Defense contractors must report cyber incidents affecting Covered Defense Information (CDI) to DoD within 72 hours of discovery via the DIBNET Portal (dibnet.dod.mil). The report requires: company CAGE code, affected contracts, incident description, systems affected, CDI potentially compromised, and actions taken. Preserve system images and logs for 90 days. Report malware samples to DC3. Flow incident information up to the prime contractor within the same 72-hour window.
What Triggers the Reporting Requirement
Under DFARS 252.204-7012, a reportable "cyber incident" is any action through computer networks that results in — or may have resulted in — an actual or potentially adverse effect on a covered contractor information system or covered defense information. This definition is deliberately broad:
- Clearly reportable: Ransomware attack on systems with CDI, confirmed data exfiltration of CDI, unauthorized access to CDI systems confirmed by forensics
- Likely reportable: Malware discovered on systems that could have accessed CDI, phishing attack that successfully harvested credentials used for CDI system access, unauthorized remote access to CDI systems
- Possibly reportable (judgment call): Phishing email opened on a workstation with CDI access but no confirmed compromise, malware on a system that doesn't directly touch CDI but is on the same network segment
- Not reportable: Blocked phishing attempts, malware quarantined before execution, incidents on systems completely isolated from CDI
When in doubt, report. The penalty for failing to report a reportable incident is significantly higher than the overhead of reporting an incident that turns out to be below the threshold.
The 72-Hour Clock: When It Starts
The 72-hour window begins when you discover — or should have discovered — the incident. This has important implications:
- If your logging and monitoring systems detected anomalous activity 3 days ago but you didn't review the logs until today, the clock may have already been running for 3 days
- If a vendor notifies you that their systems were compromised and may have exposed your CDI, the clock starts when you received that notification
- If an employee reports suspicious behavior on their workstation on Monday, the clock starts Monday — not when forensics confirms a compromise on Wednesday
This is why rapid detection capability matters for DFARS compliance — it's not just about stopping attacks, it's about knowing quickly enough to meet the reporting deadline.
The DIBNET Reporting Process
Cyber incident reports are submitted at dibnet.dod.mil. The online form requires:
- Company information: CAGE code, company name, DUNS/UEI number, DCSA/DCAA contact information
- Contract information: All contract numbers affected by the incident
- Incident details:
  - Date incident was discovered
  - Date of incident (if known and different from discovery)
  - How the incident was discovered
  - Type of incident (malware, unauthorized access, data exfiltration, etc.)
  - Physical location of compromised systems
- Systems and data affected:
  - Description of compromised systems
  - Type and amount of CDI potentially compromised
  - Whether CDI was exfiltrated, modified, or deleted
- Actions taken: Containment steps, remediation underway, whether law enforcement has been notified
After submission, DoD assigns an incident tracking number. Preserve this for your records and for follow-up communications.
What to Preserve for 90 Days
Following a reportable incident, preserve for 90 days (DFARS requirement):
- System images: Forensic copies of all compromised systems. These must be bit-level copies (not just file copies) to preserve forensic integrity. Use tools like FTK Imager or dd. If you don't have in-house forensic capability, engage a forensic firm before an incident occurs.
- Log data: All relevant system logs, network logs, security event logs for the period of the incident. If your log retention period is shorter than 90 days, you may need to preserve specific log extracts.
- Malware samples: Any malware identified must be submitted to the DoD Cyber Crime Center (DC3) at dc3.mil. Coordinate with your forensic firm for proper malware handling and submission.
- Documentation: Your incident timeline, response actions, communications, and assessment findings — everything needed to reconstruct what happened if DoD requests a damage assessment.
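As an added illustration of the preservation step (not part of the original article, and not any vendor tool's code), the following POSIX shell script images a volume with dd, verifies the image hash against the source, extracts log lines for the incident window, and records each item in a manifest. The evidence directory, manifest layout and sample inputs are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article or any vendor tool. Assumes an
# evidence directory (EVIDENCE_DIR, default: a temp dir) and a manifest file in
# it; the "device" passed to preserve_image may be a block device or a file.
set -eu

EVIDENCE_DIR="${EVIDENCE_DIR:-$(mktemp -d)}"
MANIFEST="$EVIDENCE_DIR/manifest.txt"

# SHA-256 of a file; works with coreutils (sha256sum) or BSD/macOS (shasum).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# Append one evidence item to the manifest: path, hash, UTC time, collector.
record() {
    printf '%s\t%s\t%s\t%s\n' "$1" "$(hash_file "$1")" \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "${USER:-unknown}" >> "$MANIFEST"
}

# Bit-level copy with dd, then verify the image hash equals the source hash.
# conv=sync is deliberately omitted: padding would change the hash, and
# failing media needs a dedicated imager anyway. Prints the verified hash.
preserve_image() {
    src="$1"; img="$EVIDENCE_DIR/$(basename "$src").dd"
    dd if="$src" of="$img" bs=4096 2>"$img.dd.log"
    src_hash=$(hash_file "$src"); img_hash=$(hash_file "$img")
    [ "$src_hash" = "$img_hash" ] || { echo "hash mismatch: $src" >&2; return 1; }
    record "$img"
    echo "$img_hash"
}

# Keep only log lines whose ISO-8601 timestamp (first field) falls inside the
# incident window, so an extract survives when log retention is under 90 days.
preserve_logs() {
    log="$1"; start="$2"; end="$3"
    out="$EVIDENCE_DIR/$(basename "$log").extract"
    awk -v s="$start" -v e="$end" '$1 >= s && $1 <= e' "$log" > "$out"
    record "$out"
    echo "$out"
}
```

Run it as root against the real device path (for example a /dev/ block device) and store the manifest with the images; the dd stderr log next to each image records any read errors.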
Flowdown to Prime Contractors
If you're a subcontractor, you must also notify your prime contractor within the same 72-hour window. The prime contractor consolidates incident information for DoD reporting and needs to assess whether CDI in their possession was also compromised through your systems.
Include a point of contact for prime contractor incident notification in your contracts and subcontracts. Don't wait for a crisis to figure out who to call at your prime.
Building an Incident Response Plan for DFARS Compliance
NIST 800-171 control family IR (Incident Response) requires a written incident response capability. Your plan should specifically address DFARS reporting:
- Define what constitutes a "cyber incident" for your organization
- Assign the person responsible for making the reportability determination
- Include the DIBNET URL, your CAGE code, and affected contract numbers in the plan document (don't look these up during an active incident)
- Include your prime contractor's incident notification contact information
- Define the forensic preservation procedure (who does it, with what tools, stored where)
- Test the plan annually with a tabletop exercise
A GovCon-specialized IT provider should help you build and exercise an incident response plan that addresses all DFARS requirements — including the 72-hour reporting window. See our complete guide to DFARS 252.204-7012 compliance for the full context.
Frequently Asked Questions
What is the penalty for failing to report a DFARS cyber incident?
The clause itself doesn't specify a penalty for non-reporting, but failure to report can result in: contract termination for default, suspension or debarment from future government contracts, False Claims Act exposure if you certified compliance and failed to report, and potential criminal liability in egregious cases. Penalties have been significant in enforcement actions.
Do I need to report to law enforcement in addition to DoD?
DFARS requires reporting to DoD via DIBNET. Law enforcement notification is separate and not required by the clause — but it may be required by state data breach notification laws if PII was involved. For significant incidents, engaging the FBI Cyber Division is advisable both for investigative assistance and to demonstrate good faith remediation efforts.
What if we're still investigating when the 72-hour deadline hits?
Report what you know at 72 hours, clearly noting that the investigation is ongoing and information may be updated. DIBNET reports can be supplemented with additional information as your investigation progresses. The requirement is to report within 72 hours of discovery — not to finish a complete forensic investigation within 72 hours.