Incident Response

Reporting Cyber Incidents Under DFARS 7012

DFARS 252.204-7012 is best known for mandating NIST 800-171, but it also gives you 72 hours to report cyber incidents to the DoD. Miss the window or mishandle evidence and a technical crisis becomes a False Claims Act problem.

What counts as a reportable cyber incident

DFARS 7012 defines a cyber incident as actions through computer networks that result in a compromise — or potentially adverse effect — on an information system or the data residing in it. You must report when an incident affects:

  1. A covered contractor information system that processes, stores, or transmits CDI.
  2. The covered defense information (CDI) itself.
  3. Your ability to deliver operationally critical support specified in the contract.

Reportable vs. non-reportable

Reportable examples:

  • Ransomware on a file server holding CUI — even with no confirmed exfiltration.
  • Business email compromise of an engineer with CUI in their inbox.
  • Unencrypted laptop with CUI stolen from an employee's vehicle.
  • ITAR data inadvertently shared to a public SharePoint and accessed externally.
  • Departing employee copies CUI to a personal USB drive.

Not reportable (under DFARS — other rules may still apply):

  • Firewall blocks a malicious scan; no compromise.
  • Antivirus quarantines a generic trojan before execution.
  • Malware on a marketing laptop fully segmented from the CUI enclave.
  • Phishing email reported by the employee without interaction.

When in doubt, lean toward reporting. A false-alarm report is far less costly than a missed real one.

The 72-hour clock

The clock starts at discovery, not at the moment of the actual breach. If your IT team sees ransomware on the CUI server at 9:00 AM Tuesday, the report is due by 9:00 AM Friday. The DoD does not pause for weekends or holidays.

You are not expected to have the full forensic picture in 72 hours. The initial report notifies the DoD so they can assess national-security impact and offer support through DC3 or CNMF. Update the report as the investigation matures.

Evidence preservation (paragraph e)

Do not wipe and rebuild compromised systems. DFARS requires you to preserve and protect images of all affected systems and relevant monitoring and packet-capture data for at least 90 days from submission of the report.

That means taking forensic, bit-for-bit images of affected servers, laptops, and VMs before remediation, and storing firewall logs, VPN logs, EDR telemetry, and packet captures securely. If the DoD requests the media within 90 days you must provide it; if they decline, you are free to dispose of it.
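As an added example that is not part of the original guide, the following Python script records the preserved artifacts in a chain-of-custody manifest (SHA-256 per image or log, collector, report submission time, and the 90-day hold date), re-verifies the hashes later, and answers the disposal question once the hold lapses. The sample files, timestamp and "ISSM (placeholder)" collector are constructed.

```python
import hashlib
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

RETENTION_DAYS = 90  # paragraph (e): keep images and logs at least 90 days after the report

def sha256_file(path, chunk_size=1 << 20):
    """Hash a forensic image or log in chunks so multi-GB images never load into memory."""
    digest = hashlib.sha256()
    with Path(path).open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(artifacts, report_submitted_at, collected_by):
    """Record each preserved artifact (size, SHA-256) and the earliest lawful disposal date."""
    hold_until = report_submitted_at + timedelta(days=RETENTION_DAYS)
    return {
        "report_submitted_at": report_submitted_at.isoformat(),
        "hold_until": hold_until.isoformat(),
        "collected_by": collected_by,
        "artifacts": [{"path": str(p), "bytes": Path(p).stat().st_size, "sha256": sha256_file(p)}
                      for p in artifacts],
    }

def verify_manifest(manifest):
    """Re-hash every artifact; return the paths whose contents no longer match the manifest."""
    return [a["path"] for a in manifest["artifacts"] if sha256_file(a["path"]) != a["sha256"]]

def hold_expires(manifest):
    """Earliest moment the 90-day preservation hold lapses."""
    return datetime.fromisoformat(manifest["hold_until"])

def disposal_permitted(manifest, now, dod_requested_media):
    """Dispose only once the hold has lapsed and only if DoD did not request the media."""
    return (not dod_requested_media) and now >= hold_expires(manifest)

def build_sample_case():
    """Constructed sample: tiny stand-ins for a disk image and a firewall log in a temp directory."""
    workdir = Path(tempfile.mkdtemp())
    (workdir / "cui-fileserver.img").write_bytes(b"\x00" * 4096)
    (workdir / "firewall.log").write_text("constructed sample log line\n")
    submitted = datetime(2024, 1, 2, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    return build_manifest(sorted(workdir.iterdir()), submitted, "ISSM (placeholder)"), submitted

if __name__ == "__main__":
    manifest, submitted = build_sample_case()
    print(manifest["hold_until"], "tampered:", verify_manifest(manifest))
```

Store the manifest alongside the images on write-once or access-controlled media; a hash mismatch on re-verification means the evidence can no longer be shown to be intact.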

Malicious software submission (paragraph d)

If you isolate malware connected to the incident, submit it to the DoD Cyber Crime Center (DC3) following their published instructions. Never email malware to your Contracting Officer — DC3 is the only correct channel.

How to file: the DIBNet portal

Incidents are reported through dibnet.dod.mil. Filing requires authentication with a DoD-approved medium assurance certificate issued by an External Certification Authority (ECA), an approved commercial CA that performs rigorous identity proofing before issuance.

ECA issuance can take weeks. Do not wait until an incident occurs. Maintain at least two active ECA certificates (ISSM and a backup) at all times. No certificate, no 72-hour report.

Once logged in you complete the Incident Collection Format (ICF), which captures:

  • Company name, CAGE code, point of contact
  • All affected contract numbers and Contracting Officer details
  • Dates of occurrence and discovery
  • Attacker technique (phishing, vulnerability exploit, insider, etc.)
  • The specific CDI or operationally critical support affected
  • Affected systems — OS, IP ranges, physical location
  • Containment and remediation actions to date

Building the capability before you need it

  • DFARS-aligned IR plan — explicit reportable-incident definitions, the 72-hour timeline, named ICF/DIBNet ownership, and Contracting Officer and legal counsel contacts.
  • DFIR retainer — a firm experienced with DFARS 7012 preservation standards and defense contractors on standby.
  • Annual tabletops — simulate a CDI incident; practice the reportability decision, the DIBNet login, and evidence preservation.
  • Subcontractor flow-downs — DFARS 7012 (m)(2) requires subs to notify the prime as soon as practicable. Your plan must handle inbound supply-chain reports as well as outbound DIBNet filings.

Need a DFARS-ready IR program?

Desra Secure helps contractors build incident response plans, secure ECA certificates, stand up DFIR retainers, and rehearse the 72-hour clock before they ever need it.

This guide is provided for general informational purposes only and does not constitute legal or compliance advice. Specific obligations depend on your contracts and the data you handle.