Explore the incident response and reporting requirements under CMMC, the DIBNet portal, preserving evidence and more through the Frequently Asked Questions (FAQs) below. If you are looking for certified CMMC Professionals and a customised solution for your organization, please schedule a free consultation.
Table of Contents
What must a CMMC-compliant incident response plan contain?
Summary: A CMMC-compliant incident response plan must be a written, formally approved document establishing an operational capability for preparing for, detecting, analyzing, containing, recovering from, and documenting cybersecurity incidents, satisfying NIST SP 800-171 Rev 2 Incident Response (IR) domain control 3.6.1.
The plan must contain, at minimum: defined roles and responsibilities for the incident response team, including a designated Incident Response Coordinator; procedures for detecting and identifying potential incidents including indicators of compromise; analysis and triage procedures to classify incident severity; containment procedures to isolate affected systems and prevent further CUI exposure; eradication procedures to remove malware or unauthorized access; recovery procedures to restore systems to normal operation; and documentation and reporting procedures.
The plan must define what constitutes a reportable cyber incident under the contractor’s DoD contract obligations. It must include requirements for preserving system images and relevant data for at least 90 days following an incident. The plan must be tested at a defined frequency, annual tabletop exercises or simulated incident scenarios both qualify, with exercise records maintained as evidence.
What constitutes a reportable cyber incident under a DoD contract?
Summary: A reportable cyber incident under a DoD contract is any actual or suspected unauthorized access, use, disclosure, modification, destruction, or loss of covered defense information, or any action that damages, degrades, or disrupts a contractor’s information system in a way that affects the contractor’s ability to provide operationally critical support, as defined in DFARS clause 252.204-7012.
Not every security event is a reportable cyber incident. A failed login attempt, a blocked phishing email, or a quarantined malware file that was prevented from executing and caused no CUI exposure does not typically require DoD reporting.
A reportable incident involves actual unauthorized access to systems containing CUI, exfiltration or suspected exfiltration of CUI, compromise of system credentials that could enable access to CUI, ransomware or destructive malware impacting systems within the CMMC assessment scope, or any other event that has affected or is likely to affect covered defense information. Contractors must establish clear incident classification criteria in their incident response plan. When in doubt, contractors should err toward reporting, failure to report a qualifying incident carries greater legal risk than over-reporting.
How quickly must a cyber incident involving CUI be reported to the DoD under a defense contract, and what are the reporting steps?
Summary: A contractor who discovers a cyber incident affecting covered defense information must report to the DoD within 72 hours of discovery using the DoD’s online reporting portal at DIBNet (dibnet.dod.mil), as required under the contractor’s DoD contract obligations.
The reporting process requires: within 72 hours of discovery, submitting a cyber incident report through the DIBNet portal with details including the company’s CAGE code, contract numbers affected, date of discovery, incident description, systems and data involved, and initial impact assessment. Within the same 72-hour window, the contractor must also preserve images of the compromised systems and all relevant data, including logs, memory captures, and disk images, and maintain those images for at least 90 days, providing DoD access to them upon request.
The contractor must continue to investigate and submit updated information as analysis develops. Cloud service providers supporting the contractor’s environment must be notified to cooperate with preservation and investigation requirements. Prime contractors must also notify their contracting officer. Failure to report within the required timeframe is an independent contractual violation, regardless of whether the incident resulted in confirmed CUI compromise.
What is the DoD’s DIBNet portal and how is it used for cyber incident reporting?
DIBNet (Defense Industrial Base Network), accessible at dibnet.dod.mil, is the DoD’s official online portal through which defense contractors submit cyber incident reports, access cybersecurity threat information, and engage with the DoD Cyber Crime Center (DC3) for incident response support.
When a reportable cyber incident occurs under a DoD contract, the contractor uses DIBNet to submit the required report within 72 hours of discovery. Accessing DIBNet for reporting purposes requires contractors to register and obtain a DoD-compatible digital certificate (PKI certificate or CAC) for authenticated access. The portal provides a structured incident reporting form that captures the information the DoD requires to assess impact to defense programs and CUI.
DIBNet also serves as the channel through which the DoD shares cybersecurity threat indicators with DIB members under the voluntary DIB Cybersecurity Program. Contractors operating under DFARS clause 252.204-7012 should ensure that designated incident response personnel are registered on DIBNet before an incident occurs, attempting to register during an active incident significantly delays the reporting timeline.
What evidence and system images must be preserved following a cyber incident under a DoD contract?
Summary: Following a cyber incident involving covered defense information, a contractor must preserve images of all known affected information systems and all relevant monitoring and audit data for a minimum of 90 days from the date of the incident report, and must provide the DoD access to those images upon request.
Preservation requirements cover: forensic disk images of all servers, endpoints, and devices involved in or potentially affected by the incident; memory captures if feasible and if volatile data is relevant; relevant audit log files, SIEM data, and security event records for the period preceding, during, and following the incident; network traffic captures if available; and any other data that could support forensic analysis of how the incident occurred and what data was affected.
Evidence must be preserved using forensic best practices, images must be bit-for-bit copies taken using validated forensic tools, and chain-of-custody documentation should be maintained. Contractors must not destroy, overwrite, or alter any potentially relevant evidence during the 90-day preservation window without written authorization. The DoD Cyber Crime Center (DC3) may request access to the preserved images for analysis as part of its investigation.
Explore Blogs, Webinars and other Resources
Trusted by Reputed Companies
What Our Clients Say
We used databrackets (formerly EHR 2.0) in our small medical practice for our risk analysis assessment to be in compliance with meaningful use. Their response was fast, the final report is detailed but simple and easy to follow. They were always available to answer our questions.
E. Compres
Pulmonary and Sleep Center of the Valley
I never miss the opportunity to learn something new …that’s why I am always registering to all free seminars offered on the web. databrackets (formerly EHR 2.0) happened to be the friendliest, comprehensive and up-to- date source of HIPAA Privacy and Security updates.
Alexandra V.
Community Healthcare Network
Today’s presentation was great! Thank you for sending the slides. My only feedback is that it would be fabulous to have the slides ahead of time so I could print them and take notes on the slides.Thanks for your time and knowledge today!
T.B., PM
Community Health Network
Particularly interesting was the flow chart on Administrative Simplification. I utilize all of the Security subcategories you list under the Security tile and appreciate knowing that I am hitting all of the relevant topics during my employee training.
Jessica B.
JD, CHC
I have re-worked our original risk assessment….We are using databrackets' (formerly EHR 2.0) Meaningful Use Security Risk Analysis Toolkit and it meets our needs. It was easy to use and I believe that it very beneficial to our meeting meaningful use.
Bill Curtis
Neurosurgical Associates Of Texarkana, TX
Information (webinars) presented by databrackets (formerly EHR 2.0) highlights some of today’s most demanding healthcare topics. The webinars help to direct those operating in today’s rapidly changing environment in the right direction.
Candace M.
Privacy and Security Officer, Springhill Medical Center
Our Growing List of Credentials
0
+
Assessments
0
+
Clients
0
+
Assessment Libraries
0
+
Years of Experience
0
+
No. of Staff Trained
0
+
HIPAA
0
+
SOC 2 Readiness
0
+
Pen Testing
0
+
ISO 27001 Certifications
0
+
Dollars Saved in Compliance Penalties