
Incident Response for CMMC — and the 72-Hour Rule

A plan you've never used isn't a plan. Here's the 3.6 family in plain English — plus the DoD reporting clock most small contractors don't know is ticking.

Incident response is one of those areas small contractors skip because "we'll figure it out if it happens." CMMC doesn't allow that — and a separate DFARS clause adds a hard reporting deadline that can catch you off guard. Here's the 3.6 family and the rule that sits next to it.

What the 3.6 family requires

Control         | In plain English
3.6.1 (5 pts)   | Have a real incident-handling capability: prepare, detect, analyze, contain, recover, user response.
3.6.2 (5 pts)   | Track, document, and report incidents to the right people — internal and external.
3.6.3           | Test the capability so it actually works when it's real.

Two of the three are 5-pointers — the program weights "can you respond" and "do you report" heavily, because an unhandled or unreported incident involving CUI is exactly the outcome the rules exist to prevent.

The 72-hour rule most people miss

DFARS 252.204-7012 — the clause already in most DoD contracts that handle CUI — requires you to rapidly report a cyber incident to the DoD within 72 hours of discovery, through dibnet.dod.mil. Reporting needs a DoD-approved medium assurance certificate, which takes time to obtain — so the moment to set that up is before an incident, not during one. This obligation sits alongside CMMC 3.6.2, and missing it is its own problem.

A workable IR plan for a small contractor

You don't need a 24/7 SOC. A small team can satisfy 3.6 with a tight, real plan:

  1. Write a one-pager that covers the lifecycle — who does what during preparation, detection, analysis, containment, recovery, and user notification.
  2. List your contacts in advance — internal decision-makers, your MSP/IT, and the external reporting paths (DoD via DIBNet, law enforcement if applicable, your prime if required).
  3. Get the DIBNet medium assurance certificate now so you can actually file the 72-hour report if you ever need to.
  4. Wire detection into it — your EDR/monitoring (3.14.6) and log review (3.3.5) are what trigger the plan.
  5. Run a tabletop — walk through a realistic scenario once, capture what broke, and fix the plan. That single exercise satisfies 3.6.3 and surfaces the gaps.

The fastest path to passing 3.6: a short documented plan, a pre-built contact + reporting list (including DIBNet), and one tabletop exercise on the calendar. See the full breakdowns in the Control Library.
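As an added illustration (not from this guide, DIBNet or any DoD tooling), here is a small Python incident register that tracks the 3.6.1 lifecycle phases and the DFARS 72-hour reporting clock that 3.6.2 and step 3 above depend on. The schema, incident IDs, summaries and timestamps are constructed samples; the only real number is the 72-hour window.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

REPORT_WINDOW = timedelta(hours=72)   # DFARS 252.204-7012: report within 72 h of discovery
# 3.6.1 lifecycle after preparation, in the order the one-pager walks it
PHASES = ["detection", "analysis", "containment", "recovery", "user_response"]


@dataclass
class Incident:
    """One row of a 3.6.2 incident register (hypothetical schema, not a DoD format)."""
    ident: str
    discovered_at: datetime                  # timezone-aware UTC; starts the 72 h clock
    summary: str
    phases_done: list = field(default_factory=list)
    dibnet_filed_at: "datetime | None" = None   # None until the DoD report is filed

    def report_deadline(self) -> datetime:
        return self.discovered_at + REPORT_WINDOW

    def advance(self, phase: str) -> None:
        # Phases must be closed in lifecycle order so the record mirrors the plan.
        expected = PHASES[len(self.phases_done)]
        if phase != expected:
            raise ValueError(f"{self.ident}: expected {expected!r}, got {phase!r}")
        self.phases_done.append(phase)

    def file_dibnet_report(self, filed_at: datetime) -> bool:
        # Record the DoD report; True if it landed inside the 72-hour window.
        self.dibnet_filed_at = filed_at
        return filed_at <= self.report_deadline()

    def reporting_status(self, now: datetime) -> str:
        """'filed-on-time', 'filed-late', 'open' (clock still running) or 'overdue'."""
        if self.dibnet_filed_at is not None:
            return "filed-late" if self.dibnet_filed_at > self.report_deadline() else "filed-on-time"
        return "open" if now <= self.report_deadline() else "overdue"

    def hours_remaining(self, now: datetime) -> float:
        """Hours left on the reporting clock; negative once the window has passed."""
        return (self.report_deadline() - now) / timedelta(hours=1)


def demo_register() -> dict:
    """Constructed sample: three incidents checked against the clock at one instant."""
    utc = lambda *a: datetime(*a, tzinfo=timezone.utc)
    now = utc(2024, 3, 4, 9)
    a = Incident("INC-001", utc(2024, 3, 1, 9), "phishing with access to a CUI mailbox")
    for p in PHASES[:3]:
        a.advance(p)
    a.file_dibnet_report(utc(2024, 3, 3, 8))     # 47 h after discovery: on time
    b = Incident("INC-002", utc(2024, 2, 28, 12), "lost laptop holding CUI")
    b.file_dibnet_report(utc(2024, 3, 3, 0))     # 84 h after discovery: late
    c = Incident("INC-003", utc(2024, 3, 3, 9), "anomalous login flagged by EDR")
    return {i.ident: (i.reporting_status(now), i.hours_remaining(now)) for i in (a, b, c)}
```

Run `demo_register()` to see each sample incident's reporting status and the hours left on its clock; a register like this is also the evidence an assessor will ask for under 3.6.2.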

Two of these are 5-point controls

See what incident response is worth to your SPRS score — run all 110 free.


Start here

Write the one-pager, build your contact + reporting list (get the DIBNet cert), tie in your monitoring, and run one tabletop. Score yourself, then document it. Both tools are free.