DFARS: incident‑response reminder

DFARS clause 252.204‑7012 defines “rapidly report” as within 72 hours of discovery for any cyber incident affecting covered defense information. (acquisition.gov) (acquisition.gov) The clause also mandates preservation of media and evidence, submission of the Incident Collection Format (ICF) with required elements, and cooperation with DoD for damage assessment. (ecfr.gov) (ecfr.gov) DoD retired the legacy DIBNet portal and on June 6, 2025 launched a new ICF submission flow at icf.dcise.cert.org that requires a DoD‑approved medium assurance certificate for portal access. (peerless.com) (getpeerless.com) After an ICF is submitted, the DoD Cyber Crime Center (DC3) issues an official incident number and sends an unclassified, encrypted ICF notification to the contracting officer identified on the report. (acquisition.gov) (acquisition.gov) Regulatory housekeeping has also shifted assessment obligations: DFARS 252.204‑7019 was deleted and DFARS 252.204‑7020 renumbered (effective Feb 1, 2026), while the DFARS CMMC clause 252.204‑7021 has been promulgated as part of the DoD final rule implementing CMMC. (summit7.us) (summit7.us) CISA’s Known Exploited Vulnerabilities (KEV) catalog expanded substantially in 2025—security reporting tracked an increase that pushed the catalog past roughly 1,480 entries—raising the likelihood that contractors will encounter exploitable CVEs that trigger DFARS reporting obligations. (securityweek.com) (securityweek.com) High‑impact supply‑chain compromises such as the SolarWinds/SUNBURST operation remain cited as the prime example of downstream compromise risk that forces large‑scale DFARS incident reporting and forensic collaboration across affected contractors. (mitre.org) (attack.mitre.org)