A practitioner-led tabletop exercise walking through the DFARS 7012 incident response timeline: 72-hour DIBNet reporting, evidence preservation, malware submission, damage assessment, and subcontractor notification. Designed for compliance and IT leadership at DoD contractors.
When a cyber incident touches Covered Defense Information (CDI), the clock starts immediately. DFARS 252.204-7012 imposes precise, sequential obligations on DoD contractors — and regulators have little patience for organizations that discover the requirements only after an event is underway. This four-hour virtual tabletop exercise, led by Carl B. Johnson, President and CISO of Cleared Systems, moves your team through a realistic incident scenario from initial detection to final reporting, exposing gaps before they become findings.
The workshop opens with the requirement that shapes everything else: the mandatory 72-hour report to DoD via the DIBNet portal. Participants work through what the clock actually measures, what information must be present in the initial submission, and what happens when the facts are still unclear at the time of filing. The session covers how to draft an accurate, legally defensible initial report under time pressure — and how to manage subsequent updates as the picture develops.
DFARS 7012 requires contractors to preserve images of compromised systems and, where applicable, submit malware samples to DoD Cyber Crime Center (DC3). The tabletop walks through the practical handoff between your IT team and your compliance function: what to capture, how to document chain of custody, and how to coordinate malware submission without disrupting an active investigation or your own remediation timeline.
Determining what CDI was accessed, exfiltrated, or destroyed is both a technical exercise and a contractual one. Participants practice scoping a damage assessment against the definitions in DFARS 7012, connecting system logs and network telemetry to specific contract performance and data holdings. The scenario forces decisions about what you know, what you can reasonably infer, and how to represent uncertainty accurately in communications to the Contracting Officer.
Prime contractors carry flow-down obligations. The session addresses when and how to notify subcontractors who may have handled CDI relevant to the incident, what your prime-sub agreements should already say, and how to coordinate parallel reporting streams without creating contradictory records. This portion is especially valuable for compliance leads who manage a tiered supply chain.
Throughout the scenario, the facilitator pauses at realistic decision points — incomplete information, a subcontractor that is slow to respond, a Contracting Officer asking questions your team is not prepared to answer. Participants practice the judgment calls that policy documents rarely anticipate, building the muscle memory that makes a real incident manageable rather than chaotic.
This workshop is built for the people who will be in the room when an incident actually happens. Compliance managers and program managers responsible for DFARS contract performance need to understand their reporting obligations before they are tested. IT and security leads at DoD contractors who handle CDI environments benefit from practicing the handoff between technical response and regulatory reporting. In-house counsel and contracts professionals who advise on Contracting Officer communications will find the scenario grounding. If your organization holds DoD contracts that involve CDI and you have not rehearsed the 7012 response sequence as a team, this session is the right starting point.
Managers approving this training should know: DFARS 7012 non-compliance is not a paperwork problem — it is a contract performance issue that can affect past performance ratings, affect option exercise decisions, and attract scrutiny from the Defense Contract Management Agency. Four hours of structured rehearsal is a direct investment in your organization's ability to perform under pressure.
The tabletop is a pressure test, not a foundation. If this exercise surfaces broader gaps in your organization's regulatory posture, Cleared Systems offers ongoing support through our CMMC, CUI & DFARS compliance services and, for organizations that need executive-level guidance between incidents, our Regulatory vCISO services. Tabletop participants often find it useful to review those options alongside their debrief notes while the scenario is still fresh.
Ask about group rates, private delivery of this curriculum for your team, or whether this session fits your compliance roadmap.
Contact Us
