Incident Response

Incident Response is your breach playbook. When — not if — something goes wrong, these requirements ensure you can detect it, contain it, report it, and recover.

The Big Picture

The 72-hour DIBCAC reporting requirement (DFARS 252.204-7012) lives here. If a CUI incident occurs and you don’t report within 72 hours, you’ve violated your contract. The assessor will ask to see your reporting procedure and your DIBNet portal access.

The Lifecycle

Plan (3.6.1) — A documented IR capability covering preparation, detection, analysis, containment, recovery, and communication — including the 72-hour DoD reporting requirement.

Execute (3.6.2) — Track every incident from detection through closure. Report internally and externally as required.

Improve (3.6.3) — Test the plan at least annually with tabletop exercises. Document findings and update the plan.

---

All 3 Requirements

Ref	Short Name	What It Covers
3.6.1	Have a Plan	Documented IR capability with all six phases
3.6.2	Track and Report	Incident tracking, documentation, and DIBCAC reporting
3.6.3	Test the Plan	Annual tabletop exercises with documented improvements