X-DFARS7012-RPT Informational
Report Cyber Incidents to DoD Within 72 Hours
Official citation: DFARS 252.204-7012(c)
Class: informational · Severity: critical
Statement of the obligation — verify against source
DFARS 252.204-7012(c)
What it means
NIST SP 800-171 makes you handle incidents internally; DFARS 252.204-7012 adds a hard external duty: tell the Department of Defense within 72 hours, keep the forensic evidence, and require your subcontractors to do the same. Missing the window or the flow-down is a contract-compliance failure, not just a security gap.
Required by
- DFARS — DFARS 252.204-7012(c)
- UAI — DFARS 252.204-7012
- DLAD — DFARS 252.204-7012 (DLAD)
- NMCARS — DFARS 252.204-7012 (NMCARS)
- DAFFARS — DFARS 252.204-7012 (DAFFARS)
- AFARS — DFARS 252.204-7012 (AFARS)
- — 32 CFR Part 2002
- DIB — 32 CFR Part 2002
Educational reference only — not legal advice. Consult a qualified assessor or attorney for binding compliance determinations.