
CUI Incident Response: Does Your Team Know What to Do in the First 72 Hours?


Executive Brief

The clock on a Controlled Unclassified Information (CUI) incident does not start when you resolve it. The 72-hour reporting window starts the moment you discover it.

That distinction matters more than most defense contractors realize. Under Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, the 72-hour reporting clock starts at discovery, not confirmation. Waiting for certainty before acting is one of the most common and costly mistakes contractors make.

When an incident hits, most teams face the same problem:

  • No clear escalation path
  • Uncertainty about who to notify and when
  • Evidence modified or lost before it can be preserved
  • The reporting window missed entirely

We built a 9-step CUI Incident Response Checklist to give Facility Security Officers (FSOs), Information System Security Officers (ISSOs), and operations teams a field guide for the moments that matter most.

Dig deeper below to learn more.

Why Having a Plan Before an Incident Is Non-Negotiable

Incident response is not just an operational concern. It is a Cybersecurity Maturity Model Certification (CMMC) compliance requirement.

National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 includes a dedicated Incident Response control family. Your System Security Plan (SSP) must document how your organization detects, reports, and responds to incidents, and assessors will validate that what is written reflects what actually happens.

Contractors who handle CUI without a documented response process are exposed in two ways:

  • A real incident can escalate quickly without clear containment steps
  • An undocumented or informal response will surface as a finding during a Certified Third-Party Assessment Organization (C3PAO) assessment

The 72-Hour Clock Starts at Discovery

This is the detail that catches most contractors off guard.

Under DFARS 252.204-7012, defense contractors must report a possible cyber incident to the Department of Defense (DoD) (also known as the Department of War) within 72 hours of when it is discovered, regardless of whether the full scope is known. Subcontractors often face an even tighter window to notify their prime.

Most organizations are not set up to move that fast without a plan already in place. That is exactly what ISI's checklist is designed to solve.


Where Every Response Has to Start

Our checklist walks through nine steps designed to guide your team from initial discovery through final closeout.

Step 1: Immediate Actions (0 to 60 Minutes)

The decisions made in the first hour shape the entire trajectory of the response. Containment has to happen immediately, evidence must be preserved before anything in the environment is changed, and the right people need to be notified in the right order. An incident ticket opens here, time-stamped at the point of discovery, not at the point of confirmation.

This step is where most teams lose ground. Without a defined process, critical evidence gets overwritten, escalation paths get improvised, and the 72-hour clock burns down before anyone has formally engaged.

Step 2: Triage and Classification

Before your team can determine how to respond, they need to determine what they are responding to. This step establishes whether the data involved qualifies as CUI, whether your organization was authorized to handle it, and whether it was stored in an approved system or enclave.

When the answers are unclear, the guidance is unambiguous: treat it as CUI and proceed accordingly. Over-reporting is recoverable. Under-reporting is not.

Step 3: Determine Your Response Path

Not every CUI incident triggers the same obligations. This step maps what your team discovered in triage to the specific reporting tracks that apply: submitting a report to the DoD via the DoD Cyber Crime Center (DC3) DCISE portal within 72 hours, notifying your prime contractor, initiating a state breach analysis if personally identifiable information (PII) is involved, or some combination of the three running in parallel. Identifying which tools in your tech stack or processes in your SSP need to be updated as a result also starts here.

Knowing which tracks apply, and activating them simultaneously, is what separates a controlled response from one that compounds the damage.
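The three steps above read as one procedure: open a ticket stamped at discovery, resolve the triage questions (treating an unclear answer as CUI), then activate every applicable reporting track at once. The following Python helper is an added example, not part of ISI's checklist or any ISI tooling; it models that procedure so a team can see the deadline arithmetic and the routing rules in one place. The track names, the `prime_notice_hours` parameter, the `ssp_and_tooling_review` track, and the sample incident are constructed assumptions; only the 72-hour DoD window comes from the text.

```python
# Added example, not part of the ISI checklist or any ISI tooling.
# Models Steps 1-3: a ticket time-stamped at discovery, the DFARS 252.204-7012
# 72-hour DoD reporting deadline, and the parallel reporting tracks that triage
# answers imply. Track names, the prime-notification window and the sample
# incident are constructed assumptions for illustration.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

DOD_REPORT_WINDOW = timedelta(hours=72)  # DFARS 252.204-7012: 72h from discovery


@dataclass
class TriageResult:
    """Step 2 answers. None means 'unclear after triage'."""
    cui_involved: Optional[bool]
    authorized_to_handle: Optional[bool]
    stored_in_approved_enclave: Optional[bool]
    pii_involved: bool = False
    is_subcontractor: bool = False


@dataclass
class Incident:
    """Step 1 ticket: the clock basis is discovery, never confirmation."""
    ticket_id: str
    discovered_at: datetime
    confirmed_at: Optional[datetime] = None
    log: List[str] = field(default_factory=list)

    def dod_report_deadline(self) -> datetime:
        return self.discovered_at + DOD_REPORT_WINDOW

    def hours_remaining(self, now: datetime) -> float:
        """Negative means the 72-hour window has already closed."""
        return (self.dod_report_deadline() - now).total_seconds() / 3600


def open_ticket(ticket_id: str, discovered_at: datetime) -> Incident:
    # Refuse naive timestamps: a deadline computed in the wrong zone is a
    # missed deadline, so the ticket insists on a tz-aware discovery time.
    if discovered_at.tzinfo is None:
        raise ValueError("discovered_at must be timezone-aware")
    inc = Incident(ticket_id, discovered_at)
    inc.log.append(f"{discovered_at.isoformat()} ticket opened at discovery")
    return inc


def treat_as_cui(triage: TriageResult) -> bool:
    """Step 2 rule from the text: if it is unclear, treat it as CUI."""
    return triage.cui_involved is not False


def response_tracks(inc: Incident, triage: TriageResult,
                    prime_notice_hours: Optional[int] = None) -> List[Dict]:
    """Step 3: map triage answers to the reporting tracks that run in parallel."""
    tracks: List[Dict] = []
    if treat_as_cui(triage):
        tracks.append({"track": "dod_dc3_dcise_report",
                       "due": inc.dod_report_deadline(),
                       "basis": "DFARS 252.204-7012, 72h from discovery"})
        if triage.is_subcontractor:
            # The prime's window comes from the subcontract; if none is given,
            # assume it can be no later than the DoD deadline (assumption).
            window = (timedelta(hours=prime_notice_hours)
                      if prime_notice_hours is not None else DOD_REPORT_WINDOW)
            tracks.append({"track": "notify_prime_contractor",
                           "due": inc.discovered_at + window,
                           "basis": "subcontract flow-down terms"})
    if triage.pii_involved:
        tracks.append({"track": "state_breach_analysis", "due": None,
                       "basis": "state breach-notification law review"})
    if triage.authorized_to_handle is False or triage.stored_in_approved_enclave is False:
        # Assumed track name: the text says SSP/tooling updates start here.
        tracks.append({"track": "ssp_and_tooling_review", "due": None,
                       "basis": "CUI handled outside authorized/approved boundary"})
    return tracks


def sample_incident() -> Incident:
    # Constructed sample: discovery at 09:00 UTC on 1 Jan 2024.
    return open_ticket("IR-0001", datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc))


def sample_tracks() -> List[Dict]:
    # Constructed triage: CUI status unclear, PII present, we are a sub with an
    # assumed 24-hour prime-notification clause, data sat outside the enclave.
    triage = TriageResult(cui_involved=None, authorized_to_handle=True,
                          stored_in_approved_enclave=False,
                          pii_involved=True, is_subcontractor=True)
    return response_tracks(sample_incident(), triage, prime_notice_hours=24)


if __name__ == "__main__":
    inc = sample_incident()
    for t in sample_tracks():
        due = t["due"].isoformat() if t["due"] else "no fixed clock"
        print(f"{t['track']:<26} due {due}  ({t['basis']})")
    print(f"{inc.hours_remaining(inc.discovered_at + timedelta(hours=70)):.1f}h left")
```

Two design points carry the text's argument: `open_ticket` refuses a naive timestamp because every deadline derives from the discovery time, and `treat_as_cui` returns true for an unclear answer, so an uncertain triage still activates the DoD track rather than silently dropping it.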

Download the full CUI Incident Response Checklist below to get the complete step-by-step guide:



FAQs

When does the 72-hour DFARS reporting clock start?

At discovery, not resolution. The moment your organization becomes aware of a possible cyber incident involving CUI, the window begins.

Does this apply to subcontractors?

Yes. If your contract includes DFARS 252.204-7012 or a similar flow-down clause, the requirement applies. Subcontractors often face additional notification obligations to their prime. Check your specific subcontract terms.

What if we are not sure whether CUI is involved?

Treat it as CUI and proceed. Over-reporting is recoverable. Under-reporting is not.

How does incident response connect to our CMMC assessment?

NIST SP 800-171 requires a documented incident response capability. If your SSP describes a process that does not match how your team actually responds, assessors will flag it. A structured checklist helps demonstrate real, implemented controls.
