Disaster Recovery and Cybersecurity for Defense Contractors
March 19, 2026 · 10 min read

When a defense contractor's systems go down—whether from ransomware, a natural disaster, or a targeted nation-state intrusion—the consequences extend far beyond operational disruption. Depending on the nature of the incident, contractors may have legal obligations to report to the Department of Defense within 72 hours, preserve forensic evidence for 90 days, and demonstrate to assessors that their incident response and recovery capabilities are operational and tested. Under CMMC 2.0 and NIST SP 800-171, disaster recovery and cybersecurity incident response aren't separate disciplines—they're intertwined requirements that must be documented, implemented, and regularly exercised. For small and mid-size defense contractors, this is one of the most frequently cited deficiency areas in DIBCAC assessments.
What Does NIST SP 800-171 Require for Incident Response and Recovery?
The Incident Response control family in NIST SP 800-171 Revision 2 contains three controls, each with defined objectives that CMMC Level 2 assessors will evaluate:
- Control 3.6.1 – Establish an operational incident-handling capability: This control requires organizations to maintain a functioning incident response capability that covers the full incident lifecycle: preparation, detection, analysis, containment, recovery, and user response activities. The key word is "operational"—CMMC assessors expect more than a policy document. They look for defined roles, named or role-based assignments, escalation procedures, decision points, and evidence that the organization has the tools and personnel to execute the plan under pressure. "The IT team will handle incidents" is not a sufficient answer.
- Control 3.6.2 – Track, document, and report incidents: This control requires incidents to be tracked through closure, documented consistently, and reported to appropriate internal and external parties. For DoD contractors, this control directly links to DFARS 252.204-7012: if a cyber incident affects a covered contractor information system or CUI residing on it, the contractor must report to DC3 via DIBNet within 72 hours of discovery—not confirmation, discovery. That clock starts the moment you become aware something may have happened.
- Control 3.6.3 – Test the organizational incident response capability: Organizations must periodically test their incident response capability. Testing must produce evidence: exercise documentation, after-action notes, identified gaps, assigned action items with due dates, and proof that the Incident Response Plan was updated based on lessons learned. A tabletop exercise held once and lightly documented will typically be assessed as insufficient.
Each of these controls carries significant weight in the CMMC assessment scoring methodology. Controls 3.6.1 and 3.6.2 are worth 5 points each—meaning failing to implement them fully results in a 10-point deduction from your SPRS score.
What Are the DFARS 252.204-7012 Reporting Requirements When an Incident Occurs?
DFARS clause 252.204-7012 establishes specific, legally binding obligations that activate the moment a contractor discovers a cyber incident affecting covered defense information or the contractor's ability to perform on an operationally critical contract. The requirements are more demanding than many contractors realize:
- 72-hour reporting window: Report the incident to the DoD via DIBNet (https://dibnet.dod.mil) within 72 hours of discovery. The report must include specific elements: contractor identification (including CAGE code), contract information, date of detection, type of compromise, techniques used, outcomes, and narrative description of the incident and its impact.
- Medium assurance certificate required: To submit an incident report through DIBNet, the contractor must have a DoD-approved medium assurance certificate. This is a prerequisite that must be obtained before an incident occurs—not during the 72-hour response window.
- Malware submission to DC3: If the contractor isolates malicious software in connection with the incident, they must submit the malware to the Defense Cyber Crime Center (DC3) as instructed. This is not optional.
- 90-day evidence preservation: Upon discovering a cyber incident, the contractor must preserve and protect images of all known affected information systems and all relevant monitoring and packet capture data for at least 90 days. This gives DoD the ability to request media and conduct a damage assessment.
- Subcontractor notification: Subcontractors must provide the incident report number to the prime contractor (or next higher-tier subcontractor) as soon as practicable after reporting to DoD. This flow-up obligation means your incident response plan must include communication procedures with prime contractors.
These reporting obligations are among the most consequential parts of DFARS 252.204-7012. Contractors who experience an incident but fail to report within 72 hours—or who fail to preserve evidence—face potential breach of contract claims, False Claims Act liability (if they've certified compliance), and loss of contract eligibility.
What Should a CMMC-Compliant Incident Response Plan Include?
A compliant incident response plan (IRP) for a DoD contractor must be more than a generic cybersecurity policy. CMMC assessors evaluating control 3.6.1 look for evidence of operational readiness across the full incident lifecycle:
- Incident Response Team (IRT) composition: Defined roles with named or role-based assignments, including alternates. Roles typically include an Incident Manager (overall coordination), IT Specialist (technical response), Legal/Compliance Advisor (DFARS reporting obligations), Communications Lead (prime contractor and contracting officer notification), and an Executive Sponsor (authority to authorize containment actions).
- CUI-specific decision criteria: The IRP must define what constitutes a reportable incident under DFARS 252.204-7012—specifically, any event that affects a covered contractor information system or CUI residing on it. Teams must know how to scope whether CUI was potentially accessed, even before confirmation, because the 72-hour clock starts at discovery.
- Documented escalation paths: Who gets called at 11pm on a Saturday when a server shows signs of ransomware? The answer must be documented. Escalation paths should include after-hours contact information, external vendors (IR retainer, forensic support), legal counsel, and the prime contractor's security POC.
- DIBNet reporting readiness: Confirm that your DoD medium assurance certificate is current and that at least two team members know how to submit an incident report through DIBNet. Practice the reporting process before you need it.
- Evidence preservation procedures: Step-by-step procedures for isolating affected systems, creating forensic images, preserving packet capture data, and maintaining chain of custody for 90 days. These procedures must be executable by your team under pressure.
- Communication templates: Pre-drafted notification templates for the DoD (DIBNet incident report), prime contractor notification, and contracting officer notice. Templates don't eliminate the 72-hour work—but they reduce the cognitive load during a high-stress response.
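As an added example (not code from the original article or from NorthStar), a small Python evidence-preservation manifest covering the DFARS points above: it derives the 72-hour reporting deadline and the 90-day preservation date from the time of discovery, hashes each preserved image or capture at collection, keeps an append-only chain-of-custody log, and re-hashes the artifacts later so alteration or loss is detectable. The incident id, file name and role names are constructed placeholders.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timedelta, timezone

REPORT_WINDOW = timedelta(hours=72)  # DFARS 252.204-7012: report via DIBNet within 72h of discovery
RETENTION = timedelta(days=90)       # DFARS 252.204-7012: keep images and monitoring data 90 days

def sha256_file(path, chunk=1 << 20):
    """Stream-hash so a multi-GB disk image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def new_manifest(incident_id, discovered_at):
    """Both deadlines run from discovery, not from confirmation of CUI impact."""
    return {"incident_id": incident_id, "discovered_at": discovered_at.isoformat(),
            "report_due": (discovered_at + REPORT_WINDOW).isoformat(),
            "preserve_until": (discovered_at + RETENTION).isoformat(), "artifacts": []}

def add_artifact(manifest, path, holder, description):
    """Hash the artifact at collection time and open its chain-of-custody log."""
    manifest["artifacts"].append({
        "name": os.path.basename(path), "sha256": sha256_file(path),
        "size": os.path.getsize(path), "description": description,
        "custody": [(holder, "collected", datetime.now(timezone.utc).isoformat())]})

def transfer_custody(manifest, name, new_holder):
    """Hand-offs are appended, never edited, so the custody history stays complete."""
    art = next(a for a in manifest["artifacts"] if a["name"] == name)
    art["custody"].append((new_holder, "received", datetime.now(timezone.utc).isoformat()))

def verify_artifacts(manifest, directory):
    """Re-hash every artifact; return the names that are altered or missing."""
    return [a["name"] for a in manifest["artifacts"]
            if not os.path.exists(os.path.join(directory, a["name"]))
            or sha256_file(os.path.join(directory, a["name"])) != a["sha256"]]

def demo():
    """Constructed sample: a tiny stand-in for a forensic image in a temp directory."""
    d = tempfile.mkdtemp()
    img = os.path.join(d, "ws-042.E01")  # placeholder name, not a real E01 image
    with open(img, "wb") as f:
        f.write(b"constructed image bytes, not a real E01")
    m = new_manifest("INC-2026-0001", datetime(2026, 3, 14, 23, 10, tzinfo=timezone.utc))
    add_artifact(m, img, "IT Specialist", "image of suspected host")
    transfer_custody(m, "ws-042.E01", "IR retainer firm")
    return m, d, img
```

Immediately after collection `verify_artifacts(m, d)` returns an empty list; once any byte of the preserved image changes it returns `["ws-042.E01"]`, which is the check to run before handing media to DoD for a damage assessment.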
How Does Disaster Recovery Differ from Incident Response for DoD Contractors?
Incident response focuses on detecting, containing, and documenting cybersecurity events—particularly those involving potential CUI compromise. Disaster recovery focuses on restoring systems and operations after any disruption, whether cyber or physical. For defense contractors, both are required under NIST SP 800-171 and CMMC, and they should be coordinated in a unified continuity framework.
Key disaster recovery requirements for DoD contractors under NIST 800-171 include:
- CUI availability under contingency conditions: Systems that store or process CUI must have documented recovery procedures. If CUI is stored on-premises, what happens if the facility is unavailable? If CUI is in a cloud environment, what are the provider's recovery time objectives (RTOs) and recovery point objectives (RPOs), and are they documented in the SSP?
- Backup and restoration testing: NIST SP 800-171 control 3.8.9 requires protection of CUI in backups. But equally important is testing that those backups are actually recoverable—an untested backup is a hope, not a control. Restoration tests should be documented and retained as evidence for assessments.
- Configuration baselines and system rebuild procedures: Control family 3.4 (Configuration Management) requires documented baseline configurations. These baselines are essential not just for preventing drift—they're the foundation for rebuilding systems after an incident. Without documented baselines, system recovery becomes a guessing exercise.
- Single points of failure identification: Map the systems, personnel, and vendors whose loss would prevent you from performing on CUI-related contracts. Document contingency procedures for each. For many small contractors, the single point of failure is an individual IT staff member who holds all the passwords and institutional knowledge.
What Are the Most Common Disaster Recovery Failures in DIBCAC Assessments?
DIBCAC assessors and CMMC C3PAO teams consistently identify the same recurring gaps in contractor disaster recovery and incident response programs:
- IRP exists on paper but hasn't been tested: Having an incident response plan in a binder is insufficient. Control 3.6.3 explicitly requires testing. Untested plans fail in real incidents—and assessors know this. Annual tabletop exercises with documented after-action reviews are the minimum standard.
- No documented DIBNet reporting process: Many contractors don't know about the medium assurance certificate requirement or haven't obtained one. Discovering this gap during an actual incident is a compliance and legal crisis that could have been avoided.
- Backups stored in the same environment as primary systems: A ransomware attack that encrypts your primary systems will also encrypt co-located backups. CMMC-compliant backup strategies require offsite or air-gapped copies, with documented restore procedures.
- Missing or stale System Security Plans (SSPs): The SSP documents how your environment is configured and how controls are implemented. Recovery from any significant incident requires this documentation. Without a current SSP, IT staff may not know the system's intended configuration when rebuilding.
- Inadequate logging for forensic reconstruction: DFARS requires preserving system images and monitoring data for 90 days. If your organization doesn't maintain robust logs before an incident, you may not be able to fulfill this obligation—and you'll also struggle to determine the scope of any CUI exposure.
How Should Small Defense Contractors Structure Their Recovery Planning?
For small and mid-size defense contractors, a practical, CMMC-aligned recovery planning approach follows a logical sequence:
- Start with your CUI boundary: Identify which systems are in scope—those that store, process, or transmit CUI. Recovery planning should prioritize these systems first.
- Build your IRP against the NIST 800-61 framework: NIST SP 800-61 (Computer Security Incident Handling Guide) provides the foundational structure for a compliant IRP. Align your procedures to its phases: Preparation, Detection and Analysis, Containment/Eradication/Recovery, and Post-Incident Activity.
- Get your medium assurance certificate now: Don't wait for an incident. Obtain a DoD-approved medium assurance certificate through the External Certificate Authority (ECA) program and confirm your DIBNet account is active.
- Establish an IR retainer with an external partner: Small contractors typically don't have internal forensic capability. An IR retainer with a qualified cybersecurity firm ensures you have experienced support available within hours of discovering an incident—before the 72-hour clock expires.
- Test annually, document everything: Conduct annual tabletop exercises that walk through a realistic scenario—ransomware encryption of CUI systems, credential theft from a cleared employee, or a vendor breach. Document participants, findings, and remediation actions.
See also our article on Ransomware Defense for DoD Contractors for specific controls and backup strategies that support rapid recovery after an encryption attack.
What Should Defense Contractors Do Next?
Incident response and disaster recovery are no longer background compliance activities for defense contractors—they're operational requirements with legal consequences and contract implications. The 72-hour DFARS reporting clock, the 90-day evidence preservation mandate, and the CMMC assessment weight on IR controls collectively mean that unprepared contractors face both regulatory exposure and assessment failure.
NorthStar Technology Group helps defense contractors build CMMC-compliant incident response programs: from drafting the IRP and obtaining medium assurance certificates, to implementing the logging infrastructure needed to detect and reconstruct incidents, to running tabletop exercises that produce the documented evidence assessors require. If your organization needs to close the gap between having a policy and having an operational capability, contact our team at northstartechnologygroup.com/services/dod-cmmc.
About the author

Ken Satkunam, CISM
President & Founder, NorthStar Technology Group
Ken has spent over 25 years in IT leadership, serving in roles from technical support to CIO for organizations as large as 23,000 employees. He founded NorthStar Technology Group in 2000 to help regulated organizations build secure, compliant, and operationally resilient technology environments. Ken holds the Certified Information Security Manager (CISM) credential from ISACA and is the co-author of the Amazon best-seller "Cyber Attack Prevention." He has been quoted in industry publications including eWeek and DM News, and NorthStar has been recognized on the Inc. 5000 list in both 2024 and 2025.