
IR.L2-3.6.2 Incident Reporting

Incident Response 2 of 3 in family

Track and Report.

Log every incident, notify internal stakeholders, report to DoD via DC3/DCISE within 72 hours for CUI incidents.

The one-liner

If a cyber incident affects CUI and you don't report to DoD via DC3/DCISE within 72 hours, you've violated your DFARS contract.

Practice names: DoD CIO CMMC Model Overview v2.0 (CC BY 4.0).

3.6.2 — Track and Report

Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization.

Every incident — from a phishing attempt to a confirmed breach — must be tracked, documented, and reported to the right people. Three activities:

  1. Track. Every incident is logged in a ticketing system or incident tracker with: what happened, when it was detected, severity, affected systems, CUI impact assessment, actions taken, current status, and resolution. The incident lives in the tracker from detection through closure.

  2. Document. Each incident has a record that captures the full lifecycle: initial detection, analysis findings, containment actions, recovery steps, and lessons learned. Evidence is preserved — screenshots, log exports, forensic images where applicable.

  3. Report. Internal: notify the people who need to know based on severity — IT management, executive leadership, legal, and the prime contractor. The plan names a specific role responsible for communicating about the incident to internal and external stakeholders — not whoever happens to be free. External: for incidents involving CUI, report to DoD (DC3/DCISE) within 72 hours of discovery per DFARS 252.204-7012 — file through the Incident Collection Format (ICF) portal at icf.dcise.cert.org, which produces an XML you transmit to DC3 via encrypted email or DoD SAFE; DC3/DCISE then assigns the incident report number. (DIBNet was decommissioned 6 June 2025; the 7012 clause text still names dibnet.dod.mil, which now redirects to DC3/DCISE.) The 72-hour clock starts at discovery, not at confirmation. Reporting isn’t limited to network intrusions — mishandling or unauthorized disclosure of CUI is reportable through your contract channels too. A paper spill is still an incident.
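An added example (not from the original page or any DoD tooling): a small audit over a tracker export that checks each record carries the fields listed under Track and measures the 72-hour DC3/DCISE window from detection rather than confirmation. The key names, the `cui_impact` values, the rule that a resolution is required only once a record is closed, and the sample entries are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
REPORT_WINDOW = timedelta(hours=72)  # DFARS 252.204-7012 reporting window
# Fields the tracker entry must carry; these key names are hypothetical.
REQUIRED = ("what_happened", "detected_at", "severity", "affected_systems",
            "cui_impact", "actions_taken", "status")

def report_deadline(detected_at):
    """The clock starts at discovery (detection), not at confirmation."""
    return detected_at + REPORT_WINDOW

def audit_incident(rec, now):
    """Return the findings for one tracker record; an empty list is clean."""
    findings = [f"missing field: {k}" for k in REQUIRED if not rec.get(k)]
    if rec.get("status") == "closed" and not rec.get("resolution"):
        findings.append("closed without a recorded resolution")
    if rec.get("cui_impact") == "yes" and rec.get("detected_at"):
        deadline = report_deadline(rec["detected_at"])
        reported = rec.get("dc3_reported_at")  # hypothetical field
        if reported is None and now > deadline:
            findings.append(f"DC3/DCISE report overdue since {deadline.isoformat()}")
        elif reported is None:
            findings.append(f"DC3/DCISE report due by {deadline.isoformat()}")
        elif reported > deadline:
            findings.append("DC3/DCISE report filed after the 72-hour window")
    return findings

def audit_log(log, now):
    """Map incident id to findings for every record in the tracker."""
    return {rec["id"]: audit_incident(rec, now) for rec in log}

# Constructed sample entries, not real incidents.
SAMPLE_LOG = [
    {"id": "INC-001", "what_happened": "Phishing email reported",
     "detected_at": datetime(2025, 7, 1, 9, 0, tzinfo=UTC), "severity": "low",
     "affected_systems": ["mail"], "cui_impact": "no",
     "actions_taken": "Message purged", "status": "closed",
     "resolution": "No credentials entered"},
    {"id": "INC-002", "what_happened": "Laptop holding CUI lost",
     "detected_at": datetime(2025, 7, 2, 14, 0, tzinfo=UTC), "severity": "high",
     "affected_systems": ["LT-114"], "cui_impact": "yes",
     "actions_taken": "Remote wipe issued", "status": "open",
     "dc3_reported_at": datetime(2025, 7, 5, 16, 0, tzinfo=UTC)},  # 74 h later
    {"id": "INC-003", "what_happened": "Malware alert on server storing CUI",
     "detected_at": datetime(2025, 7, 6, 8, 0, tzinfo=UTC), "severity": "",
     "affected_systems": ["FS-02"], "cui_impact": "yes",
     "actions_taken": "Host isolated", "status": "open"},
]
```

Calling `audit_log(SAMPLE_LOG, now)` with the current UTC time returns a per-incident list of findings that can be attached to the tracker or reviewed before an assessment.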


Your assessor needs a “yes” to every row:

| # | Question | What “yes” looks like |
|---|----------|-----------------------|
| 1 | Are incidents tracked? | Incident tracking system with entries from detection through closure |
| 2 | Are incidents documented? | Incident records with timeline, actions, evidence, and resolution |
| 3 | Are external reporting authorities identified? | DoD Cyber Crime Center (DC3) identified as recipient; DC3/DCISE portal access verified; 72-hour procedure documented |
| 4 | Are internal officials identified? | Escalation matrix: who is notified at each severity level |
| 5 | Are external authorities notified? | Evidence of DC3/DCISE reporting for past CUI incidents (or documented procedure if no incidents have occurred) |
| 6 | Are internal officials notified? | Internal notification records for past incidents |

Documents they’ll review: Incident response policy; incident tracking records; incident documentation; internal notification records; DC3/DCISE reporting procedures; DC3/DCISE portal access evidence; escalation matrix

People they’ll talk to: Personnel with incident monitoring and reporting responsibilities; management who receive incident notifications; personnel with DC3/DCISE reporting responsibility

Live demos they’ll ask for: “Show me your incident tracking system.” “Walk me through a past incident record.” “Show me your 72-hour reporting procedure and DC3/DCISE access.”


These are the actual questions. Have answers ready.

  • “Show me your incident tracking system. Walk me through a recent entry.”
  • “Who gets notified internally when an incident is detected? Show me the escalation matrix.”
  • “How do you report to DoD via DC3/DCISE? Show me the procedure and DC3/DCISE access.”
  • “When does the 72-hour clock start? Who is authorized to file the report?”
  • “Show me documentation from a past incident — or your template if you haven’t had one.”

No incident log. Incidents are handled but not tracked. The assessor asks “show me your incident records” and there are none. Use a ticketing system — even a dedicated spreadsheet — but track everything.

No 72-hour awareness. The IR team doesn’t know about the DFARS 252.204-7012 reporting requirement or has never accessed DC3/DCISE. Train the team, obtain the DoD-approved medium assurance certificate DC3/DCISE requires, verify portal access annually, and include the procedure in the IR plan.

Internal only. Incidents are handled and reported internally but the external reporting requirement is ignored. DC3/DCISE reporting is a contractual obligation for CUI incidents.

No evidence preservation. Incidents are resolved but logs, screenshots, and forensic evidence aren’t preserved. Document as you go — evidence is needed for DC3/DCISE reporting and lessons learned.



| Requirement | Why it matters here |
|-------------|---------------------|
| 3.6.1 — Have a Plan | The IR plan that establishes the capability this requirement exercises |
| 3.6.3 — Test the Plan | Testing validates that tracking and reporting procedures work |
| 3.3.6 — Search and Report | On-demand log queries support incident investigation and documentation |