DFARS 72-Hour Incident Report: What to File and How (with Template)

8 min read · Published May 17, 2026 · Updated May 17, 2026

Short answer: Under DFARS 252.204-7012(c), you must report a "cyber incident" affecting covered defense information or contractor systems to DIBNet (dibnet.dod.mil) within 72 hours of discovery. You'll need a DoD-approved medium assurance certificate (ECA cert) to file. The report goes to DoD; you separately notify any prime per their flow-down. Preserve affected media for 90 days and image relevant systems before remediation.

What counts as a "cyber incident"

DFARS defines it as actions taken through computer networks that result in an actual or potentially adverse effect on a contractor information system or CUI. Practical examples:

  • Confirmed malware, ransomware, or unauthorized access to a system holding CUI
  • Lost / stolen laptop containing CUI
  • Email-based exfiltration of a drawing or technical data package
  • Vendor breach where the vendor stored your CUI
  • Insider exfiltration (including accidental over-sharing)

Phishing emails that nobody clicked, blocked port scans, and routine alerts on attempts that did not succeed are not reportable.

Set this up BEFORE an incident

  1. Get an ECA medium assurance certificate for at least two people. Provisioning takes 2–4 weeks.
  2. Register a DIBNet account tied to your CAGE.
  3. Write a one-page IR runbook with the DIBNet URL, the ECA cert location, the legal/PR contact, and the prime notification list.
  4. Decide on your imaging tool (FTK Imager, dd, EnCase) and store it on a clean USB drive.
  5. Tabletop the scenario once a year.

Filing the report

The 72-hour clock starts at discovery, not occurrence. To file:

  1. Authenticate to dibnet.dod.mil using your ECA cert.
  2. Complete the Incident Collection Form (ICF).
  3. Receive an Incident Report Number — keep this for your records and share with primes.
  4. Update the report as new facts emerge. Underreporting and over-claiming are both red flags.

After filing

  • Preserve media affected by the incident for at least 90 days for DoD forensic review on request.
  • Image relevant systems before remediating; remediation destroys evidence.
  • Notify primes per each flow-down — usually parallel to the DIBNet filing.
  • Update SSP / POA&M with the root-cause finding and the corrective action.
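
One way to carry out the "image before remediating" step with dd, one of the imaging tools named above, shown as an added example that is not part of the original guide. The function names and the `.custody` record layout are assumptions, and the script expects GNU coreutils (`dd`, `sha256sum`).

```shell
#!/bin/sh
# Added example: image an affected disk, prove the copy is exact, and write a
# custody record that can be re-checked at any point during the 90-day hold.
# acquire_image, verify_image and the record fields are hypothetical names.

sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# acquire_image SRC OUTDIR INCIDENT_ID
# SRC should be offline or behind a write blocker; a disk that is still being
# written to will not hash the same twice and the function will refuse it.
acquire_image() {
    src=$1; outdir=$2; id=$3
    img="$outdir/$id.dd"; rec="$outdir/$id.custody"
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 2; }
    [ ! -e "$img" ] || { echo "refusing to overwrite $img" >&2; return 2; }
    mkdir -p "$outdir" || return 2
    # Plain block copy. conv=sync is avoided on purpose: it zero-pads short
    # reads, so the image would no longer hash the same as the source.
    dd if="$src" of="$img" bs=1M 2>/dev/null || return 3
    src_hash=$(sha256_of "$src"); img_hash=$(sha256_of "$img")
    if [ "$src_hash" != "$img_hash" ]; then
        echo "hash mismatch: source changed or copy failed" >&2; return 4
    fi
    chmod a-w "$img"    # guard against accidental edits during the hold
    {
        echo "incident_id=$id"
        echo "source=$src"
        echo "image=$img"
        echo "sha256=$img_hash"
        echo "imaged_at_utc=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "imaged_by=$(id -un)@$(uname -n)"
        echo "min_hold_days=90"
    } > "$rec"
    echo "$rec"         # path of the custody record, for the IR log
}

# verify_image RECORD: re-hash the stored image against the recorded digest.
# Succeeds (exit 0) only if the image is byte-for-byte unchanged.
verify_image() {
    rec=$1
    img=$(sed -n 's/^image=//p' "$rec")
    want=$(sed -n 's/^sha256=//p' "$rec")
    [ -n "$want" ] && [ "$(sha256_of "$img")" = "$want" ]
}
```

Call it as `acquire_image <device> <evidence-dir> <incident-report-number>` before any cleanup starts, and run `verify_image` on the record before handing the image over for review.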

Fill-in template

Frequently asked questions

Does the 72-hour clock pause for weekends?
No. The 72 hours run continuously. Keep at least two ECA-cert holders so coverage is never single-threaded.

What if I'm not 100% sure CUI was involved?
Report. DFARS expects reports based on reasonable belief — over-reporting is acceptable, under-reporting is not.

Do I have to tell my prime?
Yes, if their flow-down requires it (most do). Notify them in parallel with the DIBNet filing, not after.

Will DoD share my incident report publicly?
No. ICFs go to DoD Cyber Crime Center (DC3) and are protected. They are not FOIA-released.