A 72-hour playbook for DoD contractor breach response
Author: Leonard Esere, Senior Cybersecurity Engineer, CISSP, CCSP
Date: April 2026
Organization: Aeolitech
Abstract
When a cybersecurity incident occurs on a covered contractor information system, DFARS 252.204-7012 starts a 72-hour clock that runs continuously — weekends and holidays included. Missing that deadline, failing to preserve forensic evidence, or submitting an incomplete report to the DoD's Incident Collection Format (ICF) portal are not administrative technicalities. They are contractual failures that can trigger False Claims Act investigations, contract termination, and reputational damage that echoes through every future DoD contract pursuit. This whitepaper provides a practitioner-level 72-hour incident response runbook for defense contractors — covering the regulatory reporting requirements, the forensic preservation obligations, NIST SP 800-171 control alignment, IR plan structure, legal and HR coordination, tabletop exercise design, and the relationship to state breach notification laws.
Table of Contents
1. The DFARS 7012 Reporting Requirement: Specifics
2. NIST SP 800-171 Incident Response Controls
3. The 72-Hour Runbook: Hour-by-Hour
4. Forensic Imaging and Evidence Preservation
5. Reporting to DoD: The ICF Portal Process
6. IR Plan Structure and Required Components
7. Legal Counsel and HR Coordination
8. Tabletop Exercises: Design and Frequency
9. State Breach Notification Laws and the DFARS Overlay
10. Common IR Failures and Remediation
11. About the Author
12. References
13. Next Steps
1. The DFARS 7012 Reporting Requirement: Specifics
DFARS 252.204-7012(a) defines "rapidly report" as within 72 hours of discovery of a cyber incident. The clause at paragraph (c)(1) specifies that when a contractor discovers a cyber incident that:
- Affects a covered contractor information system, or
- Affects covered defense information (CDI/CUI) residing on that system, or
- Affects the contractor's ability to perform contract requirements designated as operationally critical support,
...the contractor must simultaneously conduct a review for evidence of compromise and rapidly report to DoD.
What Constitutes "Discovery"?
The 72-hour clock begins at the moment of discovery — not at the moment of confirmation, not after forensic analysis is complete, and not after internal legal review concludes. In practice, discovery occurs when any employee, automated tool, security system, or third party notifies the organization of a potential incident affecting a covered contractor information system. If there is reasonable cause to believe a cyber incident has occurred, the clock is running.
This creates a practical tension: organizations want to investigate before reporting to avoid false reports, while the regulation requires rapid notification. The resolution is to report upon reasonable discovery and update the report as the investigation proceeds. The ICF portal allows supplemental submissions.
Required Report Data Elements
When submitting to the DoD's ICF portal, the following information is required at a minimum:
| Field | Details |
|---|---|
| Company name | Legal entity name on the contract |
| CAGE Code | 5-character Commercial and Government Entity code |
| DUNS / UEI | Unique Entity Identifier (now SAM.gov UEI format) |
| Affected contract numbers | All active DoD contracts with potential CDI exposure |
| Date/time of discovery | When the incident was first identified |
| Location of incident | Facility address; system location |
| System(s) affected | Names, descriptions, OS, network segment |
| Type of compromise | Actual vs. potential; malicious software; unauthorized access |
| CDI potentially compromised | Categories and approximate volume |
| Actions taken | Containment, isolation, malicious software removal |
| Ongoing impact | Any operational degradation |
Incident Report Number
Upon submission, DC3 assigns an incident report number automatically. Under DFARS 7012(m)(2)(ii), subcontractors that report a cyber incident must provide this incident report number to the prime contractor (or next higher-tier subcontractor) as soon as practicable. Primes must track these numbers for their own internal incident management records and potential government inquiries.
2. NIST SP 800-171 Incident Response Controls
DFARS 252.204-7012 requires compliance with NIST SP 800-171, which contains three explicit Incident Response requirements (Control Family 3.6.x) and two System and Information Integrity requirements directly relevant to incident detection (3.14.6 and 3.14.7):
3.6.1 — Establish an Incident Handling Capability
Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.
This is the foundational requirement — the organization must have a documented, tested IR capability. It is not sufficient to have an IR policy; the capability must be operational. Key components include: a defined IR team, contact rosters, escalation procedures, tooling (EDR, SIEM, forensic imaging), and integration with external resources (DFIR retainer, legal counsel).
3.6.2 — Track, Document, and Report Incidents
Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization.
This control explicitly requires external reporting — which under DFARS 7012 means reporting to DoD within 72 hours. All incidents must be documented in an incident ticket or log that captures status, timeline, handling actions, forensic information, and any communications with external parties. This documentation becomes the evidentiary record in the event of a DoD damage assessment or FCA investigation.
3.6.3 — Test the Incident Response Capability
Test the organizational incident response capability.
Testing must be documented and may use walkthroughs, tabletop exercises, or simulations. Best practice is to conduct at least one full tabletop per year and a live drill (simulated incident) biennially. Test results must be documented and must drive process improvements.
3.14.6 — Monitor for Attacks and Indicators of Compromise
Monitor organizational systems, including security alerts and advisories, to detect attacks and indicators of potential compromise.
This is the detection control that enables the 72-hour clock to start at the earliest possible moment. Organizations must deploy monitoring capabilities — endpoint detection and response (EDR), SIEM, network detection and response (NDR), or at minimum centralized log collection and review — that can surface indicators of compromise on covered contractor information systems. An organization that discovers an incident six months after it began because it had no monitoring capability has a 3.14.6 gap and a contractual problem.
3.14.7 — Identify Unauthorized Use
Identify unauthorized use of organizational systems.
This control complements 3.14.6 with user behavior analytics, privileged access monitoring, and anomaly detection. It enables detection of insider threats and compromised credentials — two of the most common initial access vectors in CDI-affecting incidents.
3. The 72-Hour Runbook: Hour-by-Hour
The following runbook is structured around a discovered cyber incident affecting a covered contractor information system. Adapt timing and ownership to your organization's size and structure.
Hours 0–4: Detection and Initial Triage
| Time | Action | Owner |
|---|---|---|
| H+0 | Incident detected (alert, user report, third-party notification) | SOC / IT Staff |
| H+0 | Log the discovery time — this is T=0 for the 72-hour clock | IR Lead |
| H+0.5 | Notify IR Lead and initiate the IR plan | First Responder |
| H+1 | Assess initial scope: which systems affected, is CDI involved? | IR Lead + IT |
| H+1.5 | Invoke IR team; assign roles (IR Lead, Forensics, Legal, Comms) | CISO / IR Lead |
| H+2 | Begin containment: isolate affected system(s) if possible without destroying evidence | IT / Forensics |
| H+2 | Pull initial indicators: network logs, endpoint alerts, authentication logs | Forensics |
| H+3 | Determine if this is a DFARS-qualifying incident (CDI affected or at risk?) | IR Lead + Legal |
| H+3.5 | If qualifying: notify legal counsel; confirm intent to report within 72 hours | CISO + Legal |
| H+4 | Brief executive sponsor (CEO/COO/CISO) on incident status and reporting intent | CISO |
Hours 4–24: Containment, Forensics, and Reporting Preparation
| Time | Action | Owner |
|---|---|---|
| H+4 | Begin forensic imaging of affected systems (do not wipe or reimage) | Forensics |
| H+6 | Activate DFIR retainer if internal capacity is insufficient | CISO |
| H+8 | Collect and preserve packet capture data from affected network segments | Network / Forensics |
| H+12 | Conduct preliminary scope assessment: compromised accounts, exfiltrated data | IR Lead |
| H+16 | Prepare draft DoD incident report for ICF portal | IR Lead + Legal |
| H+20 | Legal review of draft report | Legal Counsel |
| H+22 | Ensure DoD-approved Medium Assurance Certificate (ECA/CAC) is accessible | IT / IR Lead |
| H+24 | Internal checkpoint: is the 72-hour deadline at risk? Escalate if yes | CISO |
Hours 24–72: Report Submission, Notification, and Stabilization
| Time | Action | Owner |
|---|---|---|
| H+36 | Submit incident report to DC3 via ICF portal (icf.dcise.cert.org) | IR Lead |
| H+37 | Confirm DC3 receipt; record assigned incident report number | IR Lead |
| H+38 | Provide incident report number to prime contractor if applicable | Contracts / IR Lead |
| H+40 | Notify subcontractors that may have CDI on affected systems | Contracts |
| H+48 | Assess state breach notification obligations (see Section 9) | Legal Counsel |
| H+60 | Compile forensic preservation log; confirm 90-day retention is in place | Forensics |
| H+72 | Close the initial 72-hour reporting phase; transition to long-term IR | IR Lead |
| H+72+ | Continue investigation; submit supplemental reports to DC3 as needed | IR Lead |
4. Forensic Imaging and Evidence Preservation
DFARS 252.204-7012(e) requires preservation of images of all known affected information systems and all relevant monitoring/packet capture data for a minimum of 90 days from the submission of the cyber incident report. This period allows DoD to review the incident and either request the media or decline interest.
What Must Be Preserved
| Evidence Type | Description | Format |
|---|---|---|
| Disk Images | Full bit-for-bit images of all affected hard drives, SSDs, or virtual disk files | E01, dd, VMDK snapshot |
| Memory Images | Volatile memory (RAM) captures taken before system reboot/isolation | LiME, WinPmem |
| Network Packet Captures | PCAP files from affected network segments for the relevant time window | PCAP/PCAPNG |
| Log Archives | Security event logs, authentication logs, endpoint agent logs, SIEM exports | Preserved exports |
| Email Archives | If email system is involved or used for exfiltration | PST/EML archives |
| Mobile Device Images | If mobile devices had access to CDI and were potentially affected | Cellebrite, UFED |
Preservation Best Practices
1. Image before wiping. Never reimage an affected system before capturing a forensic image. This is the most common evidence destruction error, often made by well-intentioned IT staff trying to restore operations quickly.
2. Maintain chain of custody. Document who created each image, when, and what tool was used. Store images in a write-protected, hash-verified repository. Record the SHA-256 hash of each image immediately upon creation.
3. Segregate preserved evidence. Store forensic images on media that is isolated from production systems, with access limited to IR team members. Cloud storage is acceptable if the storage environment is U.S.-based and access-controlled.
4. Do not destroy after 90 days without confirmation. The 90-day period is a minimum. If DoD has requested images or if an investigation is ongoing, preserve until explicitly released by DoD or until legal hold is lifted.
5. Pre-position forensic tooling. Do not wait until an incident occurs to acquire forensic imaging software. Have tools pre-installed or on standby: FTK Imager, Autopsy, Velociraptor, or equivalent. Establish a DFIR retainer before an incident if internal capacity is limited.
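As an added example (not part of the whitepaper or Aeolitech's tooling), the Python below models the preservation log described above together with the 72-hour clock from Sections 1 and 3: each image is SHA-256-hashed at acquisition and re-verified against that recorded hash, the 90-day retention window is counted from report submission rather than from imaging, and disposal is refused while a DoD media request or legal hold is open. The analyst name, timestamps, tool string and sample image file are constructed.

```python
"""Chain-of-custody log plus the two DFARS 7012 timers. Added example, not from the
whitepaper: the 72-hour clock runs from discovery without pausing for weekends; the
90-day preservation minimum runs from report submission. All sample data is constructed."""
import hashlib, os, tempfile
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

REPORT_WINDOW = timedelta(hours=72)  # 7012(a)/(c): "rapidly report"
RETENTION_MIN = timedelta(days=90)   # 7012(e): minimum, counted from report submission

def sha256_file(path, chunk=1 << 20):
    """Hash in chunks so a multi-terabyte image never has to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

@dataclass
class CustodyEntry:
    when: datetime
    actor: str
    action: str   # "acquired", "transferred", "verified", "HASH MISMATCH"
    tool: str = ""

@dataclass
class EvidenceItem:
    label: str
    path: str
    sha256: str   # recorded immediately at acquisition
    custody: List[CustodyEntry] = field(default_factory=list)
    def verify(self, when, actor):
        """Re-hash the stored image and log the outcome; False means tampering or corruption."""
        ok = sha256_file(self.path) == self.sha256
        self.custody.append(CustodyEntry(when, actor, "verified" if ok else "HASH MISMATCH"))
        return ok

@dataclass
class Incident:
    discovered: datetime                 # T=0, timezone-aware
    report_submitted: Optional[datetime] = None
    dod_media_request: bool = False      # DoD asked for media under 7012(f)/(g)
    legal_hold: bool = False
    evidence: List[EvidenceItem] = field(default_factory=list)
    def report_deadline(self):
        return self.discovered + REPORT_WINDOW
    def hours_remaining(self, now):      # negative once the 72-hour window is missed
        return (self.report_deadline() - now) / timedelta(hours=1)
    def acquire(self, label, path, actor, tool, when):
        item = EvidenceItem(label, path, sha256_file(path))
        item.custody.append(CustodyEntry(when, actor, "acquired", tool))
        self.evidence.append(item)
        return item
    def retention_until(self):           # None until the report is filed: the 90 days have not started
        return None if self.report_submitted is None else self.report_submitted + RETENTION_MIN
    def may_dispose(self, now):          # only after the 90 days AND with no DoD request or legal hold
        until = self.retention_until()
        return until is not None and now >= until and not (self.dod_media_request or self.legal_hold)

def demo():
    edt = timezone(timedelta(hours=-4))            # fixed-offset stand-in for US Eastern (EDT)
    t0 = datetime(2026, 4, 3, 17, 30, tzinfo=edt)  # constructed: Friday-evening discovery
    inc = Incident(discovered=t0)
    fd, path = tempfile.mkstemp(suffix=".E01")     # constructed stand-in for a disk image
    with os.fdopen(fd, "wb") as f:
        f.write(b"constructed sample image bytes")
    item = inc.acquire("FS01 disk image", path, "J. Analyst", "FTK Imager", t0 + timedelta(hours=4))
    ok_before = item.verify(t0 + timedelta(hours=60), "J. Analyst")
    os.truncate(path, 5)                           # simulate corruption of the stored copy
    ok_after = item.verify(t0 + timedelta(hours=61), "J. Analyst")
    inc.report_submitted = t0 + timedelta(hours=36)
    def day(n): return inc.report_submitted + timedelta(days=n)
    result = {
        "deadline_utc": inc.report_deadline().astimezone(timezone.utc).isoformat(),
        "hours_left_at_h24": inc.hours_remaining(t0 + timedelta(hours=24)),
        "verify_before": ok_before, "verify_after_tamper": ok_after,
        "retention_until": inc.retention_until().isoformat(),
        "dispose_day_89": inc.may_dispose(day(89)), "dispose_day_91": inc.may_dispose(day(91)),
    }
    inc.legal_hold = True                          # a hold overrides the 90-day minimum
    result["dispose_day_91_with_hold"] = inc.may_dispose(day(91))
    os.remove(path)
    return result
```

Note that a Friday 17:30 discovery yields a Monday 17:30 deadline: nothing in the clock knows about weekends, which is exactly the point of logging T=0 at H+0.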
DoD Requests for Media
Under DFARS 252.204-7012(f), upon DoD request, the contractor must provide DoD with access to additional information or equipment necessary to conduct a forensic analysis. Under paragraph (g), if DoD elects a damage assessment, the contractor must provide all information gathered pursuant to the preservation requirement. These requests typically come through the contracting officer and are coordinated by DCISE. Response timelines are defined in the request; contractors should have a process for compiling and transmitting preserved evidence on short notice.
5. Reporting to DoD: The ICF Portal Process
As of June 6, 2025, the DIBNet portal (dibnet.dod.mil) has been decommissioned. All cyber incident reports are now submitted through the Incident Collection Format (ICF) portal operated by the Defense Cyber Crime Center (DC3) and the Defense Collaborative Information Sharing Environment (DCISE).
Step-by-Step ICF Submission Process
Step 1: Access the portal
Navigate to https://icf.dcise.cert.org. A DoD-approved Medium Assurance Certificate is required to access the portal. Acceptable certificate types:
- Common Access Card (CAC)
- External Certificate Authority (ECA) certificate from an approved provider at https://public.cyber.mil/eca/
If you do not have a certificate at incident time, contact DC3/DCISE directly:
- Email: dc3.dcise@us.af.mil
- Phone: 410-981-0104
- Toll Free: 1-877-838-2174
Step 2: Complete the ICF form
Fill in all required data fields, including company identifiers, contract numbers, affected systems, discovery timeline, and initial response actions.
Step 3: Generate the .xml file
The portal generates a standardized incident report in .xml format upon form completion. Download this file.
Step 4: Submit to DC3
Submit the .xml file via one of the following secure channels:
- Encrypted email to dcise@us.af.mil
- DoD SAFE (Secure Access File Exchange) — request a SAFE link by contacting DC3 at the numbers above
Step 5: Receive confirmation
DC3 confirms receipt and issues an incident report number. Retain this number; it is required for subcontractor notification and DoD follow-up coordination.
Pre-Incident Preparation
Contractors should complete the following before any incident occurs:
- Obtain ECA certificates for all IR team members who may need to report.
- Conduct a test run through the ICF portal in a non-incident context to confirm access and familiarity.
- Store ICF portal URL, DC3 contact information, and certificate credentials in the IR plan and a physically accessible location (in case systems are down during an incident).
6. IR Plan Structure and Required Components
An IR plan compliant with NIST SP 800-171 control 3.6.1 must address the full incident lifecycle. The following components are required:
IR Plan Outline
Section 1: Purpose and Scope
Define the systems covered (reference the SSP system boundary), the types of incidents addressed, and the regulatory drivers (DFARS 7012, NIST 800-171, applicable state laws).
Section 2: Roles and Responsibilities
Name the individuals filling each role (not just job titles): IR Lead, Forensics Lead, Legal Liaison, HR Liaison, Executive Sponsor, Communications Lead, Contracts Manager. Include backup contacts for each role.
Section 3: Incident Classification Matrix
| Severity | Definition | Examples | Response SLA |
|---|---|---|---|
| Critical | Active compromise of CDI; ransomware; data exfiltration in progress | Ransomware deployment, confirmed data theft | DFARS 7012 report within 72 hours; immediate containment |
| High | Potential CDI exposure; unauthorized privileged access | Compromised admin credential, phishing with CDI access | Report within 72 hours if CDI at risk; full IR |
| Medium | Malware on non-CDI system; suspected reconnaissance | Malware isolated to non-CUI segment | Investigate; escalate to High if CDI risk found |
| Low | Policy violation; lost device with no CDI | Personal device policy breach | Document; no DoD report required unless CDI involved |
Section 4: Detection and Analysis Procedures
How incidents are detected (monitoring tools, alert types, user reporting); initial triage procedures; criteria for DFARS 7012 reporting trigger.
Section 5: Containment, Eradication, and Recovery
Containment strategies (network isolation, account lockout); eradication procedures (malware removal, credential reset); recovery sequencing (restore from known-good backup, verify integrity, return to production).
Section 6: Forensic Evidence Procedures
Cross-reference Section 4 of this whitepaper; include tool names, storage locations, and chain of custody procedures.
Section 7: DoD Reporting Procedures
Step-by-step ICF portal submission process; certificate storage location; DC3 contact information; prime contractor notification procedure.
Section 8: Communication Plan
Internal escalation matrix; external notification matrix (DoD, prime, subcontractors, legal counsel, state authorities); approved messaging for each audience.
Section 9: Post-Incident Activities
Lessons learned process; IR plan update procedure; SSP update triggers; SPRS re-assessment if controls were found deficient.
7. Legal Counsel and HR Coordination
Legal Counsel Integration
Legal counsel must be involved from the initial qualification decision at Hour 3. Key legal functions in a DFARS-qualifying IR:
- Attorney-client privilege: Engage legal counsel early to establish privilege over internal investigation communications and reports where possible.
- DFARS 7012 report review: Legal counsel should review the draft ICF submission before it is filed. The report becomes a government record and may be referenced in contract disputes or FCA proceedings.
- FCA self-disclosure assessment: If the incident reveals that SPRS scores were inflated or that compliance certifications were inaccurate, legal counsel must evaluate whether voluntary disclosure under the DoD's Voluntary Disclosure Program is warranted.
- State breach notification analysis: Legal counsel with cybersecurity expertise should assess all applicable state notification obligations simultaneously with the DoD report (see Section 9).
- Evidence preservation directive: A written legal hold notice should be issued to all IT staff and IR team members at or near H+3 to prevent inadvertent destruction of relevant evidence.
HR Coordination
HR involvement is required when an incident has insider threat dimensions or when employees must be interviewed, placed on administrative leave, or have access revoked:
- Coordinate employee interviews: HR must be involved in any employee interview related to a suspected insider threat or negligence finding to ensure employment law compliance.
- Access revocation: HR must be notified before terminating employee access if employment status is implicated.
- Employee communications: HR leads internal communications to employees about the incident, working within the Communication Plan to avoid premature or legally problematic disclosures.
- Contractor and vendor personnel: If the incident involves personnel from a staffing firm or vendor, HR and legal must coordinate with those organizations' HR functions.
8. Tabletop Exercises: Design and Frequency
NIST SP 800-171 control 3.6.3 requires testing of the IR capability. A robust testing program includes both tabletop exercises and live drills.
Tabletop Exercise Design
Recommended frequency: At minimum annually; semi-annually for organizations with active CDI handling or elevated threat exposure.
Scenario Selection Principles:
Scenarios should be realistic to the organization's threat landscape. For defense contractors, high-priority scenarios include:
1. Ransomware on a CDI-holding file server — Tests: detection, containment without destroying evidence, DFARS 7012 reporting trigger, forensic imaging, DoD notification.
2. Phishing email leading to credential compromise — Tests: detection latency, account lockout procedures, scope determination (was CDI accessed?), 72-hour clock management.
3. Supply chain software compromise (trojanized update) — Tests: detection via monitoring (3.14.6), scope determination across multiple systems, subcontractor notification.
4. Insider threat — employee copies CDI to personal device — Tests: HR coordination, evidence handling for potential employment action, reporting threshold determination.
Tabletop Structure:
| Phase | Duration | Activities |
|---|---|---|
| Inject 1 — Discovery | 20 min | Scenario presented; team identifies first response actions and who does what |
| Inject 2 — Escalation | 20 min | Complication added (e.g., system owner unavailable; CDI confirmed affected); escalation decisions |
| Inject 3 — Reporting decision | 20 min | Team must decide whether DFARS 7012 reporting is triggered; draft notification decisions |
| Inject 4 — Media inquiry | 15 min | External complication (e.g., prime contractor calls demanding status); communication plan invoked |
| After Action Review | 30 min | What went well; what failed; what needs to be in the IR plan |
Documentation: All tabletop exercises must be documented, including date, participants, scenario, decisions made, and identified gaps. This documentation satisfies 3.6.3 and provides evidence for C3PAO assessment.
9. State Breach Notification Laws and the DFARS Overlay
DFARS 7012(l) explicitly states that the clause's reporting requirements "in no way abrogate the Contractor's responsibility for other safeguarding or cyber incident reporting pertaining to its unclassified information systems as required by other applicable clauses of this contract, or as a result of other applicable U.S. Government statutory or regulatory requirements."
In practice, this means the 72-hour DoD report is not the only notification obligation. All 50 states and the District of Columbia have breach notification laws, with widely varying:
- Definitions of personal information triggering notification
- Notification timelines (ranging from "expedient" to specific windows of 30, 45, 60, or 90 days)
- Notification recipients (state Attorney General, affected individuals, state data protection agencies)
Key interaction points:
| Scenario | DoD Obligation | State Obligation |
|---|---|---|
| CDI breached, no PII | DFARS 7012 report within 72 hours | Likely no state notification required |
| CDI + employee PII breached | DFARS 7012 report within 72 hours | State notification to employees per applicable state laws |
| CDI + customer/subcontractor PII breached | DFARS 7012 report within 72 hours | State notification to affected individuals |
| CDI breached, state employees affected | DFARS 7012 report within 72 hours | State government may have specific notification rights |
Critical coordination point: The DoD report and the state notifications are parallel obligations with different timelines and different recipients. Do not wait for the DoD investigation to conclude before assessing state notification obligations. Engage legal counsel at H+48 or earlier to conduct the multi-state analysis.
Defense contractors operating in multiple states should maintain a pre-built state notification matrix identifying the applicable law, timeline, notification recipients, and regulatory contact for each state where they have employees, customers, or subcontractors.
10. Common IR Failures and Remediation
Failure 1: No Pre-Positioned Reporting Certificate
Problem: IR team discovers the 72-hour clock is running but no one has a DoD-approved Medium Assurance Certificate to access the ICF portal.
Remediation: Obtain ECA certificates for all potential IR reporters before any incident. Store credentials in a sealed emergency access packet.
Failure 2: Reimaging Before Forensic Capture
Problem: IT staff restore an affected system from backup to minimize downtime before forensics team is engaged.
Remediation: Train all IT staff that no system potentially involved in a CDI-affecting incident may be reimaged or wiped without explicit IR Lead authorization. Add this as a specific line item in IT runbooks.
Failure 3: Scope Determination Delayed Beyond 48 Hours
Problem: Organization spends 60+ hours trying to conclusively determine whether CDI was accessed before deciding to report, and misses the 72-hour window.
Remediation: Establish a "report on reasonable belief, supplement as investigation continues" policy. The 72-hour requirement does not demand certainty — it demands speed. A supplemental report can update the initial submission with additional findings.
Failure 4: Prime Not Notified of Sub's Incident
Problem: Subcontractor reports a cyber incident to DoD but fails to provide the incident report number to the prime.
Remediation: Add explicit contractual requirements to subcontract agreements; include prime notification as a milestone in the sub's IR plan.
Failure 5: No Post-Incident SSP/SPRS Update
Problem: Incident reveals that several NIST 800-171 controls were not actually implemented as documented in the SSP. SPRS score remains inflated.
Remediation: Mandate a post-incident SSP review as a standard step in the "post-incident activities" phase. Update SPRS within 30 days of incident closure.
11. About the Author
Leonard Esere is a Senior Cybersecurity Engineer and compliance strategist at Aeolitech with deep expertise in DFARS/CMMC, NIST SP 800-171, and DoD Industrial Security. Holding CISSP and CCSP certifications, Leonard has developed DFARS-compliant incident response programs for defense contractors, conducted NIST 800-171 IR control assessments, facilitated tabletop exercises for CDI-handling organizations, and guided contractors through the DoD incident reporting process — including the transition from the legacy DIBNet portal to the current ICF/DC3 reporting workflow.
12. References
| Source | URL |
|---|---|
| DFARS 252.204-7012 (MAY 2024) | https://www.acquisition.gov/dfars/252.204-7012-safeguarding-covered-defense-information-and-cyber-incident-reporting |
| ICF Cyber Incident Reporting Portal (DC3) | https://icf.dcise.cert.org |
| DC3/DCISE Contact Page | https://www.dc3.mil/Missions/Cyber-Forensics/DIB-Cybersecurity/ |
| ECA Certificate Providers | https://public.cyber.mil/eca/ |
| NIST SP 800-171 Rev. 3 (Incident Response Family) | https://csrc.nist.gov/publications/sp800 |
| NIST SP 800-61 Rev. 2 — IR Guidance | https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final |
| DoD DIBNet Transition Announcement | https://isidefense.com/blog/dibnet-portal-shutdown-defense-contractors |
| 112Cyber DIBNet Reporting Update | https://112cyber.com/blog/cmmc-news-dibnet-updates-for-incident-reporting/ |
| 32 CFR Part 170 (CMMC Final Rule) | https://www.ecfr.gov/current/title-32/part-170 |
| CIS Tabletop Exercise Resources | https://www.cisecurity.org/insights/white-papers/cybersecurity-tabletop-exercises |
| Mayer Brown FCA Enforcement Report (2026) | https://www.mayerbrown.com/en/insights/publications/2026/03/false-claims-act-enforcement-record-breaking-year-signals-continued-attention-to-cybersecurity |
13. Next Steps
The gap between having an IR plan on a shelf and having an IR capability that will actually meet the DFARS 72-hour requirement is significant — and often only discovered during a real incident, when it is too late. Proactive preparation is the only effective strategy.
Schedule a CMMC Gap Assessment with Aeolitech →
Our team assesses your NIST 800-171 Incident Response controls (3.6.1–3.6.3), evaluates your current monitoring capability against 3.14.6/3.14.7, reviews your ICF reporting readiness, and can facilitate a customized tabletop exercise designed around the specific threats facing defense manufacturing, aerospace, and technology contractors.