes approximately 2 to 4 weeks, so plan ahead. Once registered, designated personnel can submit incident reports through the portal's secure interface. The portal provides a structured form that captures all required information and generates an incident tracking number.

After submitting a report, the DoD Cyber Crime Center (DC3) may contact you for additional information, request access to forensic evidence, or dispatch a damage assessment team. Cooperating with DC3 is mandatory under the DFARS clause. DC3 may also share threat intelligence that helps you understand the nature and scope of the incident.

Preservation of Forensic Evidence

DFARS 7012 requires contractors to preserve and protect images of all known affected information systems and all relevant monitoring and packet capture data for at least 90 days from the date of the cyber incident report. This obligation applies regardless of whether you believe the incident was significant.

Forensic images must be complete disk images, not just file-level backups. They should capture the state of the system at the time of discovery, before any remediation actions alter the evidence. Network logs, SIEM alerts, firewall logs, IDS/IPS logs, email headers, and any other monitoring data related to the incident must also be preserved.

The 90-day period can be extended by DoD. If DC3 or another DoD entity notifies you that it needs additional time for damage assessment, you must continue preserving the evidence until released. Destroying evidence prematurely — even accidentally through routine log rotation — can result in adverse contract actions and potential criminal liability.

This preservation requirement has practical implications for your infrastructure: you need sufficient storage capacity for forensic images, you need monitoring tools that retain data for at least 90 days, and you need documented procedures that prevent evidence from being overwritten or deleted during the preservation period.
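One way to keep routine cleanup or log rotation from deleting held evidence, as an added example (not code from this guide or from DoD): a guard the cleanup job calls before removing anything. The host names, the 30-day routine retention, and the choice to treat shared monitoring sources (firewall, IDS, packet capture) as always relevant to an open hold are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PRESERVATION_DAYS = 90  # minimum period, counted from the incident report date


@dataclass
class Hold:
    """A preservation hold opened when an incident report is submitted."""
    report_date: date
    systems: frozenset               # known affected hosts (constructed names)
    dod_extended: bool = False       # DoD asked for more time
    released: Optional[date] = None  # date DoD released an extended hold

    def active_on(self, today: date) -> bool:
        if today < self.report_date + timedelta(days=PRESERVATION_DAYS):
            return True
        # Past 90 days: evidence stays held until DoD releases the extension.
        return self.dod_extended and (self.released is None or today < self.released)


@dataclass
class Artifact:
    path: str
    host: Optional[str]  # None = shared monitoring source (assumption)
    created: date


def may_delete(artifact, holds, today, routine_retention_days=30):
    """Return (ok_to_delete, reason) for a cleanup or log-rotation job."""
    for hold in holds:
        covered = artifact.host is None or artifact.host in hold.systems
        if covered and hold.active_on(today):
            return False, f"held for incident reported {hold.report_date}"
    if (today - artifact.created).days < routine_retention_days:
        return False, "inside routine retention"
    return True, "no active hold"


# Constructed sample data
HOLD = Hold(report_date=date(2024, 3, 1), systems=frozenset({"eng-ws-07"}))
IMAGE = Artifact("/evidence/eng-ws-07.img", "eng-ws-07", date(2024, 2, 1))
PCAP = Artifact("/pcap/2024-02-01.pcap", None, date(2024, 2, 1))
OTHER = Artifact("/logs/hr-ws-01.log", "hr-ws-01", date(2024, 2, 1))
```

A rotation job would call `may_delete` for each candidate file and skip, and log, every refusal so the hold decision itself is documented.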

Flowdown to Subcontractors

DFARS 252.204-7012 requires prime contractors to include the substance of the clause in all subcontracts (and lower-tier subcontracts) whose performance involves covered defense information or operationally critical support. This flowdown requirement extends through the entire supply chain.

Subcontractors must report cyber incidents directly to DoD through DIBNet and provide the incident report number to the prime contractor (or next-higher-tier subcontractor) as soon as practicable. This dual-reporting structure ensures that DoD receives timely notification while the prime contractor maintains awareness of incidents in its supply chain.

As a prime contractor, you have a responsibility to verify that your subcontractors understand and can comply with DFARS 7012. This means confirming that they are registered on DIBNet, that they have implemented NIST 800-171 controls, and that they have incident response plans in place. A subcontractor's failure to report an incident can expose the prime contractor to liability.

Related guides

For the underlying security framework, see our NIST 800-171 Guide and Controlled Unclassified Information (CUI) Guide.

Frequently Asked Questions

What is the 72-hour reporting requirement for cyber incidents?

Under DFARS 252.204-7012, defense contractors must report cyber incidents to the DoD within 72 hours of discovery. The clock starts when you have sufficient evidence that a cyber incident has occurred — not when the incident itself happened. The report must be submitted through the DIBNet portal (dibnet.dod.mil) and include a detailed description of the incident, the affected systems, the type of information compromised, and any actions taken in response.

What qualifies as a reportable cyber incident?

A reportable cyber incident is any action taken through the use of computer networks that results in a compromise or an actual or potentially adverse effect on a covered contractor information system or covered defense information (CDI) residing on it. This includes unauthorized access, exfiltration of data, manipulation of data, denial of service affecting CDI systems, and any malicious software found on systems that process, store, or transmit CDI.

Does DFARS 7012 apply to subcontractors?

Yes. DFARS 252.204-7012 requires prime contractors to flow down the clause to all subcontractors whose performance involves covered defense information (CDI) or operationally critical support. Subcontractors must report incidents directly to the DoD through DIBNet and notify the prime contractor as well. The flowdown requirement applies at all tiers of the supply chain, not just first-tier subcontractors.

How long must forensic evidence be preserved after a cyber incident?

Contractors must preserve and protect images of all known affected information systems and all relevant monitoring/packet capture data for at least 90 days from the date of the incident report. This evidence must be made available to DoD upon request for damage assessment purposes. The 90-day preservation period can be extended if DoD notifies the contractor that it needs additional time for its assessment.
