DFARS 252.204-7012 paragraph (c) requires defense contractors to report cyber incidents to the DoD within 72 hours. Most contractors know this requirement exists. Few have tested whether their email system can actually support it.
What the clause says
DFARS 252.204-7012(c)(1) states:
When the Contractor discovers a cyber incident that affects a covered contractor information system or the covered defense information residing therein, the Contractor shall report the incident to the DoD within 72 hours.
The 72-hour clock starts when the contractor discovers the incident, not when it occurred. But discovery depends on detection, and detection depends on your systems.
What counts as a cyber incident
The clause defines a cyber incident as actions taken through the use of computer networks that result in a compromise or an effect on an information system. For email, this includes the following (and note that encrypted CUI is still CUI):
- Unauthorized access to a mailbox containing CUI
- A compromised user account used to access or exfiltrate email
- Phishing that results in credential theft
- Malware delivered via email attachment that affects the information system
- Unauthorized forwarding rules that send CUI to external addresses
If any of these happen and your system handles CUI, you have a reportable incident.
What the DoD expects in your report
The report must be submitted through the DIBNet portal and include:
- A description of the technique or method used in the incident
- A sample of the malicious software (if applicable)
- A summary of information compromised (type of CUI, number of records)
- Affected covered contractor information systems
- Evidence of the compromise
Your email system must be able to produce this evidence. If it cannot, you cannot comply with the reporting requirement.
What your email system needs to support this
Detection: knowing an incident happened
You cannot report what you cannot detect. Your email system must provide:
- Login audit logs with source IP addresses, timestamps, and success/failure indicators. If someone logs in from an unusual location or a compromised credential is used, the logs must show it.
- Mail flow logs showing who sent what to whom and when. If CUI is exfiltrated via email, you need the evidence.
- Admin action logs showing changes to forwarding rules, DLP policies, and user permissions. Unauthorized changes to these settings can indicate compromise.
- Alerting on suspicious activity. Bulk email forwarding, login from a new country, or multiple failed authentication attempts should trigger notifications.
Preservation: keeping the evidence
DFARS 252.204-7012(e) requires contractors to preserve and protect images of all known affected information systems and all relevant monitoring and packet capture data for at least 90 days. For email, this means:
- Audit logs must be immutable. If an attacker (or an admin) can delete logs, you lose your evidence. Logs should be stored in a system separate from the email platform or protected by write-once policies.
- Mailbox state must be preservable. You may need to freeze a mailbox at a point in time to show what was accessed. Legal hold capabilities support this.
- Retention policies must prevent auto-deletion. If your email system automatically purges deleted items after 30 days, critical evidence may be gone before the 90-day preservation period ends.
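The immutability point above can be checked rather than assumed. The following is an added example, not code from the original article or from any email platform: a tamper-evident audit store in which every record carries a SHA-256 link to the previous one, so an edit or deletion inside the log breaks the chain on verification. The record fields, the sample events, and the idea of keeping the newest ("head") hash in a separate system are assumptions for illustration; they stand in for whatever write-once or external log store a platform actually offers.

```python
"""Tamper-evident audit log store.

Added example, not code from the original article. Each record is linked
to the previous one by a SHA-256 hash, so altering or deleting a record
breaks the chain and is caught on verification. The record fields and the
head hash kept outside the platform are assumptions for illustration."""
import hashlib
import json
from dataclasses import dataclass, field
from typing import Optional, Tuple

GENESIS = "0" * 64  # "previous hash" link for the first record


def _digest(prev_hash: str, record: dict) -> str:
    # Canonical JSON (sorted keys, fixed separators) so the same record always hashes the same.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


@dataclass
class AuditChain:
    entries: list = field(default_factory=list)  # each: {"record", "prev", "hash"}

    def append(self, record: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        h = _digest(prev, record)
        self.entries.append({"record": record, "prev": prev, "hash": h})
        return h  # the caller should copy the newest hash to a separate system

    def head(self) -> str:
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self, expected_head: Optional[str] = None) -> Tuple[bool, int]:
        """Return (ok, index): index is the first broken entry, or -1 when intact.

        Edits and deletions inside the chain are detected by the links alone;
        silently dropping the newest records is not, which is why the head hash
        must also be compared against a copy held outside the platform."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or _digest(prev, e["record"]) != e["hash"]:
                return False, i
            prev = e["hash"]
        if expected_head is not None and prev != expected_head:
            return False, len(self.entries)
        return True, -1


def build_sample_chain() -> AuditChain:
    """Constructed sample events (not real logs)."""
    chain = AuditChain()
    chain.append({"ts": "2024-03-01T08:00:00Z", "event": "UserLoggedIn", "user": "a.smith",
                  "ip": "203.0.113.5", "result": "Success"})
    chain.append({"ts": "2024-03-01T08:02:10Z", "event": "New-InboxRule", "user": "a.smith",
                  "forward_to": "drop@external.example"})
    chain.append({"ts": "2024-03-01T08:05:00Z", "event": "UserLoginFailed", "user": "a.smith",
                  "ip": "198.51.100.9", "result": "Failure"})
    return chain


def _copy(chain: AuditChain) -> AuditChain:
    return AuditChain(entries=[{"record": dict(e["record"]), "prev": e["prev"], "hash": e["hash"]}
                               for e in chain.entries])


def tamper_delete(chain: AuditChain, index: int) -> AuditChain:
    """Simulate an attacker or admin removing one stored record."""
    copy = _copy(chain)
    del copy.entries[index]
    return copy


def tamper_edit(chain: AuditChain, index: int, **changes) -> AuditChain:
    """Simulate an in-place edit of one stored record."""
    copy = _copy(chain)
    copy.entries[index]["record"].update(changes)
    return copy


if __name__ == "__main__":
    chain = build_sample_chain()
    head = chain.head()
    print("intact:", chain.verify(head))
    print("rule record deleted:", tamper_delete(chain, 1).verify(head))
    print("rule target edited:", tamper_edit(chain, 1, forward_to="nobody").verify(head))
    print("newest record dropped:", tamper_delete(chain, 2).verify(head))
```

The last case is the one worth noticing: truncating the newest records passes verification unless the head hash was copied somewhere the email platform's administrators cannot reach, which is the practical reason for the "separate system" recommendation above.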
Forensic access: producing the evidence
DFARS 252.204-7012(f) states that the contractor shall provide the DoD with access to additional information or equipment necessary to conduct forensic analysis. For email:
- Export capabilities for individual mailboxes in standard formats (PST, MBOX, EML)
- Searchable audit logs that can be filtered by user, date range, and event type
- Access logs showing exactly who accessed what mailbox and when
If your email provider cannot produce these artifacts, you cannot satisfy the forensic access requirement.
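The detection rules listed under "Alerting on suspicious activity" and the filtering listed under "Forensic access" share one input: searchable audit events. The following is an added example that serves both sections; it is not code from the original article or from any provider. The one-JSON-object-per-line format, the field names, the event names (only loosely modelled on commercial platforms' operation names), the per-user baseline of known login countries, the internal domain and the thresholds are all assumptions for illustration, and the audit lines are constructed, not real logs.

```python
"""Detection rules and forensic filtering over email audit events.

Added example, not code from the original article. The line format, field
names, thresholds, internal domain and known-country baseline are assumed."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines (not real logs).
SAMPLE_LINES = [
    '{"ts":"2024-03-01T08:00:00Z","event":"UserLoggedIn","user":"a.smith","ip":"203.0.113.5","country":"US","result":"Success"}',
    '{"ts":"2024-03-01T08:01:00Z","event":"UserLoginFailed","user":"b.jones","ip":"198.51.100.9","country":"US","result":"Failure"}',
    '{"ts":"2024-03-01T08:01:20Z","event":"UserLoginFailed","user":"b.jones","ip":"198.51.100.9","country":"US","result":"Failure"}',
    '{"ts":"2024-03-01T08:01:40Z","event":"UserLoginFailed","user":"b.jones","ip":"198.51.100.9","country":"US","result":"Failure"}',
    '{"ts":"2024-03-01T08:02:00Z","event":"UserLoginFailed","user":"b.jones","ip":"198.51.100.9","country":"US","result":"Failure"}',
    '{"ts":"2024-03-01T08:02:20Z","event":"UserLoginFailed","user":"b.jones","ip":"198.51.100.9","country":"US","result":"Failure"}',
    '{"ts":"2024-03-01T09:30:00Z","event":"UserLoggedIn","user":"a.smith","ip":"192.0.2.77","country":"RO","result":"Success"}',
    '{"ts":"2024-03-01T09:31:00Z","event":"New-InboxRule","user":"a.smith","forward_to":"drop@external.example","result":"Success"}',
    '{"ts":"2024-03-01T09:32:00Z","event":"MailItemsAccessed","user":"a.smith","mailbox":"a.smith","count":340,"result":"Success"}',
]

KNOWN_COUNTRIES = {"a.smith": {"US"}, "b.jones": {"US"}}  # assumed per-user baseline
INTERNAL_DOMAIN = "corp.example"                          # assumed
FAILED_LOGIN_THRESHOLD = 5                                # assumed
FAILED_LOGIN_WINDOW = timedelta(minutes=5)                # assumed
BULK_ACCESS_THRESHOLD = 200                               # assumed


def parse_lines(lines):
    """Parse JSON-lines audit records and return them in timestamp order."""
    events = []
    for line in lines:
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Return (rule, user, detail) alerts for the suspicious patterns the article names."""
    alerts = []
    failures = defaultdict(list)  # user -> timestamps of recent failed logins
    for ev in events:
        user, kind = ev["user"], ev["event"]
        if kind == "UserLoggedIn":
            if ev.get("country") not in KNOWN_COUNTRIES.get(user, set()):
                alerts.append(("login_new_country", user, ev["country"]))
        elif kind == "UserLoginFailed":
            # Sliding window: keep only failures inside FAILED_LOGIN_WINDOW of this one.
            recent = [t for t in failures[user] if ev["ts"] - t <= FAILED_LOGIN_WINDOW]
            recent.append(ev["ts"])
            if len(recent) >= FAILED_LOGIN_THRESHOLD:
                alerts.append(("failed_logins", user, len(recent)))
                recent = []  # reset so one burst produces one alert
            failures[user] = recent
        elif kind == "New-InboxRule":
            target = ev.get("forward_to", "")
            if target and not target.endswith("@" + INTERNAL_DOMAIN):
                alerts.append(("external_forwarding_rule", user, target))
        elif kind == "MailItemsAccessed" and ev.get("count", 0) >= BULK_ACCESS_THRESHOLD:
            alerts.append(("bulk_mailbox_access", user, ev["count"]))
    return alerts


def filter_events(events, user=None, start=None, end=None, event_types=None):
    """Forensic filter by user, date range and event type, as the article calls for."""
    out = []
    for ev in events:
        if user and ev["user"] != user:
            continue
        if start and ev["ts"] < start:
            continue
        if end and ev["ts"] > end:
            continue
        if event_types and ev["event"] not in event_types:
            continue
        out.append(ev)
    return out


def export_jsonl(events):
    """Serialize a filtered set back to one JSON object per line for hand-off."""
    return "\n".join(json.dumps({**e, "ts": e["ts"].isoformat()}, sort_keys=True) for e in events)


if __name__ == "__main__":
    evs = parse_lines(SAMPLE_LINES)
    for alert in detect(evs):
        print("ALERT", *alert)
    print(export_jsonl(filter_events(evs, user="a.smith", event_types={"UserLoggedIn", "New-InboxRule"})))
```

Run against the constructed lines, the rules raise four alerts (the five-failure burst, the login from an unseen country, the rule forwarding to an external domain, and the bulk mailbox read), and the filter pulls the one user's access trail in a form that can be handed over. The same shape of query, restricted to one user and a 90-day range, is what the readiness exercise later in the article asks you to attempt against your real platform.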
Where commercial email systems fall short
Standard Office 365 (E3): Basic audit logs exist but retention is limited to 90 days by default (180 with E5). Advanced audit features (MailItemsAccessed, SearchQueryInitiated) require E5 licensing. No built-in alerting for CUI-specific threats. Log export requires PowerShell scripting or a SIEM integration.
Google Workspace: Admin audit logs are available but email-level access logs (who read which message) are limited. Log retention is 6 months for most event types. No native legal hold for email content on standard tiers. Alert Center provides basic alerting but does not map to DFARS incident categories.
Proton: Minimal audit logging. No admin-level visibility into user activity by design (privacy-first architecture). No mechanism for legal hold or forensic export of another user’s mailbox. Cannot support the preservation or forensic access requirements.
PreVeil: Encrypted email logs are limited by the overlay architecture. The base email system (Gmail/Outlook) provides its own logs, but PreVeil’s encrypted enclave has separate logging that may not capture all required events. Two systems means two sets of incomplete logs.
GCC High: Meets most requirements with E5 licensing and proper configuration, though the migration cost is significant. Microsoft Sentinel integration supports alerting and SIEM. The challenge is cost and the fact that most GCC High deployments are under-configured for these specific DFARS requirements.
How to test your readiness
Before your C3PAO assessment, run this exercise:
- Simulate a compromised account. Change a test user’s password from an unusual device. Can your logs show the event with IP address, timestamp, and outcome?
- Check your detection time. How long before someone notices? If the answer is “we wouldn’t know unless the user reports it,” your detection capability is insufficient.
- Attempt evidence preservation. Can you freeze a mailbox? Can you export a complete audit trail for one user over a 90-day period? Can you produce it in a format the DoD can consume?
- Test your reporting workflow. Do you know who submits the DIBNet report? Do they have an account? Have they practiced the submission process? The 72-hour clock does not pause while you figure out the portal.
- Document the results. Your C3PAO will ask about your incident response capability. Having run a drill with documented results is significantly stronger than having a plan you have never tested.
The 72-hour reality
72 hours sounds like three days. In practice, it is much less. Discovery takes time. Investigation takes time. Evidence collection takes time. Internal escalation takes time. If your email system does not provide real-time alerts, searchable logs, and preservation tools, you will spend most of those 72 hours trying to figure out what happened instead of reporting it.
The contractors who fail this requirement do not fail because they refused to report. They fail because their systems could not detect the incident, preserve the evidence, or produce the artifacts the DoD requires.
Your email system is either built to support this or it is not. Configuration and add-ons cannot retrofit a detection and preservation capability that does not exist in the architecture.